How to Clean Up Active Directory: Best Practices and Tips

Cleaning up the Active Directory

Active Directory (AD) is one of those products that tend to get bloated. The more data you have on hand, the harder it is to do anything, from managing AD users to setting up AD backups. It’s a product where lots of people are making changes every day and ultimately ends up being this enormous pile of stuff that somehow still works. Even the most well-intentioned IT department always seems to end up with an Active Directory environment that’s got lots of user accounts no longer needed, GPOs attached to OUs people didn’t even know existed, and computer accounts that represented computers long gone. This state seems to creep up on people. One day, someone sits down in front of Active Directory Users and Computers (ADUC) and has that moment where they go, “Wow! This needs to be cleaned up.”

You’ve come to the right place. This article discusses how to clean up Active Directory using the best practices and other tips.

Signs you need to clean your Active Directory

Once you realize that your AD needs to be cleaned, it’s probably going to be a daunting and overwhelming task. You may start a project to “clean up stuff,” but you’ll soon find that right-clicking and deleting isn’t going to cut it.

There are lots of ways to make this project a success, with the first task being to define what exactly “clean up” means. For this article, we’ll approach “cleaning” AD as improving these 5 essential aspects.

  • Performance. Bloated AD can lead to unnecessary replication traffic. One of the most obvious signs of a poorly functioning AD is time: Is AD taking longer than usual to authenticate users, search for AD objects or download Group Policy objects?
  • Security.  Threat actors are always trying to exploit organizations. One way they try to do this is by attempting to gain access to networks by taking over Active Directory user accounts.
  • Compliance. Regular Active Directory cleanup helps you comply with regulatory mandates, from GDPR to PCI-DSS.
  • IT Operations. A cluttered Active Directory will make it much more difficult for IT administrators to manage. This can lead to inefficiency across the board as your IT team needs to spend more time using AD rather than other strategic projects.
  • Business Agility. Active Directory is fundamental to many tasks, and an AD cleanup can help you stay agile and maintain your competitive edge.

A poorly maintained Active Directory

  • Has plenty of dirty data (from stale to duplicated user accounts).
  • Has empty or duplicate distribution groups.
  • Gives poor insight into security group access permissions.
  • Displays a lack of established processes for provisioning and de-provisioning.
  • Cannot determine ownership of objects and groups.
  • Shows inaccurate or incomplete object attributes.

3 attributes of unused user accounts

Let’s now focus on unused user accounts. More specifically, let’s discuss the three attributes that might make a user account “deletable.” Those attributes are: a) disabled accounts, b) accounts that haven’t been used in X days, and c) accounts with expired passwords.

One of the easiest ways to find these potentially unused accounts is to use PowerShell. The ActiveDirectory PowerShell is a module that includes an extremely useful cmdlet called Search-AdAccount that makes building queries and returning exactly what we need easily. Before this cmdlet can be used, however, you must download the Remote Server Administration Tools (RSAT) package from Microsoft. Once RSAT is installed, you should have the ActiveDirectory module, and you’re ready to go! Also, for any of the below code to work, I’m assuming you’re on a Windows PC that’s domain-joined to the same domain as the users you’d like to find.

With that being said, let’s get to it!

Find disabled accounts in Active Directory

The first task is finding disabled accounts. To find disabled accounts, we’ll use the Search-ADAccount cmdlet. This cmdlet has a single parameter called Disabled which makes this task a cinch. Simply run Search-AdAccount -AccountDisabled and voila, all of your disabled accounts are shown. Notice below that I used the UsersOnly parameter because this cmdlet can also find disabled computer accounts as well.

C:> Search-ADAccount -UsersOnly -AccountDisabled -Server dc

AccountExpirationDate :
DistinguishedName : CN=Guest,CN=Users,DC=mylab,DC=local
Enabled : False
LastLogonDate :
LockedOut : False
Name : Guest
ObjectClass : user
ObjectGUID : 89cfaf2b-c6d8-4ae0-a720-e2da7d201717
PasswordExpired : False
PasswordNeverExpires : True
SamAccountName : Guest
SID : S-1-5-21-4117810001-3432493942-696130396-501
UserPrincipalName :
............

Find inactive user accounts in active directory

Another usual suspect to clean up is inactive user accounts which are a little harder to track down. “Inactive” is a subjective term so for our purposes we’re going to define “inactive” as any user as having a value of LastLogonTimeStamp older than 30 days. You’ll find lots of articles on the Internet about finding inactive users but some people don’t realize that it’s much easier than building complicated AD LDAP filters. The support is native in Search-AdAccount.

