Active Directory Cleanup Tool

Keep Active Directory secure and clean by reporting on inactive user and computer accounts.

Key Features

  • Find Inactive User Accounts
  • Find Inactive Computer Accounts
  • Bulk Move or Disable Accounts
  • Find Empty Security Groups

Features Overview

Find Inactive Accounts

Find inactive user and computer accounts that have not logged on in a chosen number of days. The default search window is 90 days; you can change it to whatever suits your environment.

Find Expired Accounts

Administrators often set accounts to expire, but do they come back and delete them afterwards? More often than not these accounts are forgotten and hard to find. The Active Directory cleanup tool makes it easy to find every account whose expiration date has passed.

Bulk Move Accounts

A safe first step to cleaning up inactive accounts is to move them to another organizational unit. The Active Directory cleanup tool makes this easy. Just select the OU and all the identified inactive accounts will be moved.

Find Disabled Accounts

Just like inactive accounts, disabled accounts build up over time and leave Active Directory full of unnecessary objects. They show up on audits and reports, and they carry real risk: a disabled account keeps its group memberships, so anyone who re-enables it gets all of its old access back.

Find Unused Accounts

It's hard to believe that accounts get created but are never used, but it happens. These are just more accounts that clutter up Active Directory and add risk. The Active Directory cleanup tool can easily find and report on all accounts that have never logged on.

Empty Groups

Find all Active Directory groups that have no members. Most administrators never think to do this because it is hard to do without the right tools.

How Does it Work?

The Active Directory Cleanup tool is very easy to use; below you will find step-by-step instructions.

Example 1: Find all Inactive User Accounts

Step 1: Set Inactive Date

Using the calendar, pick the inactivity cutoff. I recommend 90 days since the last logon, but you can choose any date you want.

Step 2: Click Search Button

With the date set now just click the search button to display all the inactive accounts.

The report displays each user's display name, samAccountName, enabled status and last logon date; every column can be sorted.

Step 3: Bulk Move or Disable Accounts (Optional)

This step is optional: you can move the inactive accounts to a separate organizational unit and disable them. Disabling is what actually removes the access; moving only changes where the object lives, so do both.

Just select the accounts, choose "Disable Selected Users" and click Apply.

Disable all inactive user accounts

When you perform an action such as moving or disabling accounts, the tool pops up a confirmation and asks you to click OK to continue. This is a safety feature so you don't accidentally disable the wrong accounts.

The accounts are now disabled.

Next, select "Move selected Users to OU" and click the select button. You can now select the OU you want to move the accounts to and click OK.

Click OK to move the accounts.

Open Active Directory Users and Computers to verify the accounts are disabled and moved.

As you can see, it only took a few steps to identify all inactive user accounts, disable them and move them to another OU. These same steps should be completed for computer accounts. I recommend running these steps at least once a month to keep Active Directory secure and clean.
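The same Example 1 workflow in PowerShell, as an added example that is not part of the tool and not the tool's own code. It also writes the CSV that the Export Results step below produces from the GUI. Everything it relies on is an assumption: the RSAT ActiveDirectory module, the 90-day window, and a target OU named `OU=Disabled Users,DC=corp,DC=example` that already exists. One caveat the screenshots cannot show: LastLogonDate is the replicated lastLogonTimestamp attribute, which is only refreshed when the stored value is more than about 14 days old, so it can trail the real last logon by up to two weeks. A 90-day window absorbs that slack; a 7-day window would produce false positives.

```powershell
# Added example (not the tool's own code). Assumes the RSAT ActiveDirectory
# module; the 90-day window and the target OU below are assumed values, and
# the OU must exist before anything is moved into it.
Import-Module ActiveDirectory

function Get-InactiveUser {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $query = @{
        Filter     = 'Enabled -eq $true'
        SearchBase = $SearchBase
        Properties = 'LastLogonDate', 'whenCreated', 'DisplayName'
    }
    Get-ADUser @query | Where-Object {
        # Built-in accounts (Administrator 500, Guest 501, krbtgt 502,
        # DefaultAccount 503) have RIDs below 1000 and are never candidates.
        $rid = [int]($_.SID.Value.Split('-')[-1])
        # An account created inside the window has had no chance to log on yet.
        $oldEnough = $_.whenCreated -lt $cutoff
        # LastLogonDate = replicated lastLogonTimestamp; null means never logged on.
        $noRecentLogon = ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
        ($rid -ge 1000) -and $oldEnough -and $noRecentLogon
    }
}

function Invoke-InactiveUserCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$InactiveDays = 90,
        [string]$TargetOU = 'OU=Disabled Users,DC=corp,DC=example',   # assumed OU
        [string]$ReportPath = "$env:TEMP\inactive-users.csv"
    )
    $stale = @(Get-InactiveUser -InactiveDays $InactiveDays)
    # Export before acting: the CSV is the record of what was changed and when.
    $stale | Select-Object DisplayName, SamAccountName, Enabled, LastLogonDate, DistinguishedName |
        Export-Csv -Path $ReportPath -NoTypeInformation
    foreach ($user in $stale) {
        # ShouldProcess is the scripted equivalent of the tool's OK prompt:
        # -WhatIf only reports, -Confirm asks per account.
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable and move to $TargetOU")) {
            # Stamp the reason so the next reviewer knows why it was disabled.
            Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveDays days"
            # Disable first: disabling removes the access, the move only relocates the object.
            Disable-ADAccount -Identity $user
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU
        }
    }
    return $stale.Count
}

# Dry run first: lists every account that would be disabled and moved, changes nothing.
Invoke-InactiveUserCleanup -InactiveDays 90 -WhatIf
# Then for real, with a prompt per account:
# Invoke-InactiveUserCleanup -InactiveDays 90 -Confirm
```

Run the `-WhatIf` form first and read the CSV before running with `-Confirm`. The description stamp is what lets you tell, months later, whether an account in the disabled OU was parked by this process or by someone else.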

Export Results

If you want to export the results to CSV just click the export button. Below is an example export of the inactive user accounts.

Inactive Users exported to CSV

Find Expired User Accounts

Expired accounts are accounts whose account expiration date has been set and has already passed. They are often overlooked and clutter up Active Directory, so they need to be cleaned up.

Example Active Directory expired account

To find all expired accounts just select "Expired Users" and click search.

List of Active Directory Expired User Accounts

Find all Disabled User Accounts

To find all disabled user accounts, select "Disabled Users" and click search.

Find Unused User Accounts

You may be surprised at how many accounts in Active Directory have never been used. Some of these will be system accounts, and that is expected. Don't disable or move the system accounts.

To find unused accounts select "Users with No Logon" and click search.

In the screenshot above, Guest, DefaultAccount and krbtgt are system accounts and can be ignored. krbtgt in particular must be left alone: it is disabled by design, and its password secures every Kerberos ticket in the domain. Arya Stark and Bran Stark are user accounts that have never been used. Research any unused account with its owner in your organization; once you have verified it is no longer valid, disable it and move it.
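The three searches in this part of the page (Expired Users, Disabled Users and Users with No Logon) as one PowerShell report, added here as an example rather than taken from the tool. It assumes the ActiveDirectory module and a 30-day grace period for newly created accounts; the grace period is an assumed value. System accounts are excluded by well-known RID rather than by name, because the built-in accounts can be renamed but their RID never changes. An account can appear in more than one category, which is useful: an expired account that is still enabled is exactly the kind of forgotten object the page describes.

```powershell
# Added example (not the tool's own code). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Built-in accounts have RIDs below 1000 (Administrator 500, Guest 501,
# krbtgt 502, DefaultAccount 503). They are never cleanup candidates.
function Test-BuiltInAccount {
    param([Parameter(Mandatory)] $Account)
    return ([int]($Account.SID.Value.Split('-')[-1]) -lt 1000)
}

function New-ReportRow {
    param($Category, $Account)
    [pscustomobject]@{
        Category          = $Category
        SamAccountName    = $Account.SamAccountName
        Enabled           = $Account.Enabled
        Created           = $Account.whenCreated
        DistinguishedName = $Account.DistinguishedName
    }
}

function Get-StaleAccountReport {
    param([int]$MinAgeDays = 30)   # assumed grace period for brand-new accounts
    $minCreated = (Get-Date).AddDays(-$MinAgeDays)
    $rows = @()

    # Expired: accountExpires is set and in the past. Search-ADAccount does the
    # FILETIME conversion and treats both "never expires" encodings correctly.
    foreach ($a in (Search-ADAccount -AccountExpired -UsersOnly)) {
        $u = Get-ADUser -Identity $a.DistinguishedName -Properties whenCreated
        $rows += New-ReportRow 'Expired' $u
    }

    # Disabled: these still hold their group memberships, so they still matter
    # to an access review even though they cannot log on right now.
    foreach ($u in (Get-ADUser -Filter 'Enabled -eq $false' -Properties whenCreated)) {
        if (-not (Test-BuiltInAccount $u)) { $rows += New-ReportRow 'Disabled' $u }
    }

    # Never logged on: lastLogonTimestamp is written on the first logon and then
    # replicated, so its absence means no logon has been recorded on any DC.
    # Accounts created inside the grace period are new, not unused, and are skipped.
    foreach ($u in (Get-ADUser -LDAPFilter '(!(lastLogonTimestamp=*))' -Properties whenCreated)) {
        if ((-not (Test-BuiltInAccount $u)) -and ($u.whenCreated -lt $minCreated)) {
            $rows += New-ReportRow 'NeverLoggedOn' $u
        }
    }
    return $rows
}

Get-StaleAccountReport | Sort-Object Category, SamAccountName | Format-Table -AutoSize
```

Pipe the result to `Export-Csv` if you want the same CSV the tool's export button produces; the Category column is what lets you sort the expired-but-still-enabled accounts to the top.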

Find Inactive Computer Accounts

To find inactive computer accounts just switch to the computer tab, select your search criteria and click search.
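The computer search with a cross-check the user search does not have, added as an example that is not the tool's code. A domain-joined Windows host rotates its machine account password every 30 days by default, so PasswordLastSet is a second, independent inactivity signal: when LastLogonDate says stale but the password was changed recently, the account is still being used or was just reset, and it should be checked before it is disabled. It assumes the ActiveDirectory module and a 90-day window. Disabling and moving the results uses the same Disable-ADAccount and Move-ADObject cmdlets as for users.

```powershell
# Added example (not the tool's own code). Assumes the ActiveDirectory module
# and a 90-day window.
Import-Module ActiveDirectory

function Get-InactiveComputer {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'LastLogonDate', 'PasswordLastSet', 'OperatingSystem', 'whenCreated'
    }
    Get-ADComputer @query | ForEach-Object {
        # Skip objects created inside the window so newly joined machines and
        # freshly pre-staged objects are not flagged.
        if ($_.whenCreated -ge $cutoff) { return }
        # Null LastLogonDate means the object was pre-staged but never joined.
        $logonStale = ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
        if (-not $logonStale) { return }
        # Machine passwords rotate every 30 days by default, so a stale
        # PasswordLastSet independently confirms the host is gone. A fresh one
        # with no recorded logon means the password was changed or reset inside
        # the window (or rotation is disabled by policy): verify before disabling.
        $pwdStale = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
        $verdict  = if ($pwdStale) { 'inactive' } else { 'logon stale, password fresh: verify' }
        [pscustomobject]@{
            Name              = $_.Name
            OperatingSystem   = $_.OperatingSystem
            LastLogonDate     = $_.LastLogonDate
            PasswordLastSet   = $_.PasswordLastSet
            Verdict           = $verdict
            DistinguishedName = $_.DistinguishedName
        }
    }
}

Get-InactiveComputer -InactiveDays 90 | Sort-Object Verdict, LastLogonDate | Format-Table -AutoSize
```

The OperatingSystem column is there for the same reason: appliances and non-Windows members joined through Samba or similar do not always rotate their password, so an empty or unfamiliar OS value on a "verify" row tells you to ask the owner rather than act.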

Find Empty Unused Groups

In your environment, you may have hundreds to thousands of AD groups. The problem is there is no easy way to know if these groups are used or not.

The AD Cleanup tool can help by finding all groups that have no members. A group with no members is a good indicator that it is not being used. This all depends on your environment, though: you may have valid groups that are empty most of the time and only have members at specific times.

To find empty groups, just switch to the Groups tab and click search.

List of groups with no members

In my test lab, I ran this tool and found three groups that have no members. I know these groups are not being used so I can get rid of them.
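The empty-group search in PowerShell with two checks a bare member count misses, added as an example that is not the tool's code (the ActiveDirectory module is assumed). First, the member attribute does not list accounts whose primaryGroupID points at the group, which is how Domain Users and Domain Computers work, so a group can look empty and still be the primary group of every account in the domain. Second, built-in groups (flagged by isCriticalSystemObject, or carrying a SID under S-1-5-32) are empty by design in many domains and must stay. A group that passes both checks can still be named in file ACLs or GPO security filtering; it grants nothing while empty, but deleting it and recreating it later yields a new SID, so those references become orphaned. The whenChanged and MemberOf columns are there to help you judge that before deleting.

```powershell
# Added example (not the tool's own code). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EmptyGroup {
    $query = @{
        Filter     = '*'
        Properties = 'Members', 'isCriticalSystemObject', 'whenChanged', 'MemberOf'
    }
    Get-ADGroup @query | Where-Object { $_.Members.Count -eq 0 } | ForEach-Object {
        $rid = [int]($_.SID.Value.Split('-')[-1])
        # The member attribute omits accounts whose primaryGroupID is this group
        # (Domain Users = 513, Domain Computers = 515), so ask for one such object.
        $primary = @(Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1)
        # Built-in groups: protected system objects, or the well-known
        # BUILTIN domain (S-1-5-32-*) such as Administrators and Users.
        $builtIn = ([bool]$_.isCriticalSystemObject) -or ($_.SID.Value -like 'S-1-5-32-*')
        [pscustomobject]@{
            Name              = $_.Name
            Scope             = $_.GroupScope
            BuiltIn           = $builtIn
            HasPrimaryMembers = ($primary.Count -gt 0)
            NestedIn          = $_.MemberOf.Count   # rights still flow from parent groups
            LastChanged       = $_.whenChanged
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Removal candidates: empty, not built-in, and nobody's primary group.
Get-EmptyGroup |
    Where-Object { (-not $_.BuiltIn) -and (-not $_.HasPrimaryMembers) } |
    Sort-Object LastChanged |
    Format-Table Name, Scope, NestedIn, LastChanged -AutoSize
```

Groups with a NestedIn count above zero deserve a second look even when empty: adding one member later silently grants everything the parent groups hold, so an empty group that is nested into a privileged group is a standing escalation path, not just clutter.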