Active Directory: how to search/query for empty OUs

  • Question

  • I had GreatYami answer my 1st problem with creating a query to find empty groups within AD U&C...

    1. Open The Active Directory.
    2. At your left you have a map named Saved Queries, right click it.
    3. Select New > Query, a new screen will appear.
    4. Give your Query a name and click Define Query.
    5. Another screen will appear, Select from the Drop Down list User, Contacts, Groups.
    6. Click the Tab Advanced, then click on Field and select Group > Members.
    7. Beneath the label "Condition" is a dropdown list; select from the drop down list Not Present.
    8. Click Add and then click on OK.

    But now how about this:

    For example: I have an OU called "Payroll". Within that OU I have a Security Group called "Payroll". We no longer have any staff in the OU or Group. Your above query can help me find the empty groups, but is there a query that can help me find empty OUs?

    Thanks-

    Wednesday, April 18, 2012 2:27 PM

Answers

  • There is no query that will retrieve empty OUs. You must query for all OUs, then count the number of child objects. This question must have been asked over a year ago, because I have a VBScript solution, which outputs the distinguished name of all empty OUs in the domain:

    Option Explicit

    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strADsPath
    Dim objOU, lngCount, objChild

    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection

    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"

    ' Filter on all OU objects.
    strFilter = "(objectCategory=organizationalUnit)"

    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "ADsPath"

    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False

    ' Run the query.
    Set adoRecordset = adoCommand.Execute

    ' Enumerate the resulting recordset.
    Wscript.Echo "Empty organizational Units:"
    Do Until adoRecordset.EOF
        ' Retrieve values.
        strADsPath = adoRecordset.Fields("ADsPath").Value
        ' Bind to the OU object.
        Set objOU = GetObject(strADsPath)
        ' Check if empty.
        lngCount = 0
        For Each objChild In objOU
            lngCount = lngCount + 1
            Exit For
        Next
        If (lngCount = 0) Then
            Wscript.Echo objOU.distinguishedName
        End If
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop

    ' Clean up.
    adoRecordset.Close
    adoConnection.Close

    -----



    Richard Mueller - MVP Directory Services

    Wednesday, April 18, 2012 3:07 PM
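
The same check as the VBScript above, written in PowerShell as an added example (not code from the thread): it takes one flat listing of objects and reports OUs that no object names as its parent, instead of binding to each OU in turn. The function names `Get-ParentDN` and `Get-EmptyOU`, the `example.com` domain and the sample objects are assumptions made for illustration.

```powershell
# Added example (PowerShell 5+): OUs with no direct children, from one flat listing.
function Get-ParentDN {
    param([string]$DN)
    # Split at the first unescaped comma; "\," inside an RDN is part of the name.
    $escaped = $false
    for ($i = 0; $i -lt $DN.Length; $i++) {
        if ($escaped) { $escaped = $false; continue }
        if ($DN[$i] -eq '\') { $escaped = $true; continue }
        if ($DN[$i] -eq ',') { return $DN.Substring($i + 1) }
    }
    return $null
}

function Get-EmptyOU {
    param([Parameter(ValueFromPipeline = $true)] $InputObject)
    begin {
        # DN comparison is case-insensitive.
        $parents = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
        $ous = [System.Collections.Generic.List[string]]::new()
    }
    process {
        # Record every object's parent, and remember which objects are OUs.
        $parent = Get-ParentDN $InputObject.DistinguishedName
        if ($parent) { [void]$parents.Add($parent) }
        if ($InputObject.ObjectClass -eq 'organizationalUnit') {
            $ous.Add($InputObject.DistinguishedName)
        }
    }
    end {
        # An OU is empty when no object names it as parent (a child OU or group counts).
        $ous | Where-Object { -not $parents.Contains($_) }
    }
}

# Constructed sample listing for a hypothetical domain example.com.
# On a domain-joined host the input could instead be: Get-ADObject -Filter *
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'DC=example,DC=com'; ObjectClass = 'domainDNS' }
    [pscustomobject]@{ DistinguishedName = 'OU=Payroll,DC=example,DC=com'; ObjectClass = 'organizationalUnit' }
    [pscustomobject]@{ DistinguishedName = 'CN=Payroll,OU=Payroll,DC=example,DC=com'; ObjectClass = 'group' }
    [pscustomobject]@{ DistinguishedName = 'OU=Archive,DC=example,DC=com'; ObjectClass = 'organizationalUnit' }
    [pscustomobject]@{ DistinguishedName = 'OU=Sales\, EMEA,DC=example,DC=com'; ObjectClass = 'organizationalUnit' }
    [pscustomobject]@{ DistinguishedName = 'OU=Desks,OU=Sales\, EMEA,DC=example,DC=com'; ObjectClass = 'organizationalUnit' }
)
$sample | Get-EmptyOU
```

In the sample, `OU=Payroll` is not reported because the Payroll group is still a child object of it, which is the same way the VBScript counts children; an OU holding only a memberless group has to be found by combining this with the empty-group query.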