Active Directory (AD) is one of those products that tend to get bloated. The more data you have on hand, the harder it is to do anything, from managing AD users to setting up AD backups. It’s a product where lots of people are making changes every day and ultimately ends up being this enormous pile of stuff that somehow still works. Even the most well-intentioned IT department always seems to end up with an Active Directory environment that’s got lots of user accounts no longer needed, GPOs attached to OUs people didn’t even know existed, and computer accounts that represented computers long gone. This state seems to creep up on people. One day, someone sits down in front of Active Directory Users and Computers (ADUC) and has that moment where they go, “Wow! This needs to be cleaned up.”
You’ve come to the right place. This article discusses how to clean up Active Directory using the best practices and other tips.
Signs you need to clean your Active Directory
Once you realize that your AD needs to be cleaned, it’s probably going to be a daunting and overwhelming task. You may start a project to “clean up stuff,” but you’ll soon find that right-clicking and deleting isn’t going to cut it.
There are lots of ways to make this project a success, with the first task being to define what exactly “clean up” means. For this article, we’ll approach “cleaning” AD as improving these 5 essential aspects.
- Performance. Bloated AD can lead to unnecessary replication traffic. One of the most obvious signs of a poorly functioning AD is time: Is AD taking longer than usual to authenticate users, search for AD objects or download Group Policy objects?
- Security. Threat actors are always trying to exploit organizations. One way they try to do this is by attempting to gain access to networks by taking over Active Directory user accounts.
- Compliance. Regular Active Directory cleanup helps you comply with regulatory mandates, from GDPR to PCI-DSS.
- IT Operations. A cluttered Active Directory will make it much more difficult for IT administrators to manage. This can lead to inefficiency across the board as your IT team needs to spend more time using AD rather than other strategic projects.
- Business Agility. Active Directory is fundamental to many tasks, and an AD cleanup can help you stay agile and maintain your competitive edge.
A poorly maintained Active Directory
- Has plenty of dirty data (from stale to duplicated user accounts).
- Has empty or duplicate distribution groups.
- Gives poor insight into security group access permissions.
- Displays a lack of established processes for provisioning and de-provisioning.
- Cannot determine ownership of objects and groups.
- Shows inaccurate or incomplete object attributes.
3 attributes of unused user accounts
Let’s now focus on unused user accounts. More specifically, let’s discuss the three attributes that might make a user account “deletable.” Those attributes are: a) disabled accounts, b) accounts that haven’t been used in X days, and c) accounts with expired passwords.
One of the easiest ways to find these potentially unused accounts is to use PowerShell. The ActiveDirectory PowerShell is a module that includes an extremely useful cmdlet called Search-AdAccount that makes building queries and returning exactly what we need easily. Before this cmdlet can be used, however, you must download the Remote Server Administration Tools (RSAT) package from Microsoft. Once RSAT is installed, you should have the ActiveDirectory module, and you’re ready to go! Also, for any of the below code to work, I’m assuming you’re on a Windows PC that’s domain-joined to the same domain as the users you’d like to find.
With that being said, let’s get to it!
Find disabled accounts in Active Directory
The first task is finding disabled accounts. To find disabled accounts, we’ll use the Search-ADAccount cmdlet. This cmdlet has a single parameter called Disabled which makes this task a cinch. Simply run Search-AdAccount -AccountDisabled and voila, all of your disabled accounts are shown. Notice below that I used the UsersOnly parameter because this cmdlet can also find disabled computer accounts as well.
C:> Search-ADAccount -UsersOnly -AccountDisabled -Server dc AccountExpirationDate : DistinguishedName : CN=Guest,CN=Users,DC=mylab,DC=local Enabled : False LastLogonDate : LockedOut : False Name : Guest ObjectClass : user ObjectGUID : 89cfaf2b-c6d8-4ae0-a720-e2da7d201717 PasswordExpired : False PasswordNeverExpires : True SamAccountName : Guest SID : S-1-5-21-4117810001-3432493942-696130396-501 UserPrincipalName : ............
