I am stuck trying to figure out how to get all Active Directory groups that are empty. I came up with this command, which selects groups that have no Members and aren't a MemberOf anything.
Get-QADGroup -GroupType Security -SizeLimit 0 | where-object {$_.Members.Count -eq 0 -and $_.MemberOf.Count -eq 0} | select GroupName, ParentContainer | Export-Csv c:\emptygroups.csv
This is mostly correct, but it's saying certain groups like the default group Domain Computers is empty, but it isn't empty. This particular group has only members that are computers, but it appears that other groups that only have computers as well aren't selected.
Does anyone know why this command is pulling in some that have members?
The Get-QADGroup cmdlet has a parameter -Empty. The description in the help hints at the reason these default groups are being returned:
Note: A group is considered empty if it has the "member" attribute not set. So, this parameter can retrieve a group that has only those members for which the group is set as the primary group. An example is the Domain Users group, which normally is the primary group for any user account while having the "member" attribute not set.
I'm not really familiar with the Quest stuff, but I was able to find empty groups this way, (probably not the most efficient):
Get-ADGroup -Filter {GroupCategory -eq 'Security'} | ?{@(Get-ADGroupMember $_).Length -eq 0}