This PowerShell script is one of the most comprehensive you will find for producing a thorough overview and full report of all group objects in a domain. It is the culmination of many Active Directory audits and reviews and therefore contains valuable input from many customers.
A lot of thought has been put into the logic within this script to help an organisation understand:
- A breakdown of each group type (category and scope) that has been created
- Groups with no members
- Groups that are flagged as critical system objects
- Groups that are protected objects (AdminSDHolder), i.e. whose adminCount attribute is set to 1
- Groups that are conflicting/duplicate objects (name contains CNF: and/or sAMAccountName contains $Duplicate)
- Groups that are mail-enabled
- Distribution groups that are mail-disabled
- Groups that are Unix-enabled
- Groups that have expired
- Groups with SID history
- Groups with no Manager (managedBy)
- The non-“Microsoft” default groups that have been left in the default Users container
FYI:
- Mail-enabled groups are derived from the proxyAddresses, legacyExchangeDN, mailNickName, and reportToOriginator attributes, where reportToOriginator must be set to TRUE. This is not well documented.
- Unix-enabled groups are derived from the gidNumber, msSFU30Name, and msSFU30NisDomain attributes.
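The following is an added example, not the script the page describes, showing how the flags listed above can be derived from the attributes named in the list and in the FYI notes. It uses only the ActiveDirectory RSAT module. Several details are assumptions the page does not state: "mail-enabled" is taken to require proxyAddresses, legacyExchangeDN and mailNickname to all be populated and reportToOriginator to be TRUE; "Unix-enabled" is taken to mean any of gidNumber, msSFU30Name or msSFU30NisDomain is populated; "Microsoft default" groups in the Users container are taken to be those with a well-known RID below 1000 plus DnsAdmins and DnsUpdateProxy, which the DNS role creates with ordinary RIDs. The expiry check is omitted because the page does not say which attribute it reads.

```powershell
# Added example (not the page's script): derive the page's group flags with Get-ADGroup.
# Requires RSAT ActiveDirectory and read access to the domain.
Import-Module ActiveDirectory

$props = @(
    'groupCategory', 'groupScope', 'member', 'isCriticalSystemObject', 'adminCount',
    'proxyAddresses', 'legacyExchangeDN', 'mailNickname', 'reportToOriginator',
    'gidNumber', 'msSFU30Name', 'msSFU30NisDomain', 'sIDHistory', 'managedBy'
)

$domain      = Get-ADDomain
$usersDN     = $domain.UsersContainer                 # e.g. CN=Users,DC=corp,DC=example
$dnsDefaults = @('DnsAdmins', 'DnsUpdateProxy')       # assumption: DNS-role groups count as "default"

# True when an attribute was returned and is non-empty (handles single- and multi-valued attributes).
function Test-Populated {
    param($Value)
    return ($null -ne $Value -and @($Value).Count -gt 0)
}

$report = foreach ($g in Get-ADGroup -Filter * -Properties $props) {
    $rid = [int]($g.SID.Value.Split('-')[-1])         # well-known default groups have RIDs below 1000

    # Mail-enabled heuristic from the page's FYI note (assumption: all three attributes must be set).
    $mailEnabled = (Test-Populated $g.proxyAddresses) -and
                   (Test-Populated $g.legacyExchangeDN) -and
                   (Test-Populated $g.mailNickname) -and
                   ($g.reportToOriginator -eq $true)

    $inUsersContainer = $g.DistinguishedName -like "*,$usersDN"
    $isDefaultGroup   = ($rid -lt 1000) -or ($dnsDefaults -contains $g.Name)

    [PSCustomObject]@{
        Name              = $g.Name
        Category          = $g.GroupCategory
        Scope             = $g.GroupScope
        NoMembers         = -not (Test-Populated $g.member)
        CriticalSystem    = [bool]$g.isCriticalSystemObject
        AdminSDHolder     = ($g.adminCount -eq 1)
        # Single quotes keep '$Duplicate' literal; double quotes would expand it as a variable.
        Conflict          = ($g.Name -like '*CNF:*') -or ($g.sAMAccountName -like '*$Duplicate*')
        MailEnabled       = $mailEnabled
        MailDisabledDL    = ($g.GroupCategory -eq 'Distribution') -and (-not $mailEnabled)
        UnixEnabled       = (Test-Populated $g.gidNumber) -or
                            (Test-Populated $g.msSFU30Name) -or
                            (Test-Populated $g.msSFU30NisDomain)
        SidHistory        = Test-Populated $g.sIDHistory
        NoManager         = -not (Test-Populated $g.managedBy)
        NonDefaultInUsers = $inUsersContainer -and (-not $isDefaultGroup)
        DistinguishedName = $g.DistinguishedName
    }
}

# Breakdown by category and scope (the first item on the page's list).
$report | Group-Object Category, Scope | Select-Object Count, Name | Sort-Object Name

# Every other item on the list is a filter over the same objects, for example
# AdminSDHolder-protected groups that nobody owns:
$report | Where-Object { $_.AdminSDHolder -and $_.NoManager } | Select-Object Name, DistinguishedName

$report | Export-Csv -Path .\ADGroupReport.csv -NoTypeInformation
```

One caveat when reading the AdminSDHolder column: adminCount is set to 1 by SDProp when an object becomes protected, but it is not cleared when the object later leaves every protected group, so a group with adminCount=1 may be stale rather than currently protected. Cross-check such hits against the group's actual membership in protected groups before treating them as privileged.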