JSI Tip 9786. Which security groups in your domain have no members?

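Using the freeware ADFind.exe, I have scripted SecGrpNoMbrs.bat to retrieve the distinguishedName of every security group in your domain that has no members. The script checks only the member attribute, so a group whose members belong to it solely as their primary group (Domain Users, for example) is reported as having no members.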

To run SecGrpNoMbrs.bat, open a CMD.EXE window and type SecGrpNoMbrs.

SecGrpNoMbrs.bat contains:

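@echo Off
rem SecGrpNoMbrs.bat
rem Lists the distinguishedName of every security group in the default domain
rem whose member attribute is empty. adfind is called by bare name, so it is
rem resolved from the current directory first and then from the PATH.
rem
rem adfind prints one dn line per group followed by its groupType line.
rem The loop keeps the second character of each label: n marks a dn line,
rem g marks a groupType line.
rem
rem Security-enabled groups carry the 0x80000000 bit in groupType, which makes
rem the decimal value negative. The sign is tested rather than comparing the
rem value with 2, because that comparison only excludes global distribution
rem groups and lets domain local and universal distribution groups, values
rem 4 and 8, through as if they were security groups.
rem
rem Skip=3 presumably drops the adfind banner lines that contain a colon.
rem This depends on the banner of the installed adfind build - TODO confirm.
rem
rem A distinguishedName that contains an exclamation mark is altered by delayed
rem expansion, so such a group is not looked up correctly.
setlocal ENABLEDELAYEDEXPANSION
set adf=adfind -default -f "&(objectcategory=group)" grouptype
for /f "Skip=3 Tokens=1* Delims=: " %%a in ('%adf%^|find ":"') do (
 set p1=%%a
 set p1=!p1:~1,1!
 if "!p1!" EQU "n" set dn="%%b"
 set OK=X
 if "!p1!" EQU "g" set gt=%%b
 if "!p1!" EQU "g" if "!gt:~0,1!" EQU "-" call :getmbr !dn!>nul 2>&1
 if "!OK!" EQU "N" @echo !dn!
)
endlocal
goto :EOF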
:getmbr
rem Subroutine getmbr. Argument 1 is the quoted distinguishedName of a group.
rem Sets OK to Y when adfind returns at least one member value for that group,
rem otherwise leaves OK at N.
rem Only the member attribute is read. Accounts that belong to a group solely
rem through primaryGroupID, as is usual for Domain Users, are not stored in
rem member, so such a group still comes back with OK set to N.
set OK=N
adfind -nodn -nolabel -b %1 member | find "=" >nul && set OK=Y
goto :EOF


