This project is read-only.
Project Description
This tool scans Active Directory for groups with matching or empty membership lists, identifying redundant groups that can possibly be eliminated.

Once you scan active directory for groups with matching membership, you'll know which groups may be an opportunity to eliminate redundancy, so you can lower the management overhead of ensuring they remain consistent.

Also, this tool can list which groups are completely empty, and those groups can be removed without impacting any user permissions at all. While permissions might still be assigned to the group somewhere on your network, no users are in the group, meaning that they're getting their access from membership in another group somewhere else.

AD Group Comparison.gif


To use the tool, just follow these instructions:
  1. Load the tool
  2. Ensure that "Domain to load" matches the domain you'd like to search
  3. Set "Match behavior" (default is only exact matches - can be changed to match groups that are "close")
  4. Let's Go!
The tool will list every group on your domain in the upper-left listbox - selecting any group in this list will show you the members below. Once you select a group, matching groups will be displayed in the upper right listbox, and clicking on any one of these will also show the membership below (this will be an exact match if you selected "Show only exact matches" - the default - or will be different if you selected to allow differences).

There are also display options in the lower left - changing these options will refresh the screen, but will not require the tool to re-scan all active directory groups.
  • Include groups with no matches - by default, the group list will only show groups that have at least one other match. Selecting this option will show all groups in the "Domain Groups" list, and selecting one without any matching groups will still populate the "Group Members" list, but will leave the "Matching Groups" list empty.
  • Empty Groups - whether you want to show empty groups in the "Domain Groups" list. You can select to include them normally (and display "matching" empty groups), exclude them from the list, or show only empty groups (if you're looking for groups to remove)

That's it! Any suggestions or feature requests are welcome, and I hope this tool is helpful!

Last edited Aug 1, 2013 at 5:04 PM by rwmnau, version 3