Active Directory Cleanup Guide

With the AD Pro Toolkit, you can perform an Active Directory cleanup to find stale users, computers, expired accounts, users with no logons, empty groups and unused group policy objects. The toolkit makes it easy to find and clean up inactive accounts in Active Directory without using complicated scripts. You can set a description on, delete, disable, move or export inactive objects in Active Directory. In addition, you can use the built-in scheduler to automate the cleanup process.

Note: The AD Pro Toolkit uses the lastLogonTimestamp attribute on both user and computer objects to identify inactive accounts.
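
lastLogonTimestamp is replicated lazily: a domain controller only rewrites it when the stored value is older than ms-DS-Logon-Time-Sync-Interval (default 14 days, less a random offset of up to 5 days), so it can trail the real last logon by up to 14 days. The PowerShell below is an added example, not AD Pro Toolkit code; it classifies accounts against the guide's 90-day default and treats that lag as a "Borderline" band. The function names, the 30-day grace period for new accounts and the sample records are assumptions constructed for illustration.

```powershell
# Added example, not AD Pro Toolkit code: classify accounts by lastLogonTimestamp.
# Assumes the default 14-day ms-DS-Logon-Time-Sync-Interval, so the replicated
# value can trail the real last logon by up to 14 days.
function Get-LogonState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $InactiveDays = 90,   # the guide's default window
        [int] $SyncLagDays = 14,    # assumed sync interval
        [int] $GraceDays = 30,      # hypothetical grace period for new accounts
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        $raw = [int64] $Account.lastLogonTimestamp   # missing attribute becomes 0
        $last = $null; $age = $null
        if ($raw -le 0) {
            # Never logged on: separate freshly provisioned accounts from old ones.
            $createdAge = ($Now - $Account.whenCreated).TotalDays
            if ($createdAge -le $GraceDays) { $state = 'NewNoLogon' } else { $state = 'NoLogon' }
        } else {
            $last = [datetime]::FromFileTimeUtc($raw)
            $age = [math]::Floor(($Now - $last).TotalDays)
            if ($age -gt ($InactiveDays + $SyncLagDays)) { $state = 'Inactive' }
            elseif ($age -gt $InactiveDays) { $state = 'Borderline' }  # inside the lag band
            else { $state = 'Active' }
        }
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            Enabled        = $Account.Enabled
            LastLogonUtc   = $last
            AgeDays        = $age
            State          = $state
        }
    }
}

# Constructed sample records standing in for Get-ADUser output.
$now = (Get-Date).ToUniversalTime()
function New-Sample($name, $createdDays, $logonDays) {
    $ts = if ($null -ne $logonDays) { $now.AddDays(-$logonDays).ToFileTimeUtc() } else { $null }
    [pscustomobject]@{ SamAccountName = $name; Enabled = $true
                       whenCreated = $now.AddDays(-$createdDays); lastLogonTimestamp = $ts }
}
$sample = @(
    (New-Sample 'svc-old' 900 200), (New-Sample 'jdoe' 700 95), (New-Sample 'asmith' 300 3),
    (New-Sample 'temp01' 400 $null), (New-Sample 'newhire' 5 $null)
)
$sample | Get-LogonState -Now $now | Format-Table -AutoSize
# Live domain (needs the ActiveDirectory module):
# Get-ADUser -Filter * -Properties lastLogonTimestamp, whenCreated | Get-LogonState
```

Accounts in the Borderline band may have logged on inside the 90-day window, so review them before choosing the Disable or Delete action.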

Active Directory Cleanup Steps

Step 1: Open the AD Pro Toolkit

Click “Security Tools” and then “AD Cleanup”.

Step 2: Choose search options

  • Inactive users: Finds inactive users by lastLogonTimestamp; the default is the last 90 days.
  • Inactive computers: Finds inactive computers by lastLogonTimestamp; the default is the last 90 days.
  • Disabled Users: Lists all user accounts that are disabled.
  • Disabled computers: Lists all computer accounts that are disabled.
  • Users with no logons: Lists all users where the lastLogonTimestamp has never been updated.
  • Computers with no logons: Lists all computers where the lastLogonTimestamp has never been updated.
  • Expired Users: Lists all expired user accounts.
  • Empty groups: Lists all groups that have no members.

Step 3: Choose Path and Time

By default, the toolkit will search the entire domain. Click browse if you want to search a specific OU or group.

If you want to change the time frame, click the Time button and choose a different time.

Step 4: Click “Run” to generate the report

When you click “Run”, the toolkit searches Active Directory for inactive accounts and lists them in the grid.

Step 5: Select Cleanup Actions

Select the accounts you want to clean up and then choose an action.

  • Update Description: Sets the description field on the object in AD.
  • Delete: Deletes the selected objects.
  • Disable: Disables the selected objects. You can also set the description when disabling the accounts.
  • Enable: Enables the selected objects.
  • Move: Moves the selected objects to another OU.
  • Export: Exports the generated report to a CSV, Excel or PDF file.

Automate Active Directory Cleanup

To automate the AD cleanup process, refer to the documents below.