The Admin's Toolbox - PowerShell has limits… go old school! Dsquery
By Steve Bowman
Published March 25, 2015

Hi All, the other day I had what I thought was a simple request: "create a report for all empty groups in the domain". I thought to myself, that sounds easy enough. I should be able to use "Get-ADGroup piped to Get-ADGroupMember where member = 0", output to file, DONE!

Here is my one-liner. I am setting the results as a variable, which will allow me to work with the output later.

$emptyGroups = Get-ADGroup -Filter * | Where-Object {@(Get-ADGroupMember $_).Length -eq 0}

Output to screen

Write-Host $emptyGroups.count -ForegroundColor Green "Number of empty groups"

After a few minutes I received the following error:

"Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:60
+ $emptyGroups = Get-ADGroup -Filter * | Where-Object {@(Get-ADGroupMember $_) …
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=Domain Compu…t,DC=xxx,DC=org:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8227,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember"

A couple of quick searches later I found the answer: it looks like it is a limitation imposed by the Active Directory Web Service. ADWS is a requirement for utilizing the ActiveDirectory module for PowerShell. Now do I change the Microsoft.ActiveDirectory.WebServices.exe.config on every domain controller or find another way to get my report? Updating configs on DCs requires change management and approval, so I will schedule that change for another day. Now back to the task at hand. I was looking for empty groups, not ones with over 5000 users. What else can query AD? Then I remembered DSQUERY, the command-line tool for querying AD; that should work. Let's see if it will query for groups.

PS C:\> dsquery

dsquery computer – finds computers in the directory.
dsquery contact – finds contacts in the directory.
dsquery subnet – finds subnets in the directory.
dsquery group – finds groups in the directory.
dsquery ou – finds organizational units in the directory.
dsquery site – finds sites in the directory.
dsquery server – finds AD DCs/LDS instances in the directory.
dsquery user – finds users in the directory.
dsquery quota – finds quota specifications in the directory.
dsquery partition – finds partitions in the directory.
dsquery * – finds any object in the directory by using a generic LDAP query.


Now let's see if I can find the empty groups using the built-in search options.

The exclamation point (!) indicates a NOT filter, so this should list all the groups that do not have members.

-limit <NumberOfObjects>  Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for <NumberOfObjects>, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.

C:\>dsquery group "(&(!member=*))" -limit 0

dsquery failed:No superior reference has been configured for the directory service. The directory service is therefore unable to issue referrals to objects outside this forest.

Hmm, so that did not work. Let's see here: maybe search for everything ("*") and then apply a filter for object type group.

DSQuery * -Filter "(&(objectClass=group)(!member=*))" -Limit 0

-filter <LDAPFilter>  Specifies to use an explicit search filter, <LDAPFilter>, in the LDAP search filter format. For example, a valid search filter is (&(objectCategory=Person)(sn=smith*)). The default value for <LDAPFilter> is (objectClass=*).

That worked, woohoo! Now let's see if I can run that from PowerShell.

$emptygroupsdsq = $(DSQuery * -Filter "(&(objectClass=group)(!member=*))" -Limit 0)

Hmm, the output is a DN. I wonder if I can clean that up? I should be able to pipe it to a regular expression.

$emptygroupsdsq = $(DSQuery * -Filter "(&(objectClass=group)(!member=*))" -Limit 0) | %{$_.Split("=")[1].replace(",OU","").replace(",CN","")}

That did it, now I have a human-readable report. Now about updating Microsoft.ActiveDirectory.WebServices.exe.config…
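
An added example, not from the original post: the same LDAP test run from PowerShell through [adsisearcher], which talks LDAP directly and needs neither the ActiveDirectory module nor Get-ADGroupMember. It goes one step beyond the article by also checking primaryGroupID, because accounts that hold a group as their primary group (as with the Domain Computers group in the error above) are not listed in the member attribute. It assumes a domain-joined Windows host; the output path and variable names are made up for illustration.

```powershell
# Added example: report groups whose 'member' attribute is empty, over plain LDAP.
# Assumptions: domain-joined host, read access to the directory.
$OutFile = '.\empty-groups.csv'   # hypothetical report path

# Same test as the dsquery filter, written in strict RFC 4515 form.
$groupSearch = [adsisearcher]'(&(objectClass=group)(!(member=*)))'
$groupSearch.PageSize = 1000      # paged search, so results are not truncated
$props = 'name', 'distinguishedName', 'objectSid', 'groupType'
$groupSearch.PropertiesToLoad.AddRange([string[]]$props)

$results = $groupSearch.FindAll()
$report = foreach ($r in $results) {
    # The RID is the last sub-authority of the group's SID.
    $sidBytes = [byte[]]$r.Properties['objectsid'][0]
    $sid = [System.Security.Principal.SecurityIdentifier]::new($sidBytes, 0)
    $rid = $sid.Value.Split('-')[-1]

    # Primary-group membership lives on the account (primaryGroupID),
    # not in the group's 'member' attribute, so test for it separately.
    $pgSearch = [adsisearcher]"(primaryGroupID=$rid)"
    $hasPrimaryMembers = $null -ne $pgSearch.FindOne()

    [pscustomobject]@{
        Name              = [string]$r.Properties['name'][0]
        DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        # Bit 0x80000000 of groupType marks a security (not distribution) group.
        SecurityEnabled   = ([int]$r.Properties['grouptype'][0] -band 0x80000000) -ne 0
        HasPrimaryMembers = $hasPrimaryMembers
    }
}
$results.Dispose()

# Keep only groups that are empty by both measures.
$empty = @($report | Where-Object { -not $_.HasPrimaryMembers })
Write-Host "$($empty.Count) empty groups" -ForegroundColor Green
$empty | Sort-Object Name | Export-Csv -Path $OutFile -NoTypeInformation
```

The SecurityEnabled column helps when reviewing the report, since empty security groups may still be referenced in ACLs and deserve a closer look before cleanup.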
