Cleanup of unused security groups
Hello, My workplace has a large number of unused security groups. This causes issues when the user is a member of so many groups that their token grows too large. This causes login issues when the user attempts to authenticate to some other systems within our enterprise. I have been asked to do an audit of all the security groups in our domain and remove the ones that are not being used. I've been told that it's impossible to determine whether or not a security group is being used. Are there any utilities I can use to accomplish this? I need to remove the unused groups without affecting our production environment. Thanks.
March 25th, 2011 8:48pm

It can be a bit painful hunting down unused groups. However, here are a couple of things to get you started:

Create a custom query (or script) to find all security groups that do not have members. If a security group does not have a member, it is a prime candidate for deletion. There are a bunch of scripts already written that you can grab by searching the internet.

Export all of the existing security groups to a spreadsheet. Then, use that as you go through the cleanup process. If a group is empty, mark it as empty on the spreadsheet, etc.

Use a tool like DumpSEC (http://www.systemtools.com/somarsoft/?somarsoft.com) to dump folder permissions on your file servers. This will allow you to determine which groups are being used (thus, they are likely not candidates for deletion). In addition, this will often show you overlapping groups (groups that have the same purpose and may be consolidated).

Look at other places where the security groups are being used and create scripts to dump/export the permissions. For example, you may be using groups to delegate Active Directory tasks, to grant local administrative rights on computers, etc. All of those permissions can be exported so you can determine which groups are in use (and also find more consolidation candidates).

Hope that helps! Brian
March 25th, 2011 9:45pm

Hi dbutch1976, In addition to the above suggestions, please also have a look at this article: How Can I Use Windows PowerShell 2.0 to Find Active Directory Domain Services Groups Not Being Used? http://blogs.technet.com/b/heyscriptingguy/archive/2010/07/22/hey-scripting-guy-how-can-i-use-windows-powershell-2-0-to-find-active-directory-domain-services-groups-not-being-used.aspx Hope it helps. Regards, Bruce

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 28th, 2011 1:23pm

Thanks for the tips guys, I'm sure they'll definitely come in handy during my project.
March 28th, 2011 4:05pm

Hello, I've begun using PowerShell commands to query my Active Directory. This command gives me a listing of all the security groups in my AD:

Get-ADGroup -filter {GroupCategory -eq "Security"}

I'd like to modify the command to give me a list of all groups that were created before a certain date. I know that this information is tracked because if I open the properties of a security group in AD I can see the following two fields which are applicable: whenChanged, whenCreated. Does anyone know how to get an output of all security groups created prior to December 1st 2005?
April 11th, 2011 9:33am
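The following PowerShell script is an added example, not code posted by anyone in this thread or taken from the linked Hey Scripting Guy article. It pulls together the audit steps Brian described (find empty groups, export everything to a spreadsheet, dump file-server permissions to see which groups are referenced) and the whenCreated filter asked about in the last post. It assumes the ActiveDirectory module from RSAT is installed, that the account running it can read group membership and folder ACLs, and that the share root and report path below are placeholders to be replaced with real values.

```powershell
# Added example: inventory AD security groups and gather the evidence needed to
# judge which ones are candidates for removal. Nothing here deletes or modifies AD;
# it only reads and writes a CSV report.
Import-Module ActiveDirectory

$Cutoff     = Get-Date '2005-12-01'            # flag groups created before this date
$ShareRoots = @('\\FILESERVER01\Data')          # placeholder UNC paths; replace with real shares
$ReportPath = 'C:\Temp\SecurityGroupAudit.csv'  # placeholder output location

# 1. All security groups. whenCreated/whenChanged/Members/MemberOf are not
#    returned by default, so they have to be requested with -Properties.
$groups = Get-ADGroup -Filter { GroupCategory -eq "Security" } `
                      -Properties Members, MemberOf, whenCreated, whenChanged, Description

# 2. The whenCreated question from the thread, answered as a server-side filter.
#    Variables inside the -Filter script block are expanded by the AD cmdlets.
$oldGroups = Get-ADGroup -Filter { GroupCategory -eq "Security" -and whenCreated -lt $Cutoff } `
                         -Properties whenCreated
Write-Host ("{0} security groups were created before {1:yyyy-MM-dd}" -f @($oldGroups).Count, $Cutoff)

# 3. Collect group names that appear directly in folder ACLs on the file servers
#    (the PowerShell equivalent of the DumpSEC step). Nested group usage is not
#    resolved here, so this is evidence of use, not proof of non-use.
$referenced = @{}
foreach ($root in $ShareRoots) {
    Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if ($null -ne $acl) {
                foreach ($ace in $acl.Access) {
                    # IdentityReference is "DOMAIN\Name"; keep only the name part
                    $name = ($ace.IdentityReference.Value -split '\\')[-1]
                    $referenced[$name] = $true
                }
            }
        }
}

# 4. One row per group for the spreadsheet. "Members" excludes accounts whose
#    primary group is this group (e.g. Domain Users), so IsEmpty can be wrong
#    for groups used as a primary group; check primaryGroupID before trusting it.
$report = foreach ($g in $groups) {
    [pscustomobject]@{
        Name                 = $g.Name
        SamAccountName       = $g.SamAccountName
        MemberCount          = @($g.Members).Count
        IsEmpty              = (@($g.Members).Count -eq 0)
        NestedInGroups       = @($g.MemberOf).Count       # > 0 means another group uses it
        WhenCreated          = $g.whenCreated
        WhenChanged          = $g.whenChanged
        CreatedBeforeCutoff  = ($g.whenCreated -lt $Cutoff)
        ReferencedInFileAcls = $referenced.ContainsKey($g.SamAccountName)
        Description          = $g.Description
    }
}

# Empty, unreferenced, non-nested groups sort to the top as the strongest candidates.
$report |
    Sort-Object -Property @{Expression='IsEmpty';Descending=$true},
                          @{Expression='ReferencedInFileAcls';Descending=$false},
                          @{Expression='NestedInGroups';Descending=$false} |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} security groups written to {1}" -f @($report).Count, $ReportPath)
```

The report deliberately stops at "candidate", because file-server ACLs are only one place a group can be used: delegation ACLs in AD, local Administrators membership on workstations, GPO security filtering and application-side role mappings all reference groups without leaving a trace in a share permission dump. A group that is empty, not nested in any other group and not found in any exported permission set is a strong candidate; a common way to remove it without affecting production is to rename or move it to a quarantine OU first, wait for an agreed period, and only then delete it, which keeps the SID recoverable if something does break.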