We can use  Search-AdAccount -AccountInactive -UsersOnly -Timespan 30.00:00:00 to immediately find all AD user accounts that haven’t been used in 30 days.

There is one caveat though. Microsoft only updates the LastLogonTimestamp attribute, which is the same as LastLogonDate, once every 14 days to prevent replication storms. Because of this characteristic of AD, using this method (or even Get-AdUser or Get-AdComputer with the advanced filter) won’t be 100% accurate if you’re attempting to get accounts with inactivity older than 14 days. So be forewarned.

Finally, we need to find all AD users that have an expired password that are no longer needed. This one is tricky because “active” user accounts could have an expired password if it just recently expired. I not only need to find expired passwords but also how long ago they expired. If they expired, say, 30 days or longer ago I can assume that these user accounts are, in fact, inactive.

To find how long ago a password expired, I first have to find the maximum password age for the domain’s password policy. I can do this with the Get-AdDefaultDomainPasswordPolicy cmdlet.

$MaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

Next, I can find all user accounts that have an expired password then filter those users’ accounts by seeing the last time their password was last set and ensuring that was before the maximum time the password could be plus 30 (how old I’m defining the account to be).

The code will look something like this:

Search-AdAccount -PasswordExpired -UsersOnly | Where-Object {((Get-Date) - (Get-AdUser -Filter "samAccountName -eq $_.SamAccountName").PasswordLastSet) -lt ($MaxPasswordAge + 30)}

The next time you’re searching AD for inactive records, be sure to look at Search-AdAccount to see if it already does what you’re trying to do. It might just save you a ton of time!

Benefits of an AD cleanup

Active Directory is Windows’ proprietary directory service, estimated to be used by 90% of organizations worldwide, according to TechRadar.

Its popularity is well-deserved: AD is fundamental to our daily working lives, allowing companies to define who can do what in their network while managing various resources, endpoint devices, and systems.

By cleaning up your AD, you ensure that your company maintains operational efficiency, boosts data integrity, and practices better data governance. This is an essential process all MSPs, MSSPs, and IT enterprises must include in their maintenance strategies to continue delivering high-quality services to their end-users.

Best practices for Active Directory cleanup

Aside from what I mentioned earlier (what with finding disabled and inactive accounts in Active Directory and all), it would be prudent to discuss other best practices for Active Directory cleanup so your IT network remains efficient, secure, and compliant.

Clean obsolete group policies

Unnecessary group policy objects (GPOs) can slow down your AD. It’s wise to regularly review and disconnect these GPOs through PowerShell or the Group Policy Management Console.

Optimize user logon scripts

Bad logon scripts can significantly impact performance. To see the full impact of these scripts, try using PowerShell, particularly the Get-GPResultantSetOfPolicy. If you feel it’s necessary, you can also force a group policy update remotely.

Audit security groups

As with anything you manage, it’s a good idea to regularly check your security groups using PowerShell commands such as Get-ADGroupMember. For a full script on modifying user membership, check out this NinjaOne script. Remember: empty, inactive, or single-user groups most likely serve no purpose to your organization.

Manage Active Directory replication

Ensure that you fine-tune replication intervals and optimize topologies to boost AD performance. I’ll emphasize again that “cleaning up Active Directory” is so much more than just deleting accounts and hoping for the best. Rather, it’s a multi-step process that also requires IT administrators to reorganize user accounts and Active Directory groups. I recommend using this NinjaOne script to view your Active Directory Replication health report.

Manage Active Directory users with NinjaOne

NinjaOne provides an Active Directory Management tool built directly into its trusted endpoint management platform. With NinjaOne, you can easily disable accounts, unlock users, reset passwords, and so much more— all from a single pane of glass!

If you’re ready, request a free quote or watch a demo.

Adam Bertram is a Microsoft Windows Cloud and Datacenter Management MVP and has authored various training courses, is a regular contributor to numerous print and online publications and presents at various user groups and conferences. You can find Adam at adamtheautomator.com.

Adam Bertram photo

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service deliver tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about Ninja Endpoint Management, check out a live tour, or start your free trial of the NinjaOne platform.

You might also like

Ready to simplify the hardest parts of IT?
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).