Group Family Maintenance

We have created 2 Group Families in our domain. One of the group families is based on user's department. Over time, as user's departments have changed, a fairly significant number of the group family groups have become empty.

I would like to develop an automated process in powershell where by those groups in a group family that become empty will get deleted and removed from the captured groups list in the group family control object.

Is there any guidance on how one might accomplish this? Any information on policing these group families?

  • The following script finds controlled groups having empty membership:

    $groups = Get-QADGroup -Proxy -LdapFilter '(&(edsvaCGIsControlledGroup=TRUE)(!(member=*))'

    And the next script deletes found empty  groups:

    $groups | %{ Remove-QADObject $_ -Proxy }

  • That works great! I couldn't get your query filter to work due to the ! in the wrong place. I re-wrote it as follows

    $groups = Get-QADGroup -Proxy -LdapFilter '(&(edsvaCGIsControlledGroup=TRUE)(!member=*))'

    And it worked great.

    I have one related question though. If I delete the empty groups, what process cleans those groups out of the Controled Groups list in the group family object? Should I manually delete the 0 member groups from the controled groups list first and then delete the actual groups or should I do it in the opposite order. Or is there some process that cleans that up automatically?

  • The correct LDAP format would be:

    Get-QADGroup -Proxy -LdapFilter '(&(edsvaCGIsControlledGroup=TRUE)(!(member=*)))'

  • Ah! I see what the problem was with Sargay's first post. He's missing a paren at the end.

    I still would like info on how to clean out the controled groups in the group family object.

  • I was looking for an answer to this question also.

    Here is something I put together. I'm not all that great with powershell but this works.

    It would be nice to get the control group cleaned automatically when the group goes empty and the attribute in the set no longer is valid.

    $groups = Get-QADGroup -Proxy -LdapFilter '(&(edsvaCGIsControlledGroup=TRUE)(!(member=*)))' -IncludedProperties "edsvaCGControlledBy","objectGUID","cn"

    If ($groups)


    ForEach($group in $groups)


    $controlBy = $group.edsvaCGControlledBy

    $guid = $group.DirectoryEntry.objectGuid | convert-QADAttributeValue -outputTypeName 'Guid'

    $dn = $group.DN

    $cn = $

    #Write-Host $guid

    Get-QADGroup -Proxy -Identity $controlBy -IncludedProperties "edsvaGFValueCombinations" |

    % {

    $valueCombo = $_.edsvaGFValueCombinations

    $values = $valueCombo -split "<"

    ForEach($value in $values)


    #Write-Host $value

    If ($value.Contains($guid))


    $removeValue = "<" + $value

    $newValueCombo = $valueCombo -replace $removeValue, ""

    #Write-Host $newValueCombo



    Set-QADGroup -Proxy -Identity $controlBy -ObjectAttributes @{"edsvaGFValueCombinations"=$newValueCombo};


    #Write-Host "DELETE" $cn

    Remove-QADObject -Proxy $dn -Force

    Sleep -Seconds 2