AD Cleanup Tool
Identify and Clean Up Inactive Users and Computers in Active Directory
Easily scan your Active Directory environment for inactive user and computer accounts.
You can choose to disable, move, delete and export the objects from Active Directory.
Key Features
Enhance Security and Ensure Compliance Requirements
Removing unused accounts reduces the risk of unauthorized access and minimizes the attack surface for potential threats.
Cleaning up AD also helps to ensure compliance with standards like GDPR, HIPAA, and others.
Inactive Users and Computers
Easily find stale user and computer objects in your Active Directory environment.
Inactive Users after x days
Find users that have not logged in for x days.
Cleanup Inactive Accounts
Disable, delete, move to another OU, and export account details to a CSV file.
Automate Cleanup Process
Use the built-in scheduler to automatically report on and clean up AD objects.
Cleanup Group Policy
Easily find empty and unused GPO objects, and see where GPOs are being used.
Find Empty Groups
Scan and find empty Active Directory groups (groups with no members).
Unused Accounts
Find accounts that have not been used (accounts with no user logon timestamp).
Expire User Accounts
Get a list of user accounts that are expired and no longer active.
How It Works
Step 1. Find Inactive users and computers
Click on “Security Tools” and then “AD Cleanup”.
Select “Inactive Users”, select the inactive time (default is last 90 days), and click the “Run” button. This first step will only report inactive users.
Note: Select “Inactive Computers” to include computer accounts in the report.
Step 2. Disable accounts
Select the accounts you want to clean up and click “Disable”.
Tip: You can also export the list of accounts to CSV or Excel by clicking the “Export” button.
Step 3. Move Accounts
It is recommended to move the accounts to an OU and leave them disabled for 90 days. I’ve created an OU called “Inactive” and I’ll move the disabled accounts into this OU.
Select the accounts and click the “Move” button. Then select the OU you want to move the accounts to.
Step 4. Delete the accounts
Tip: Before deleting accounts, make sure you have the AD Recycle Bin enabled. This will make it easy to recover accounts if needed.
After the accounts have been disabled for 90 days with no issues, it is probably safe to delete them.
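The staged cleanup in Steps 1 to 4, written against the ActiveDirectory PowerShell module as an added example (it is not the AD Pro Toolkit's own code). The OU distinguished name and the description marker are assumed placeholders, and every change runs with -WhatIf until that switch is removed.

```powershell
# Added example; not the AD Pro Toolkit's code. Needs the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$InactiveDays = 90   # Step 1 default from the page
$HoldDays     = 90   # holding period from Steps 3 and 4
$InactiveOU   = 'OU=Inactive,DC=example,DC=com'   # assumption: placeholder DN
$Marker       = 'Disabled by cleanup '            # assumption: description prefix
$Cutoff       = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

# Step 1: report only. lastLogonTimestamp is a FILETIME that replicates lazily
# (by default it can lag the real logon by up to about 14 days), so the cutoff is approximate.
# Accounts with no value (never logged on) are skipped; the page reports those separately.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp |
    Where-Object { $_.lastLogonTimestamp -and
        [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) -lt $Cutoff }

$stale | Select-Object SamAccountName, DistinguishedName,
    @{ n = 'LastLogonUtc'; e = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } |
    Export-Csv -Path .\inactive-users.csv -NoTypeInformation

# Steps 2-3: disable, record the date (overwrites Description), then move.
# -WhatIf previews each change; remove it to apply.
$today = Get-Date -Format 'yyyy-MM-dd'
foreach ($u in $stale) {
    Disable-ADAccount -Identity $u.ObjectGUID -WhatIf
    Set-ADUser -Identity $u.ObjectGUID -Description "$Marker$today" -WhatIf
    Move-ADObject -Identity $u.ObjectGUID -TargetPath $InactiveOU -WhatIf
}

# Step 4: refuse to delete unless the AD Recycle Bin is enabled.
$bin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $bin.EnabledScopes) { throw 'AD Recycle Bin is not enabled.' }

# Delete only accounts that are still disabled, still in the holding OU,
# and whose recorded disable date is at least $HoldDays old.
$pattern = [regex]::Escape($Marker) + '(\d{4}-\d{2}-\d{2})'
Get-ADUser -SearchBase $InactiveOU -Filter 'Enabled -eq $false' -Properties Description |
    Where-Object { $_.Description -match $pattern -and
        [DateTime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -le (Get-Date).AddDays(-$HoldDays) } |
    Remove-ADUser -WhatIf
```

Service accounts and accounts that authenticate only against non-Windows systems may show an old lastLogonTimestamp while still in use, so review the exported CSV before removing -WhatIf.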
With the AD Cleanup Tool, you can automate the cleanup of inactive users and computers.
- Automatically disable stale accounts
- Automate moving and setting a description
- Send email reports on stale accounts
- Delete accounts that have been disabled for x days
Click on “Scheduler” and click the “Add” button to create an automated task.
Additional Features
The Toolkit includes the following additional cleanup features.
Find Disabled Users
To find all disabled users, click the “disabled users” box and click run.
Users with No Logons
Users with no logons are accounts that have no date in the lastLogonTimestamp attribute.
Click on “users with no logons” and click run.
Expired Users
Expired accounts are accounts that have a date set under the account expires settings.
To find all expired users, click the “expired users” box and click run.
Find Inactive Computers
To find inactive computers, click the “Inactive Computers” box, select the time range, and click run.
Find Empty Groups
Empty groups are groups that have no members.
To find all empty groups, click the “empty groups” box and click run.
Cleanup Group Policy Objects
Just like user and computer accounts, there can be stale or unused GPOs in your environment. These unused or disabled GPOs can make a mess of your AD and cause confusion for other administrators. The AD Pro Toolkit provides GPO reports and makes it easy to find unused GPOs.
To find unused GPOs, click on Group Policy Report -> All GPOs.
Any GPO that is not used will have a blank location. This means the GPO is not linked to the domain or an OU, so it is currently not in use.
Cleanup Organizational Units (OUs)
To find all OUs that have no objects (meaning the OUs are empty), click on “OU Reports” and run the “All OUs and object count” report.
Customer Feedback
“We purchased Active Directory Pro so that our Helpdesk could quickly unlock user accounts, it is a top support call. It has also been a lifesaver in troubleshooting repeat lockouts and finding where users were getting locked out from.”
Diane Drye – IT Support Manager
“Our Active Directory was a huge mess. We used the AD Pro Toolkit to find unused computer accounts and disable them. We started with over 900 computers and found 300+ inactive accounts.”
Brian Stillwell – Sr. System Administrator
“I really like having a GUI method of interacting with Active Directory beyond the limited tools in Windows. We used to use scripts for most of our bulk updates and new user creation, AD Pro tools put everything in one place for convenient use anytime.”
Thad Taube – IT Systems Admin