You can find the empty groups from your domain using below powershell command.

Import-Module activedirectory
Get-ADGroup -Filter * -Properties Members | where {-not $_.members} | select Name | Export-Csv D:\emprtygroups.csv –NoTypeInformation

To find empty groups from any specific OU present in other domain:-

Import-Module activedirectory
Get-ADGroup -Filter * -Properties Members -searchbase “OU fqdn” –server  | where {-not $_.members} | select Name | Export-Csv D:\emprtygroups.csv –NoTypeInformation


Netwrix has recently published a free reference guide for configuring Windows server Auditing. This guide has details of how to configure Local audit policies, Windows registry auditing, Event log settings & Event ID’s generated for all audit related settings.

Microsoft has recently updated AD Maximum Limits – Scalability topic to show the improvements in Windows Server 2012. There are updates related to RID, MaxTokenSize. So go thorough this URL and update your knowledge 😉

Find all Empty GPO’s

Posted: October 16, 2012 in GPO, Scripts

Easiest way to find empty GPO is to check the User and Computer version no of each and every GPO. If user and computer version no is zero then that GPO is considered as empty. So how do we check the version no ? If we have more than 100 GPO then it is difficult to check the version no one by one manually.. In this situation we can use the below powershell commands to query the version no of GPOs.

PowerShell Code:-

Import-module grouppolicy

$gpos = get-gpo -All

foreach ($item in $gpos) {

if ($item.Computer.DSVersion -eq 0 -and $item.User.DSVersion -eq 0) {

write-host $item.Displayname



As far as i know ADfind.exe is one of the best tool which is used to pull object details from AD database. In this tool we can use any LDAP query that you can think of.

So here I’m going to use the same tool to pull this group details based on group scope ie. Universal Distribution Group, Universal Security Group, Security Distribution Group, Security Security Group, DomainLocal Distribution Group & DomainLocal Security Group

Before we start we should know the grouptype attribue & samaccounttype attribute of these group scope.

1) Adfind -f objectcategory=group :- List groups in present domain

2) Adfind -bit -f “(&(objectcategory=group)(samaccounttype=268435457)(grouptype:=AND=8))”  :- List all the universal distribution groups.

3) Adfind  -bit –f  “(&(objectcategory=group)(grouptype:AND= -2147483640))”  :- List all the universal security  groups

4) Adfind  -bit –f “(&(objectcategory=group)(grouptype:OR:=8))”  :- List all the universal  security  & distribution groups

5) adfind -bit -f “(&(objectcategory=group)(samaccounttype=268435457)(grouptype:=2) :- List all the global distribution groups

6) adfind -bit -f “(&(objectcategory=group)(grouptype:AND:=2147483646))” :- List all the global security group.

7) adfind -bit -f “(&(objectcategory=group)(grouptype:OR:=2))” :- List all the global security & distribution groups

8) adfind -bit -f “(&(objectcategory=group)(!member=*))” name :- list the empty groups in domain.


We might have heard 100 times that we should not keep Infrastructure Master role & Global Catalog in same DC. But most of the admins are not sure about the exact reason behind this. If you know how Infrastructure Master is working, it is really easy to find the logic behind this concept.

Infrastructure Master is used to maintain references to objects in other domain, known as
phantoms. So in a single domain environment it dosent matter where you keep the IM  role. If an object from Domain B is a member of a group in Domain A, infrastructure master in Domain A is responsible for maintaining a reference to this phantom object members. Infrastructure Master used to continually maintain the phantoms whenever the objects they refer are changed or moved in the object domain. It doses this by contacting the Global Catalog (because GC is always up to date and does not have any stale record) and compare the data’s. If Infrastructure Master finds any update info then it updates phantoms and replicates the information to other DC’s.

However if the DC has Im role and you have enabled GC on this DC the the DC has the up to date information Infrastructure Master thinks like there is no changes happened for the phantoms and it will never update any non GC DC’s.