Find inactive user accounts in active directory
Another usual suspect to clean up is inactive user accounts which are a little harder to track down. “Inactive” is a subjective term so for our purposes we’re going to define “inactive” as any user as having a value of LastLogonTimeStamp older than 30 days. You’ll find lots of articles on the Internet about finding inactive users but some people don’t realize that it’s much easier than building complicated AD LDAP filters. The support is native in Search-AdAccount.
We can use Search-AdAccount -AccountInactive -UsersOnly -Timespan 30.00:00:00
to immediately find all AD user accounts that haven’t been used in 30 days.
There is one caveat though. Microsoft only updates the LastLogonTimestamp attribute, which is the same as LastLogonDate, once every 14 days to prevent replication storms. Because of this characteristic of AD, using this method (or even Get-AdUser or Get-AdComputer with the advanced filter) won’t be 100% accurate if you’re attempting to get accounts with inactivity older than 14 days. So be forewarned.
Finally, we need to find all AD users that have an expired password that are no longer needed. This one is tricky because “active” user accounts could have an expired password if it just recently expired. I not only need to find expired passwords but also how long ago they expired. If they expired, say, 30 days or longer ago I can assume that these user accounts are, in fact, inactive.
To find how long ago a password expired, I first have to find the maximum password age for the domain’s password policy. I can do this with the Get-AdDefaultDomainPasswordPolicy cmdlet.
$MaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
Next, I can find all user accounts that have an expired password then filter those users’ accounts by seeing the last time their password was last set and ensuring that was before the maximum time the password could be plus 30 (how old I’m defining the account to be).
The code will look something like this:
Search-AdAccount -PasswordExpired -UsersOnly | Where-Object {((Get-Date) - (Get-AdUser -Filter "samAccountName -eq $_.SamAccountName").PasswordLastSet) -lt ($MaxPasswordAge + 30)}
The next time you’re searching AD for inactive records, be sure to look at Search-AdAccount to see if it already does what you’re trying to do. It might just save you a ton of time!
Benefits of an AD cleanup
Active Directory is Windows’ proprietary directory service, estimated to be used by 90% of organizations worldwide, according to TechRadar.
Its popularity is well-deserved: AD is fundamental to our daily working lives, allowing companies to define who can do what in their network while managing various resources, endpoint devices, and systems.
By cleaning up your AD, you ensure that your company maintains operational efficiency, boosts data integrity, and practices better data governance. This is an essential process all MSPs, MSSPs, and IT enterprises must include in their maintenance strategies to continue delivering high-quality services to their end-users.
Best practices for Active Directory cleanup
Aside from what I mentioned earlier (what with finding disabled and inactive accounts in Active Directory and all), it would be prudent to discuss other best practices for Active Directory cleanup so your IT network remains efficient, secure, and compliant.
Clean obsolete group policies
Unnecessary group policy objects (GPOs) can slow down your AD. It’s wise to regularly review and disconnect these GPOs through PowerShell or the Group Policy Management Console.
Optimize user logon scripts
Bad logon scripts can significantly impact performance. To see the full impact of these scripts, try using PowerShell, particularly the Get-GPResultantSetOfPolicy. If you feel it’s necessary, you can also force a group policy update remotely.
Audit security groups
As with anything you manage, it’s a good idea to regularly check your security groups using PowerShell commands such as Get-ADGroupMember. For a full script on modifying user membership, check out this NinjaOne script. Remember: empty, inactive, or single-user groups most likely serve no purpose to your organization.
Manage Active Directory replication
Ensure that you fine-tune replication intervals and optimize topologies to boost AD performance. I’ll emphasize again that “cleaning up Active Directory” is so much more than just deleting accounts and hoping for the best. Rather, it’s a multi-step process that also requires IT administrators to reorganize user accounts and Active Directory groups. I recommend using this NinjaOne script to view your Active Directory Replication health report.
Manage Active Directory users with NinjaOne
NinjaOne provides an Active Directory Management tool built directly into its trusted endpoint management platform. With NinjaOne, you can easily disable accounts, unlock users, reset passwords, and so much more— all from a single pane of glass!
If you’re ready, request a free quote or watch a demo.
Adam Bertram is a Microsoft Windows Cloud and Datacenter Management MVP and has authored various training courses, is a regular contributor to numerous print and online publications and presents at various user groups and conferences. You can find Adam at adamtheautomator.com.