Enumerate All Empty Active Directory Groups

Enumerate All Empty Active Directory Groups

The following script was created to enumerate all the empty groups that exist in an Active Directory.

This output of the script can be piped to a text file.

Basic steps are
1) Create connection to Active Directory domain
2) Create recordset from query, filtering in only empty groups
3) Enumerate through recordset, displaying name of group
4) Cleanup

Option Explicit

On Error Resume Next

Dim objCommand
Dim objConnection
Dim objRootDSE
Dim strDNSDomain
Dim strBase
Dim objSystemInfo
Dim strDomain
Dim strFilter
Dim strAttributes
Dim strQuery
Dim objRecordset
Dim strGroupName

Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")

objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

Set objRootDSE = GetObject("LDAP://RootDSE")

strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = ""

Set objSystemInfo = CreateObject("ADSystemInfo")
strDomain = objSystemInfo.DomainShortName

strFilter = "(&(objectCategory=group)(!member=*))"

strAttributes = "sAMAccountName"

strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False

Set objRecordset = objCommand.Execute

Do Until objRecordset.EOF
strGroupName = objRecordset.Fields("sAMAccountName").Value
WScript.Echo strGroupName


Set objRecordset = Nothing
Set objSystemInfo = Nothing
Set objRootDSE = Nothing
Set objConnection = Nothing
Set objCommand = Nothing


Leave a Reply

Your email address will not be published. Required fields are marked *