Skip to content

Finding all groups without a manager in a specific OU in AD

Last week, I showed you how you can easily find the OU to use when looking for the members of a specific OU. Today, I’d like to show you how I use that information. The background was that we use AD groups to control access to network shares. In order for IT support to know who is authorized to approve requests for access to these shares, we use the Managed By tab, assigning the owner of the network share as manager:

Screenshot of the Managed By tab of the properties for a AD Group

Unfortunately, a large number of these groups do not have an assigned owner, making things a little complicated. I was asked to provide a list of these groups so that we can try to find the tickets where they were requested in order to add this information. I started by finding the OU of one of these groups, before building my script.

First off, I know that I want to get an AD Group, so I use the Get-ADGroup command. I added the parameter -LDAPFilter "(!managedBy=*)" to filter out all those that has an entry in the Managed By field. For the sake of result validation, I tacked on the -Properties parameter with the ManagedBy value to ensure that it was added to the results. I specified the OU using the -SearchBase parameter followed by the OU in question (in quotation marks). In order to more easily manipulate the results, I piped it all to export using CSV.

My final query looked something like this: Get-ADGroup -LDAPFilter "(!managedBy=*)" -Properties ManagedBy -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" | Export-CSV -path .\GroupsManagedBy.csv

I opened the output CSV file in Excel, used the text to columns feature to separate it all to separate columns. Confirming that I had indeed not gotten any results with entries in the ManagedBy field, I copied the list to a separate Excel Workbook

I filtered out the groups that had a manager specified, and removed all extraneous information before passing the resulting list on to the colleague that had requested it.

By posting a comment, you consent to our collecting the information you enter. See privacy policy for more information.

This site uses Akismet to reduce spam. Learn how your comment data is processed.