Active Directory Clean Up Inactive Groups

Removing or archiving inactive groups in Active Directory is essential. Cleaning up inactive groups keeps your directory organized and also reduces risk: orphaned groups can themselves be members of more critical groups. It is important, however, not to remove every group in Active Directory that has no members, because some groups without members are critical system groups, and you do not want those in your reports or in your clean-up script. Keeping an orderly directory is part of creating a secure environment. An Active Directory clean-up script for inactive groups can be written in PowerShell, but it has never been easier than with Web Active Directory’s PeopleAudit.

Active Directory Clean Up Inactive Groups in PowerShell

When you run the following script on the server, it only lists the inactive groups (groups with no members). Uncomment the “Remove-ADGroup” line to remove them, or adapt it to move them to a location you have reserved for archived groups.

Import-Module ActiveDirectory
# $BindUserCredentials = Get-Credential   # service-account credential; needed only once Remove-ADGroup is uncommented
Get-ADGroup -Filter * -Properties Members, isCriticalSystemObject |
    Where-Object {
        # Empty, not a protected system group, and not a built-in Exchange or DNS group
        $_.Members.Count -eq 0 -and -not $_.isCriticalSystemObject -and
        $_.DistinguishedName -notmatch 'Exchange Security' -and $_.DistinguishedName -notmatch 'Dns'
    } |
    ForEach-Object {
        # Uncomment to remove the group instead of only listing it
        # Remove-ADGroup -Credential $BindUserCredentials -Confirm:$false -Identity $_.DistinguishedName
        Get-ADGroup -Identity $_.DistinguishedName
    }

You’ll want to use something like Microsoft’s Task Scheduler to run this script unattended. You would also want to run it under a dedicated service account and pass “-Credential” to your PowerShell commands to keep things more secure. It is also a good idea to send notification emails when groups have been archived or removed, so that an unattended run leaves a log and a history.
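The whole procedure above (the empty-group filter, a service-account credential, unattended scheduling, and a log plus notification email) carried through in one script, as an added example; it is not the page’s own script and not part of PeopleAudit. The archive OU, log path, credential file, mail settings and service-account name are assumed placeholders, and storing the credential with Export-Clixml is a technique the page itself does not mention.

```powershell
# Added example (not the page's own script): list, archive or remove empty, non-critical AD groups
# unattended, under a stored service-account credential, writing a log and sending a notification.
# Every setting below is an assumed placeholder; adjust it for your domain.

Import-Module ActiveDirectory

$ArchiveOU      = 'OU=Archived Groups,DC=example,DC=com'   # OU reserved for archived groups
$LogPath        = 'C:\Scripts\Logs\InactiveGroups.log'
$CredentialFile = 'C:\Scripts\svc-adcleanup.cred.xml'       # created once: Get-Credential | Export-Clixml
$Mode           = 'Report'                                   # 'Report', 'Archive' or 'Remove'
$MailFrom       = 'adcleanup@example.com'
$MailTo         = 'admins@example.com'
$SmtpServer     = 'smtp.example.com'

# Export-Clixml protects the password with DPAPI for the account that ran it, so the file is only
# readable by the same service account on the same machine. Run the one-time export as that account.
$Cred = Import-Clixml -Path $CredentialFile

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    $line   # returned so the same text can go into the notification email
}

# Name patterns excluded even when the group is empty (same exclusions as the page's script).
$Exclusions = 'Exchange Security', 'Dns'

$candidates = Get-ADGroup -Filter * -Properties Members, MemberOf, isCriticalSystemObject, whenCreated -Credential $Cred |
    Where-Object {
        $_.Members.Count -eq 0 -and
        -not $_.isCriticalSystemObject -and                 # never touch protected system groups
        $_.DistinguishedName -notmatch ($Exclusions -join '|') -and
        $_.DistinguishedName -notlike "*,$ArchiveOU"        # skip groups already archived
    }

$report = foreach ($g in $candidates) {
    # An empty group can still be nested inside another group; record that before touching it.
    $nested = if ($g.MemberOf) { $g.MemberOf -join '; ' } else { '(none)' }
    switch ($Mode) {
        'Archive' {
            Set-ADGroup -Identity $g -Credential $Cred `
                -Description ('Archived {0:yyyy-MM-dd}, was {1}' -f (Get-Date), $g.DistinguishedName)
            Move-ADObject -Identity $g -TargetPath $ArchiveOU -Credential $Cred
        }
        'Remove'  { Remove-ADGroup -Identity $g -Confirm:$false -Credential $Cred }
    }
    Write-Log ('{0}: {1} (created {2:yyyy-MM-dd}; member of: {3})' -f $Mode, $g.DistinguishedName, $g.whenCreated, $nested)
}

if ($report) {
    Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer `
        -Subject ('AD inactive group clean-up ({0} mode): {1} group(s)' -f $Mode, @($report).Count) `
        -Body ($report -join "`n")
}

# One-time scheduling (run once as an administrator); the task then runs under the service account.
# Assumed task name, path and account:
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File C:\Scripts\Clean-InactiveGroups.ps1'
# $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am
# Register-ScheduledTask -TaskName 'AD Inactive Group Cleanup' -Action $action -Trigger $trigger `
#     -User 'EXAMPLE\svc-adcleanup' -Password (Read-Host 'Service account password')
```

Run it interactively in Report mode first and review the log: the “member of” column shows which empty groups are nested inside other groups, which is exactly the case the introduction warns about, and nothing is moved or deleted until you switch the mode to Archive or Remove.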

Web Active Directory’s PeopleAudit

Web Active Directory’s PeopleAudit allows you to run and/or schedule these jobs without writing PowerShell.

Safely and securely specify the service account to use to perform tasks.

Configure notifications and logging to keep you aware of what’s going on.

Easily specify and configure what constitutes an inactive group.

Customize and delegate out-of-the-box web-based reports that can also be run and emailed automatically to users you choose.