Empty group really has members

  • Question

  • Hi,

I am trying to find all empty AD groups to be removed.

    I run Get-ADGroup -Filter {GroupCategory -eq 'security'} | Where-Object {@(Get-ADGroupMember $_).Length -eq 0}. I send this to a txt file, then run it through a few validations to make sure they really are empty.

    I have found one group we call student_test; the Members parameter is showing {}, which is blank.

    If I look at the group, there are some members in it.

    I would first like to understand why a group that has members is coming back as empty.

    I was looking for a tried and true way of getting all empty AD groups in a domain, to then use that listing to remove them.

    Wednesday, March 21, 2018 6:31 PM

Answers

  • Hi,

Since you want to delete the groups, I recommend pulling all the groups and checking whether each group has any members with Get-ADGroupMember; if there are no members, that is your condition for deletion.

    I would also recommend, if you have multiple domain controllers, checking for any replication issues. If there are any replication issues, fix the issues.

    Second, run the query from the server where you have the infrastructure master role installed, because the infrastructure master keeps the group membership information.

    Thanks

    Syed.


    Don't forget to mark as Answered if you found this post helpful.

    • Marked as answer by JRRemillard Wednesday, March 21, 2018 7:49 PM
    Wednesday, March 21, 2018 7:41 PM

All replies

  • Hi,

    Try using the dsquery to find if you are getting the same result.

    DSQuery * -Filter "(&(sAMAccountType=268435456)(!member=*))" -Limit 0 >C:\EmptyGroups.txt

    Thanks

    Syed


Don't forget to mark as Answered if you found this post helpful.


    • Edited by Syed Abdul Wednesday, March 21, 2018 6:46 PM
    Wednesday, March 21, 2018 6:46 PM
• Thank you

    One of the groups that has members did show up in this query too.

    Why would a group show up in so many different queries as empty when it is not?

    I have used AD cmdlets,

    Quest cmdlets,

    and now this query.

    Wednesday, March 21, 2018 7:11 PM
  • Hi,

On all the queries, is it the same group?

    Thanks

    Syed


Don't forget to mark as Answered if you found this post helpful.

    Wednesday, March 21, 2018 7:21 PM
• There are a few that come back but actually have members in them. That is what is concerning me. I want to delete the empty groups, and we have over 1200, but I am concerned that they are not all truly empty.

    I am speaking about the group student_test because that is one that I noticed right away and can look for quickly, because I remember it.

    Wednesday, March 21, 2018 7:29 PM
  • The Get-ADGroupMember cmdlet should reveal all group members that are security principals. So it reveals members that are users, computers, or groups. But it does not reveal members that are contacts. Does this account for what you experience?

    Methods and tools that check the member attribute of the group object reveal members of all classes, but this ignores any members that have the group designated as their "primary" group. This is why the group "Domain Users" can appear to be empty, since by default all users have this group designated as their primary. The same with Domain Computers, the default primary group for all computers. The Get-ADGroupMember cmdlet reveals primary group membership as well as normal group membership (in the member attribute of groups).

    Edit: Finding empty groups can be tricky, so I wrote and tested a PowerShell script for the purpose, published in the TechNet Script Gallery:

    https://gallery.technet.microsoft.com/PowerShell-Script-to-Find-1bff13b5

    This takes into account the complications I mentioned above.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Wednesday, March 21, 2018 9:12 PM
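The three views of group membership that the replies above contrast (the member attribute, primary-group membership, and what Get-ADGroupMember returns) can be compared side by side before any group is deleted. The following is an added example and is not code from this thread or from the linked TechNet script; it assumes the ActiveDirectory module is available, that all queries should go against a single domain controller (the PDC emulator, so replication lag cannot make the three counts disagree), and that the search base, the output path and the function name Get-GroupMembershipReport are placeholders you would adjust.

```powershell
# Added example: classify every security group by three independent membership views
# so that groups like "student_test" in the thread, which look empty to one method but
# not another, are surfaced instead of silently deleted.
Import-Module ActiveDirectory

function Get-GroupMembershipReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # assumption: whole domain
        [string]$Server     = (Get-ADDomain).PDCEmulator         # assumption: one DC for all queries
    )

    # member holds direct members of every object class (contacts included);
    # primaryGroupToken is the RID that users and computers store in primaryGroupID.
    $groups = Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $SearchBase `
                          -Server $Server -Properties member, primaryGroupToken

    foreach ($g in $groups) {
        # View 1: direct members recorded in the member attribute (includes contacts).
        $memberAttrCount = @($g.member).Count

        # View 2: objects whose primary group is this group. These are NOT in the member
        # attribute, which is why Domain Users and Domain Computers look empty to an
        # LDAP filter such as (!member=*).
        $primaryCount = @(Get-ADObject -Filter "primaryGroupID -eq $($g.primaryGroupToken)" `
                                       -SearchBase $SearchBase -Server $Server).Count

        # View 3: what Get-ADGroupMember reports: security principals only (users,
        # computers, groups), including primary-group members but excluding contacts.
        $cmdletCount = @(Get-ADGroupMember -Identity $g -Server $Server).Count

        [pscustomobject]@{
            Name                = $g.Name
            MemberAttribute     = $memberAttrCount
            PrimaryGroupMembers = $primaryCount
            GetADGroupMember    = $cmdletCount
            # Only a group that is empty under every view is a deletion candidate.
            TrulyEmpty          = ($memberAttrCount -eq 0 -and $primaryCount -eq 0 -and $cmdletCount -eq 0)
        }
    }
}

$report = Get-GroupMembershipReport

# Groups where the views disagree: review these by hand before touching anything.
$report | Where-Object { -not $_.TrulyEmpty -and
                         ($_.MemberAttribute -eq 0 -or $_.GetADGroupMember -eq 0) } |
    Format-Table -AutoSize

# Candidates that are empty under all three views, exported for the validation step.
$report | Where-Object { $_.TrulyEmpty } |
    Export-Csv -Path 'C:\Temp\EmptyGroups.csv' -NoTypeInformation   # placeholder path
```

The disagreement table is the useful output: a group with MemberAttribute = 0 but PrimaryGroupMembers > 0 is the Domain Users case described above, and a group with MemberAttribute > 0 but GetADGroupMember = 0 contains only contacts (or members the cmdlet could not resolve). Get-ADGroupMember can also fail outright on very large groups or on groups containing foreign security principals from another forest, so treat an error on view 3 as "unknown", not as "empty", and keep such groups out of the deletion list.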