VBS Script Find Empty AD Groups

The VBS script below finds all empty Active Directory groups in the current domain.

Usage

cscript c:\Find_Empty_AD_Groups.vbs //nologo

The empty AD groups will be listed in your command prompt window.

The Script

'Define Constants
Const ADS_SCOPE_SUBTREE = 2 ' Search target object and all sub levels
 
'Set Variables
DQ = Chr(34) 'Double Quote
 
'Create Objects
Set objShell = CreateObject("Wscript.Shell")
 
'Verifies script was run using CSCRIPT, and if not relaunches it using CSCRIPT
If Not WScript.FullName = WScript.Path & "\cscript.exe" Then
	objShell.Popup "Launched using wscript. Relaunching...", 5, "WSCRIPT"
	objShell.Run "cmd.exe /k " & WScript.Path & "\cscript.exe //NOLOGO " & _
	DQ & WScript.scriptFullName & DQ, 1, False
	WScript.Quit 0
End If
 
'Construct an ADsPath to the Current Domain with rootDSE
Set objRootDSE = GetObject("LDAP://rootDSE")
strADsPath = "LDAP://" & objRootDSE.Get("defaultNamingContext")
 
'Connect to Active Directory
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
 
objCommand.CommandText = "SELECT ADsPath,cn,member FROM '" & strADsPath & _
"'" & " WHERE objectClass='group'"
Set objRecordSet = objCommand.Execute
 
If objRecordSet.EOF Then
	WScript.echo "Error, no groups found"
	WScript.quit
Else
	WScript.Echo "List of empty groups"
	WScript.Echo "============================================================="
	objRecordSet.MoveFirst
	Do Until objRecordSet.EOF
		strGroupName = objRecordSet.Fields("ADsPath").Value
		strCN = objRecordSet.Fields("cn").Value
		arrMembers = objRecordSet.Fields("member").Value
		If IsNull(arrMembers) Then
			'The group has no members
			
			'Show the Common name
			WScript.Echo strCN
			'To show the Distinguished name
			'WScript.Echo strGroupName
 
		End If
		objRecordSet.MoveNext
	Loop
End If
 
WScript.Echo "Script has finished"

Alternative PowerShell Method

If you would prefer to use PowerShell take a look at the below link for an alternative method.
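
A PowerShell version of the same check, added here as an example; it is not the original author's code or the method from the linked article. It assumes the RSAT ActiveDirectory module, and it also skips groups that are in use only as a primary group: that membership is stored in primaryGroupID on the user or computer rather than in the group's member attribute, so such groups look empty to the VBS script above.

```powershell
# Added example, not the original author's code.
# Assumes the RSAT ActiveDirectory module and read access to the current domain.
Import-Module ActiveDirectory

# The DC evaluates this filter, so only groups with no 'member' value are
# returned and no membership lists are transferred to the client.
$filter = '(&(objectCategory=group)(!(member=*)))'
$props  = 'primaryGroupToken', 'whenChanged', 'isCriticalSystemObject', 'memberOf'

$report = foreach ($g in Get-ADGroup -LDAPFilter $filter -Properties $props) {
    # Primary-group members do not appear in 'member'; look for any object
    # whose primaryGroupID equals this group's RID (primaryGroupToken).
    $primary = Get-ADObject -LDAPFilter "(primaryGroupID=$($g.primaryGroupToken))" -ResultSetSize 1
    if ($primary) { continue }   # in use as a primary group, so not empty

    [pscustomobject]@{
        Name              = $g.Name
        GroupCategory     = $g.GroupCategory
        GroupScope        = $g.GroupScope
        WhenChanged       = $g.whenChanged
        # Built-in and default groups are flagged so they are not cleaned up by mistake.
        BuiltInOrCritical = [bool]$g.isCriticalSystemObject
        # An empty group that is still nested in other groups keeps whatever
        # access those groups grant; review this before deleting or reusing it.
        NestedInGroups    = @($g.memberOf).Count
        DistinguishedName = $g.DistinguishedName
    }
}

# Export-Csv quotes every field, so the commas in distinguished names are safe.
$report | Sort-Object Name |
    Export-Csv -Path .\Empty_AD_Groups_Report.csv -NoTypeInformation -Encoding UTF8

"{0} empty group(s) written to Empty_AD_Groups_Report.csv" -f @($report).Count
```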

5 thoughts on “VBS Script Find Empty AD Groups”

  1. Hello mate, thanks first for your effort, however I would need your assistance to find the results, any idea how to export it to an excel file or so?

    Regards

  2. Hi and welcome, the below modified script will output to a csv file called Empty_AD_Groups_Report.csv which will be saved in the same location as where the script is run from.

    If you want a proper Excel file with formatting etc take a look here https://geekshangout.com/an-example-of-using-a-vbs-script-to-create-populate-and-format-an-excel-document/

    I hope this helps?

     

    Const ADS_SCOPE_SUBTREE = 2 ' Search target object and all sub levels
    Const ForReading = 1
    Const ForWriting = 2
    Const ForAppending = 8

    'Set Variables
    DQ = Chr(34) 'Double Quote

    'Create Objects
    Set objShell = CreateObject("Wscript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")

    'Verifies script was run using CSCRIPT, and if not relaunches it using CSCRIPT
    If Not WScript.FullName = WScript.Path & "\cscript.exe" Then
        objShell.Popup "Launched using wscript. Relaunching...", 5, "WSCRIPT"
        objShell.Run "cmd.exe /k " & WScript.Path & "\cscript.exe //NOLOGO " & _
        DQ & WScript.scriptFullName & DQ, 1, False
        WScript.Quit 0
    End If

    'Create the output file (done after the CSCRIPT check so a relaunch does not open it twice)
    currentScriptPath = Replace(WScript.ScriptFullName, WScript.ScriptName, "")
    reportFile = currentScriptPath & "Empty_AD_Groups_Report.csv"
    Set objReportFile = objFSO.OpenTextFile(reportFile, ForWriting, True, True)

    'Construct an ADsPath to the Current Domain with rootDSE
    Set objRootDSE = GetObject("LDAP://rootDSE")
    strADsPath = "LDAP://" & objRootDSE.Get("defaultNamingContext")

    'Connect to Active Directory
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    objCommand.CommandText = "SELECT ADsPath,member FROM '" & strADsPath & _
    "'" & " WHERE objectClass='group'"
    Set objRecordSet = objCommand.Execute

    If objRecordSet.EOF Then
        WScript.echo "Error, no groups found"
        objReportFile.Close
        WScript.quit
    Else
        'WriteLine (not Write) so each entry lands on its own row
        objReportFile.WriteLine("List of empty groups")
        objReportFile.WriteLine("=============================================================")
        objRecordSet.MoveFirst
        Do Until objRecordSet.EOF
            strGroupName = objRecordSet.Fields("ADsPath").Value
            arrMembers = objRecordSet.Fields("member").Value
            If IsNull(arrMembers) Then
                'The group has no members
                'Quote the ADsPath: it contains commas that would otherwise split the CSV row
                objReportFile.WriteLine(DQ & strGroupName & DQ)
            End If
            objRecordSet.MoveNext
        Loop
    End If

    'Close the file
    objReportFile.Close

    WScript.Echo "Script has finished"

  3. Hi,

    When I run this script I get an error saying An invalid Directory Pathname was Passed. Any clue what I'm doing wrong? I am a bit of a noob so might not be editing it correctly.

    Cheers,

    Ryan
