Active Directory Cleanup Tool

Keep Active Directory secure and clean by reporting on inactive user and computer accounts.

Key Features

  • Find Inactive User Accounts
  • Find Inactive Computer Accounts
  • Bulk Move or Disable Accounts
  • Find Empty Security Groups

Features Overview

Find Inactive Accounts

Find inactive user and computer accounts that have not logged on in X number of days. The default search is 90 days, but you can change this to any value you want.

Find Expired Accounts

Administrators will often set accounts to expire. But do they come back and delete the account? Most often these accounts are forgotten and hard to find. The Active Directory cleanup tool makes it easy to find all accounts that have expired.

Bulk Move Accounts

A safe first step to cleaning up inactive accounts is to move them to another organizational unit. The Active Directory cleanup tool makes this easy. Just select the OU and all the identified inactive accounts will be moved.

Find Disabled Accounts

Just like inactive accounts, disabled accounts can build up over time, leaving Active Directory with unnecessary accounts. These accounts can show up on audits and reports and add security risk.

Find Unused Accounts

It's hard to believe that accounts get created and are never used, but it does happen. These are just more accounts that clutter up Active Directory and lead to risk. The Active Directory cleanup tool can easily find and report on all accounts that have never been used.

Empty Groups

Find all Active Directory groups that have no members. This is a task most administrators don't think to do because it's hard to do unless you have the right tools.

How Does it Work?

The Active Directory Cleanup tool is very easy to use. It uses the built-in Windows PowerShell tools, so it is lightweight, very fast and requires no install.

See examples below.

Step 1: Open Tool

Open the tool with PowerShell ISE and click the run button.


Step 2: Type Get-InactiveUser

The help file is built into the tool. See its example section for the action you want to take.

In this example, I'll display all inactive user accounts.

In the script pane, enter the command Get-InactiveUser and hit enter.


The report will display the user's name, last logon time and days inactive. You can search the results or sort on any column.


That is all there is to it. It took just two simple steps to run this tool and find all inactive user accounts.

More Examples

Find inactive users and move them to another OU.

Get-InactiveUser -Move

Change the default search from 90 to 30 days

Get-InactiveUser -Inactive 30

Find and disable inactive accounts

Get-InactiveUser -Disable

Find all accounts that have never been used (no logon history)

Get-InactiveUser -NoLogon

Find all disabled accounts

Get-InactiveUser -DisabledAccounts

Export inactive accounts to CSV

Get-InactiveUser | export-csv c:\reports\inactiveusers.csv
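The inactivity logic described above can be sketched with the replicated lastLogonTimestamp attribute; this is an added example, not the tool's own code, and Get-StaleAccount and its parameters are hypothetical names. It widens the window by 14 days because, with default domain settings, lastLogonTimestamp can trail the real last logon by up to about that long, and it reports never-used accounts separately.

```powershell
# Added example. Get-StaleAccount is a hypothetical name, not one of the tool's cmdlets.
function Get-StaleAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Account,
        [int] $InactiveDays = 90,         # same default window the page uses
        [int] $ReplicationSlackDays = 14, # lastLogonTimestamp may lag the real logon by up to ~14 days
        [int] $NewAccountGraceDays = 14,  # assumption: skip never-used accounts created this recently
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        $raw = [int64]$Account.lastLogonTimestamp   # an unset attribute ($null) becomes 0
        if ($raw -gt 0) {
            $last = [datetime]::FromFileTimeUtc($raw)
            $idle = [int][math]::Floor(($Now - $last).TotalDays)
            # Report only accounts that are stale even after allowing for replication lag.
            if ($idle -lt ($InactiveDays + $ReplicationSlackDays)) { return }
            $state = 'Inactive'
        } else {
            $age = ($Now - ([datetime]$Account.whenCreated).ToUniversalTime()).TotalDays
            if ($age -lt $NewAccountGraceDays) { return }
            $last = $null; $idle = $null; $state = 'NeverLoggedOn'
        }
        [pscustomobject]@{
            Name = $Account.Name; Enabled = $Account.Enabled; State = $state
            LastLogonUtc = $last; DaysInactive = $idle
        }
    }
}

# Constructed sample objects so the block runs without a domain. Against a live domain, pipe in:
#   Get-ADUser -Filter * -Properties lastLogonTimestamp, whenCreated
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'alice'; Enabled = $true;  whenCreated = $now.AddDays(-400); lastLogonTimestamp = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'bob';   Enabled = $true;  whenCreated = $now.AddDays(-400); lastLogonTimestamp = $now.AddDays(-95).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'carol'; Enabled = $true;  whenCreated = $now.AddDays(-400); lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'dave';  Enabled = $false; whenCreated = $now.AddDays(-300); lastLogonTimestamp = $null }
    [pscustomobject]@{ Name = 'erin';  Enabled = $true;  whenCreated = $now.AddDays(-2);   lastLogonTimestamp = $null }
)
$sample | Get-StaleAccount -Now $now | Format-Table -AutoSize
```

Here bob is not reported even though his timestamp is 95 days old, because the real logon could be inside the 90-day window; erin is skipped as a newly created account that has simply not been used yet.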

Find Inactive Computer Accounts

Follow these steps to find all inactive computer accounts.

Step 1: Open Tool

Open the tool with PowerShell ISE and click the run button.

Now type the following command and hit enter:

Get-InactiveComputer

The tool will search and display all inactive computer accounts.


More Examples

Change inactive time from the default 90 days to 30

Get-InactiveComputer -Inactive 30

Find inactive computers and disable them

Get-InactiveComputer -Disable

Find inactive computers and move them to another OU.

Get-InactiveComputer -Move

Find computer accounts with no logon information

Get-InactiveComputer -NoLogon

Find all disabled computer accounts

Get-InactiveComputer -DisabledAccounts

Find inactive computers and export to CSV

Get-InactiveComputer | Export-CSV -path c:\it\inactive-computers.csv

Find Inactive Security Groups

To find Active Directory groups that have no members use this command.

This function excludes most of the built in Active Directory security groups as you do not want to delete them.

Get-InactiveGroup

In the screenshot above you can see the tool found four security groups that had no members. It also displays the path so you know the location in Active Directory.

Active Directory Pro Toolkit

Huge savings if you buy the pro toolkit. Normally a single tool is $49 each, but you can get all 9 tools for only $99.