The AD Assessment reports that I regularly see lately from various “largish” “well known” Third Party Consulting companies seem to often be no more than bad opinions and sensationalism to try and make the customer feel good for over-paying for the AD “Consultants” to come in and look around.
Yes there are a lot of stupid things out there, stop making them out to be “end-of-the-world” class problems.
For example, a large number of empty groups is indeed silly and should be removed but it isn’t a substantial waste on your Active Directory causing excessive unnecessary replication nor is it going to massively slow down Active Directory or authentication. Plus there is always the possibility that the groups are used, just not populated except for certain times. For example, Schema Admins is generally empty in many orgs, should it be deleted? That is probably not the norm but telling a company to simply go delete 5,000 or 10,000 groups without any understanding of why they are there and if they are used at all is a bit shortsighted. It has been a long while since I tried to size out objects in AD But I seem to recall 10k empty groups with 60 character names was roughly 25MB. I am not going to haphazardly blow away groups that I am not sure about just to try and recoup 25MB. Heck even if I did that and then waited for the lifetime to expire on the tombstones I am not going to bother performing offline defrags to get that space back. If you are THAT tight on space in the world of the disks we have today, you have much greater issues my friend.
Another example, AD Sites that don’t have Domain Controllers… They aren’t the end of the world either and aren’t causing inefficiencies in user logons and extra authentication traffic. There are valid reasons for sites without Domain Controllers in an AD Topology for other applications and it is why it is handled so well by default with the closest DCs picking up those sites and registering DNS records for them.
Don’t get me wrong, I am a strong proponent of Object Life Cycle Management which is something many (probably most) companies screw up, but I am not a proponent of FUD Reports to justify stupidly highly paid outside consultants. So, when I get ahold of a report that has that FUD in it, don’t be surprised when I let the management know my opinion of the person who wrote it and their understanding of Active Directory.