Active Directory Cleanup Tool

Leaving stale, expired, and inactive accounts in Active Directory is a security risk. This tool quickly finds old accounts and allows you to bulk disable, delete, and more.


Key Features

Find Inactive Users and Computers

Attackers can use inactive accounts to try to break into an organization. It is important to find these inactive accounts and disable them on a routine maintenance schedule. This tool quickly finds inactive accounts and lets you take action on them.

Bulk Move Accounts

A safe first step to cleaning up inactive accounts is to move them into another organizational unit. The Active Directory cleanup tool makes this easy. Just select the OU and all the selected accounts will be moved.

Easy To Use, No Scripting Required

This easy-to-use GUI tool requires no coding or scripts. This saves you time because you do not have to update or change complicated scripts.

Improve AD Security

The AD Cleanup Tool will help reduce security risks by finding stale AD objects that hackers or bad actors can use to gain unauthorized access to your networks.

Find Never Logged On Users

You might be surprised at how many user accounts have never been used. This tool will easily display all accounts that have no logon activity. Carefully review these accounts and take action on them such as bulk moving to another OU or bulk disabling.

Get All Disabled Accounts

Disabled accounts can build up over time, leaving Active Directory with unnecessary accounts. These can show up on audits and reports and add security risks. They also lead to data integrity issues with inventory and licensing.

Empty Groups

Find all Active Directory groups that have no members. This is a task most administrators don’t think to do because it’s hard to do unless you have the right tools.

“Our Active Directory was a huge mess. We used the AD Cleanup tool to find unused computer accounts and disabled them. We started with over 900 computers and found 300+ inactive accounts.”

Brian Stillwell – Sr. System Administrator

How to Clean Up Active Directory

The AD Cleanup tool makes it easy to clean up Active Directory with its built-in filters to display inactive users, computers, and empty groups. It just takes a few simple steps…

1. Get All Stale/Inactive User Accounts

To find stale user and computer accounts, enter the timeframe in the search options and click run. In this example, I’m searching for accounts that have not been used within 15 days.

By default, the AD Cleanup tool will search for both users and computers. Use the filter options to limit the results to users only or computers only.

2. Find All Disabled Users

To find all disabled users, select “Show Users” and then “Disabled Users” from the filter dropdown, and then click “run”.

If you want to include disabled computers, click on “Show Computers” and “Disabled Computers”.

3. Get All Expired User Accounts

Expired accounts are accounts that have been set to expire on a specific date. You should review and determine if these are still valid accounts.

To display all expired accounts, select “Show Users” and “Expired Users” from the filter menu and click run.

4. Display All Users’ Last Logon Time

The lastLogonTimestamp attribute can help you determine if an account has been used recently. This attribute is updated when an account authenticates to the domain. To see every user’s last logon time, uncheck the “no logons within” option and click run. If an account has no timestamp, it will display “Never Logged On”.

5. Bulk Disable or Move to OU

When you have identified the accounts you want to clean up, it is recommended to first disable the accounts. To disable the accounts, select them from the results grid and click the disable button. I recommend creating an OU called inactive users and moving the accounts there.
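
The checks in steps 1 to 4 can also be expressed over exported account attributes, which is useful for cross-checking any report before disabling accounts in bulk. The sketch below is an added example, not part of the AD Cleanup Tool; the record layout, labels, and sample accounts are constructed for illustration. It assumes the default behaviour in which lastLogonTimestamp can trail the real last logon by up to 14 days, so accounts only just past the cutoff are marked for review rather than inactive.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_ACCOUNTDISABLE = 0x0002                 # userAccountControl bit: account disabled
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}     # accountExpires values meaning "never"
SYNC_LAG = timedelta(days=14)               # assumed default lastLogonTimestamp update interval

def to_filetime(dt):
    """datetime -> 100-ns ticks since 1601-01-01 UTC (used to build the sample data)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def from_filetime(ticks):
    """100-ns ticks since 1601-01-01 UTC -> datetime; 0 or missing means 'not set'."""
    return EPOCH_1601 + timedelta(microseconds=int(ticks) // 10) if ticks else None

def classify(rec, now, days):
    """Return the cleanup labels that apply to one exported account record."""
    labels = set()
    if int(rec.get("userAccountControl", 0)) & UAC_ACCOUNTDISABLE:
        labels.add("disabled")
    expires = int(rec.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and from_filetime(expires) <= now:
        labels.add("expired")
    last = from_filetime(rec.get("lastLogonTimestamp"))
    if last is None:
        labels.add("never_logged_on")
    elif now - last > timedelta(days=days) + SYNC_LAG:
        labels.add("inactive")            # stale even allowing for update lag
    elif now - last > timedelta(days=days):
        labels.add("review")              # may have logged on since the stored value
    return labels

# Constructed sample data: hypothetical accounts, fixed clock for repeatable output.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def ago(d): return to_filetime(NOW - timedelta(days=d))
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "lastLogonTimestamp": ago(3)},
    {"sAMAccountName": "bob", "userAccountControl": 512, "lastLogonTimestamp": ago(20)},
    {"sAMAccountName": "carol", "userAccountControl": 514, "lastLogonTimestamp": ago(200)},
    {"sAMAccountName": "svc-old", "userAccountControl": 512, "accountExpires": ago(10)},
]

def report(records=SAMPLE, now=NOW, days=15):
    """Map each account name to its sorted labels (empty list means active)."""
    return {r["sAMAccountName"]: sorted(classify(r, now, days)) for r in records}

if __name__ == "__main__":
    for name, labels in report().items():
        print(f"{name:10} {', '.join(labels) or 'active'}")
```

With the 15-day cutoff used in step 1, the account last seen 20 days ago lands in "review" rather than "inactive", which is the case worth checking by hand before a bulk disable.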

Try The AD Cleanup Tool For FREE

Join 100,000+ global IT professionals and enjoy efficient, optimized, and intuitive Active Directory management that saves time and makes your job easier.