Finding Active Directory groups that have not been changed in a long time reveals further candidates for closer inspection and possible clean-up. If a group object has not been modified, nobody has been added to it or removed from it either, so the group may well have been abandoned and is no longer used.
That is for you to find out. Here is the first step, showing how to detect old groups:
PS C:\> $last = (Get-Date) - (New-TimeSpan -Days 365)
PS C:\> Get-ADGroup -SearchScope Subtree -SearchBase "DC=toronto,DC=local" -Properties whenChanged -Filter {whenChanged -le $last} | Select-Object -Property distinguishedName, whenChanged | Export-Csv -Path C:\test\oldgroups.csv -NoTypeInformation
This PowerShell snippet is very much like the one used in the post about empty groups. It looks for all groups whose object has not been modified within the last 365 days, selects their distinguished name and last-changed date, and dumps the resulting list into a CSV file.
One thing requires extra attention here. We use the whenChanged attribute as the indication of when the group object was last modified. According to Microsoft, whenChanged is a non-replicated attribute: each DC keeps its own copy and updates it locally whenever it applies a change to the object, whether that change was made on that DC or arrived through replication. This may seem bullet-proof, yet it can leave a considerable discrepancy between the values held on different DCs. If replication is not working properly, whenChanged on a DC that has not yet received the change will lag behind by however long replication has been broken, and that DC will report the group as older than it really is.
That is why it matters which domain controller you run the script against. Target the most up-to-date DC, such as the PDC Emulator, by passing it to -Server, and if you suspect replication problems, compare the values returned by several DCs rather than trusting a single one.
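The following script is an added example, not code from the original post. It takes the replication caveat above one step further: instead of trusting a single DC, it asks every domain controller in the domain for whenChanged, keeps the most recent value seen for each group, and only then applies the 365-day cut-off. It assumes the ActiveDirectory module is available and reuses the toronto.local domain and the C:\test output folder from the post; a DC that cannot be reached is skipped with a warning rather than silently dropping its view of the groups.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory
# module and the toronto.local domain used in the post.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-365)

# Resolve the domain once; the PDC Emulator is used to enumerate the DC list.
$domain = Get-ADDomain -Identity 'toronto.local'
$dcs = (Get-ADDomainController -Filter * -Server $domain.PDCEmulator).HostName

# whenChanged is not replicated, so collect each DC's local value and keep the
# newest one per group. A DC behind on replication cannot then make a group
# look older than it is on the DC where the change was actually made.
$latest = @{}
foreach ($dc in $dcs) {
    try {
        Get-ADGroup -Server $dc -SearchBase $domain.DistinguishedName `
            -SearchScope Subtree -Filter * -Properties whenChanged |
        ForEach-Object {
            $dn = $_.DistinguishedName
            if (-not $latest.ContainsKey($dn) -or $_.whenChanged -gt $latest[$dn]) {
                $latest[$dn] = $_.whenChanged
            }
        }
    }
    catch {
        # An unreachable DC is reported, not ignored: its absence from the
        # comparison means the result is only as good as the DCs that answered.
        Write-Warning "Skipping $dc : $_"
    }
}

# Apply the cut-off to the newest value seen anywhere, then export as before.
$latest.GetEnumerator() |
    Where-Object { $_.Value -le $cutoff } |
    ForEach-Object {
        [pscustomobject]@{
            DistinguishedName = $_.Key
            whenChanged       = $_.Value
        }
    } |
    Sort-Object whenChanged |
    Export-Csv -Path 'C:\test\oldgroups.csv' -NoTypeInformation
```

Two things to keep in mind when reading the output. Querying every DC multiplies the LDAP traffic by the number of DCs, so in a large domain run it outside business hours or narrow -SearchBase to the OU you are reviewing. And whenChanged moves on any attribute write, including a description edit, so a recent value proves only that something touched the object, not that the group is in use; an old value is the stronger signal, and that is what this report surfaces.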