AD Groups with Low Member Count

When I was a Systems Administrator, it was often tough to find time to be proactive and housekeep. However, this is a key part of the role. What I used to do is dedicate time each week to expanding my arsenal of scripts. These little beauties performed the many mundane, but necessary, Active Directory housekeeping tasks.

Checking that groups are in use and have appropriate memberships not only keeps your AD neat and tidy, it also reduces the available attack surface.

Here's how to get a count of groups without any members:

Get-ADGroup -Filter {members -notlike "*"} -Properties members | Measure-Object

Here's how to get a count of groups with just one member:

Get-ADGroup -Filter {members -like "*"} -Properties members | Where-Object {$_.members.count -le 1} | Measure-Object

Looks like I need to do some work!

Adjust the above PS as necessary...
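
As an added example (not the original author's script), the two counts above can be turned into a review list that names each low-member group and flags the ones that only look empty. It assumes the RSAT ActiveDirectory module and read access to the domain; `$MaxMembers` and the CSV path are hypothetical choices.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

$MaxMembers = 1   # hypothetical threshold: report groups with this many direct members or fewer

$report = Get-ADGroup -Filter * -Properties Members, MemberOf, isCriticalSystemObject, whenChanged |
    Where-Object { $_.Members.Count -le $MaxMembers } |
    ForEach-Object {
        $group = $_
        # The member attribute does not record primary-group membership, so a group
        # such as Domain Users can look empty. primaryGroupID stores the group's RID.
        $rid = $group.SID.Value.Split('-')[-1]
        $primaryUser = Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1

        [pscustomobject]@{
            Name              = $group.Name
            Category          = $group.GroupCategory
            Scope             = $group.GroupScope
            DirectMembers     = $group.Members.Count
            SoleMember        = if ($group.Members.Count -eq 1) { $group.Members[0] } else { $null }
            UsedAsPrimary     = [bool]$primaryUser
            NestedInGroups    = $group.MemberOf.Count   # rights inherited through nesting
            BuiltInOrCritical = [bool]$group.isCriticalSystemObject
            WhenChanged       = $group.whenChanged
            DistinguishedName = $group.DistinguishedName
        }
    }

# Review candidates: skip groups in use as a primary group and system-critical groups,
# which should not be cleaned up just because their member attribute is short.
$report |
    Where-Object { -not $_.UsedAsPrimary -and -not $_.BuiltInOrCritical } |
    Sort-Object DirectMembers, Name |
    Export-Csv -Path .\low-member-groups.csv -NoTypeInformation
```

A single-member group that is itself nested in other groups (NestedInGroups greater than 0) deserves a closer look than an empty, un-nested one, since its sole member inherits whatever those parent groups grant.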