Using the Active Directory command-line tools, I have scripted NoMembers.bat to display the distinguished name of all domain groups that have no members.
The syntax for using NoMembers.bat is:
NoMembers
NoMembers.bat contains:
@echo off
setlocal ENABLEDELAYEDEXPANSION
for /f "Tokens=*" %%a in ('dsquery group') do (
call :quiet %%a >nul 2>&1
if "!mbr!" EQU "N" @echo %%a
)
endlocal
goto :EOF
:quiet
set mbr=N
for /f "Tokens=*" %%m in ('dsget group %1 -members') do (
set mbr=Y
)