Active Directory
Cleanup Tool
Leaving stale, expired, and inactive accounts in Active Directory is a security risk. This tool quickly finds old accounts and allows you to bulk disable, delete, and more.
Key Features
Find Inactive Users and Computers
Attackers can use inactive accounts to try and hack into an organization. It is important to find these inactive accounts and disable them on a routine maintenance schedule. This tool can quickly find inactive accounts and lets you take action on them.
Bulk Move Accounts
A safe first step to cleaning up inactive accounts is to move them into another organizational unit. The Active Directory cleanup tool makes this easy. Just select the OU and all the selected accounts will be moved.
Easy To Use, No Scripting Required
This easy-to-use GUI tool required no coding or scripts. This saves you lots of time by not having to update or change complicated scripts.
Improve AD Security
The AD Cleanup Tool will help reduce security risks by finding stale AD objects that hackers or bad actors can use to gain unauthorized access to your networks.
Find Never Loggon On Users
You might be surprised at how many user accounts have never been used. This tool will easily display all accounts that have no logon activity. Carefully review these accounts and take action on them such as bulk moving to another OU or bulk disabling.
Get All Disabled Accounts
Disabled accounts can build up over time leaving Active Directory with unnecessary accounts. This can show up on audits, reports and add security risks. This also leads to data integrity issues with inventory and licensing.
Empty Groups
Find all Active Directory groups that have no members. This is a task most administrators don’t think to do because it’s hard to do unless you have the right tools.

“Our Active Directory was a huge mess. We used the AD Cleanup tool to find unused computer accounts and disabled them. We started with over 900 computers and found 300+ inactive accounts.”
Brian Stillwell – Sr. System Administrator
How to Cleanup Active Directory
The AD Cleanup tool makes it easy to cleanup Active Directory with its built in
Filters to display inactive users, computers, and empty groups. It just takes a few simple steps…
1. Get All Stale/Inactive User Accounts
To find stale user and computer accounts enter the timeframe in the search options and click run. In this example, I’m searching for accounts that have not been used within 15 days.
By default, the AD Cleanup tool will search for both users and computers. Use the filter options to limit the results to users only or computers only.

2. Find All Disabled Users
To find all disabled users select “Show Users” and then “Disabled Users” from the filter dropdown and then click “run”.
If you want to include disabled computers click on “Show Computers” and “Disabled Computers”

3. Get All Expired User Accounts
Expired accounts are accounts that have been set to expire on a specific date. You should review and determine if these are still valid accounts.
To display all expired accounts select “Show Users” and “Expired Users” from the filter menu and click run.

4. Display All Users Last Logon Time
The lastlogonTimestamp can help you determine if an account has been used recently. This attribute is updated when an account authenticates to the domain. To see all users last logon time uncheck the “no logons within” and click run. If an account has no timestamp it will display “Never Logged On”

5. Bulk Disable or Move to OU
When you have identified the accounts you want to cleanup it is recommended to first disable the accounts. To disable the accounts select them from the results grid and click the disable button. I recommend creating an OU called inactive users and moving the accounts there.

Try The AD Cleanup Tool For FREE
Join 100,000+ global IT professionals and enjoy efficient, optimized, and intuitive Active Directory management that saves time and makes your job easier.
