Active Directory Cleanup Tool
Keep Active Directory secure and clean by reporting on inactive user and computer accounts.
- Find Inactive User Accounts
- Find Inactive Computer Accounts
- Bulk Move or Disable Accounts
- Find Empty Security Groups
Find inactive user and computer accounts that have not logged on in X number of days. The default search window is 90 days; you can change it to whatever you want.
Administrators will often set accounts to expire. But do they come back and delete the account? Most often these accounts are forgotten and hard to find. The Active Directory cleanup tool makes it easy to find all accounts that have expired.
A safe first step to cleaning up inactive accounts is to move them to another organizational unit. The Active Directory cleanup tool makes this easy. Just select the OU and all the identified inactive accounts will be moved.
Just like inactive accounts, disabled accounts can build up over time, leaving Active Directory with unnecessary accounts. These show up on audits and reports and add security risk.
It's hard to believe that accounts get created but are never used, but it does happen. These are just more accounts that clutter up Active Directory and lead to risk. The Active Directory cleanup tool can easily find and report on all accounts that have never been used.
Find all Active Directory groups that have no members. This is a task most administrators don't think to do because it's hard to do unless you have the right tools.
How Does it Work?
The Active Directory Cleanup tool is very easy to use; below you will find step-by-step instructions.
Example 1: Find all Inactive User Accounts
Step 1: Set Inactive Date
Using the calendar, pick the inactivity time. I recommend 90 days since the last logon, but you can choose any date you want.
Step 2: Click Search Button
With the date set, just click the search button to display all the inactive accounts.
The report displays the user's display name, samaccountname, enabled status and last logon date; every column can be sorted.
Step 3: Bulk Move or Disable Accounts (Optional)
This step is optional: you can move the inactive accounts to a separate organizational unit and disable them.
Just select the accounts, select "Disable Selected Users" and then click Apply.
When you perform an action such as moving or disabling accounts, the tool pops up and asks you to click OK to continue. This is a safety feature so you don't accidentally disable the wrong accounts.
The accounts are now disabled.
Next, select "Move selected Users to OU" and click the select button. You can now select the OU you want to move the accounts to and click OK.
Click OK to move the accounts.
Open Active Directory Users and Computers to verify the accounts are disabled and moved.
As you can see, it only took a few steps to identify all inactive user accounts, disable them and move them to another OU. These same steps should be completed for computer accounts. I recommend running these steps at least once a month to keep Active Directory secure and clean.
If you want to export the results to CSV just click the export button. Below is an example export of the inactive user accounts.
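The same procedure (find inactive accounts, export the report, then optionally disable and move them) can be scripted with the ActiveDirectory PowerShell module. The following is an added example, not the Active Directory Cleanup tool's own code; the target OU and report path are placeholders you must change for your domain, and the `-ObjectClass Computer` switch covers the computer-account run the page says to repeat monthly.

```powershell
# Added example (not the Active Directory Cleanup tool's own code).
# Placeholders: $TargetOU and $ReportPath below are assumptions, not from the page.
Import-Module ActiveDirectory

function Get-InactiveAccount {
    # Returns enabled user or computer accounts whose last logon is older than -Days.
    # LastLogonDate is derived from lastLogonTimestamp, which replicates only every
    # 9-14 days by default, so an inactivity window shorter than that is unreliable.
    # Accounts with no LastLogonDate at all are deliberately excluded here: the page
    # treats those as the separate "Users with No Logon" category.
    param(
        [int]$Days = 90,
        [ValidateSet('User', 'Computer')][string]$ObjectClass = 'User'
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    $props  = 'LastLogonDate', 'whenCreated', 'Enabled'
    $accounts = if ($ObjectClass -eq 'User') {
        Get-ADUser     -Filter 'Enabled -eq $true' -Properties $props
    } else {
        Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props
    }
    $accounts | Where-Object {
        $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff -and $_.whenCreated -lt $cutoff
    }
}

function Invoke-InactiveAccountCleanup {
    # Step 2 exports the report; step 3 (optional) disables and moves the accounts.
    # -WhatIf shows what would change without touching anything. Without -WhatIf a
    # single confirmation prompt is shown first, mirroring the tool's "click OK" safety step.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$Days = 90,
        [ValidateSet('User', 'Computer')][string]$ObjectClass = 'User',
        [string]$TargetOU   = 'OU=Inactive Accounts,DC=example,DC=com',   # placeholder
        [string]$ReportPath = "C:\Reports\Inactive$ObjectClass.csv"       # placeholder
    )
    $inactive = @(Get-InactiveAccount -Days $Days -ObjectClass $ObjectClass)

    # Export first, so the CSV records the original OU before anything is moved.
    $inactive |
        Select-Object Name, SamAccountName, Enabled, LastLogonDate, DistinguishedName |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host ("{0} inactive {1} account(s) written to {2}" -f $inactive.Count, $ObjectClass.ToLower(), $ReportPath)

    if ($inactive.Count -eq 0) { return }

    # One ShouldProcess call covers the whole batch: disable, then move.
    if ($PSCmdlet.ShouldProcess("$($inactive.Count) $ObjectClass account(s)", "Disable and move to $TargetOU")) {
        foreach ($acct in $inactive) {
            Disable-ADAccount -Identity $acct.DistinguishedName
            Move-ADObject     -Identity $acct.DistinguishedName -TargetPath $TargetOU
        }
    }
}

# Usage:
#   Invoke-InactiveAccountCleanup -Days 90 -ObjectClass User -WhatIf   # dry run, report only
#   Invoke-InactiveAccountCleanup -Days 90 -ObjectClass Computer       # prompts once, then acts
```

Run it with `-WhatIf` first and review the CSV; the whenCreated check keeps freshly created accounts that simply have not been used yet out of the inactive list.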
Find Expired User Accounts
Expired accounts are accounts whose account expiration date has passed. These are often overlooked and can clutter up Active Directory, so they need to be cleaned up.
To find all expired accounts, just select "Expired Users" and click Search.
Find all Disabled User Accounts
To find all disabled user accounts, select "Disabled Users" and click Search.
Find Unused User Accounts
You may be surprised at how many accounts in Active Directory have never been used. Some of these will be system accounts, and that is to be expected. Don't disable or move the system accounts.
To find unused accounts, select "Users with No Logon" and click Search.
In the above screenshot, Guest, DefaultAccount and krbtgt are system accounts and can be ignored. Arya Stark and Bran Stark are user accounts that have never been used. You will need to research any unused accounts in your organization. Once you verify they are no longer valid, disable and move them.
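The three reports above (expired users, disabled users, and users with no logon) can be produced with one small function, and the system accounts the page says to ignore can be flagged automatically: well-known principals such as Administrator (RID 500), Guest (501), krbtgt (502) and DefaultAccount (503) always have a relative identifier below 1000. This is an added example, not the tool's own code; it uses only the ActiveDirectory module and invents no names beyond the two functions shown.

```powershell
# Added example (not the Active Directory Cleanup tool's own code).
Import-Module ActiveDirectory

function Test-BuiltInAccount {
    # True for well-known principals: their RID (last SID component) is below 1000.
    param([Parameter(Mandatory)]$Account)
    $rid = [int]($Account.SID.Value -split '-')[-1]
    return $rid -lt 1000
}

function Get-ADUserCleanupReport {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Expired', 'Disabled', 'NoLogon')][string]$Category
    )
    $props = 'LastLogonDate', 'whenCreated', 'AccountExpirationDate', 'Enabled'
    $accounts = switch ($Category) {
        # "Expired Users": accountExpires is in the past
        'Expired'  { Search-ADAccount -AccountExpired  -UsersOnly |
                     ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties $props } }
        # "Disabled Users"
        'Disabled' { Search-ADAccount -AccountDisabled -UsersOnly |
                     ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties $props } }
        # "Users with No Logon": lastLogonTimestamp has never been set.
        # whenCreated tells you whether the account is merely new rather than abandoned.
        'NoLogon'  { Get-ADUser -Filter * -Properties $props | Where-Object { -not $_.LastLogonDate } }
    }
    foreach ($a in $accounts) {
        [pscustomobject]@{
            Name                  = $a.Name
            SamAccountName        = $a.SamAccountName
            Enabled               = $a.Enabled
            Created               = $a.whenCreated
            LastLogonDate         = $a.LastLogonDate
            AccountExpirationDate = $a.AccountExpirationDate
            BuiltIn               = Test-BuiltInAccount -Account $a
            DistinguishedName     = $a.DistinguishedName
        }
    }
}

# Usage: list never-used accounts, leaving the system accounts out of the candidate list.
#   Get-ADUserCleanupReport -Category NoLogon | Where-Object { -not $_.BuiltIn } | Format-Table -AutoSize
#   Get-ADUserCleanupReport -Category Expired | Export-Csv -Path .\ExpiredUsers.csv -NoTypeInformation
```

The `BuiltIn` column does the triage the page describes by hand (ignore Guest, DefaultAccount and krbtgt, research the rest); service accounts created by applications have ordinary RIDs and will still need a manual check before they are disabled.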
Find Inactive Computer Accounts
To find inactive computer accounts, just switch to the Computers tab, select your search criteria and click Search.
Find Empty Unused Groups
In your environment you may have hundreds to thousands of AD groups. The problem is that there is no easy way to know whether these groups are used.
The AD Cleanup tool can help by finding all groups that have no members. A group with no members is a good indicator that it is not being used. This depends on your environment; you may have valid groups that are empty and only have members at specific times.
To find empty groups, just switch to the Groups tab and click Search.
In my test lab, I ran this tool and found three groups that have no members. I know these groups are not being used, so I can get rid of them.
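An empty-group report is a one-liner with the ActiveDirectory module, but two cases make a plain "no members" check misleading: the default groups (Domain Users, Domain Computers, Domain Controllers) have an empty `member` attribute because their membership comes from each account's primaryGroupID, and a group created last week may simply not be populated yet. The following added example (not the tool's own code) handles both; the 30-day minimum age is an assumption you can adjust.

```powershell
# Added example (not the Active Directory Cleanup tool's own code).
Import-Module ActiveDirectory

function Get-EmptyADGroup {
    # Lists groups with no direct members, skipping protected/default groups and
    # groups newer than -MinAgeDays (assumed default of 30; change to taste).
    param([int]$MinAgeDays = 30)
    $cutoff = (Get-Date).AddDays(-$MinAgeDays)
    $props  = 'Members', 'whenCreated', 'whenChanged', 'isCriticalSystemObject', 'Description'

    Get-ADGroup -Filter * -Properties $props |
        Where-Object {
            $rid = [int]($_.SID.Value -split '-')[-1]
            $_.Members.Count -eq 0 -and
            # Default groups (Domain Users = 513, Domain Computers = 515, ...) look empty
            # because membership is held in primaryGroupID, and protected system groups
            # must never be removed; both are excluded here.
            $rid -ge 1000 -and -not $_.isCriticalSystemObject -and
            $_.whenCreated -lt $cutoff
        } |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                Scope             = $_.GroupScope
                Category          = $_.GroupCategory
                Created           = $_.whenCreated
                LastChanged       = $_.whenChanged
                Description       = $_.Description
                DistinguishedName = $_.DistinguishedName
            }
        }
}

# Usage:
#   Get-EmptyADGroup | Sort-Object LastChanged | Format-Table -AutoSize
#   Get-EmptyADGroup | Export-Csv -Path .\EmptyGroups.csv -NoTypeInformation
```

`LastChanged` (whenChanged) is the quickest way to spot the "valid but empty right now" groups the page warns about: a group whose membership changed recently is probably populated on a schedule, while one untouched for years is a much safer removal candidate. An empty group can still be referenced in file ACLs or Group Policy filtering, so check those references before deleting it.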