Active Directory Clean-up

As a best practice, we have always been told to keep Active Directory as clean as possible. There are many reasons to follow this simple rule. Stale user accounts belonging to employees who have left the company pose a security risk to your network: they give an intruder a credential to steal and a way to log in and access the network. Additionally, obsolete Active Directory objects clutter the Active Directory database and consequently make replication slower and more bandwidth-hungry. Moreover, with the appearance of cloud-based directory services, the Microsoft version of which is called Azure Active Directory, whose price is directly affected by the number of AD objects, it is of paramount importance for large organizations to keep their Active Directory freshened up, using an AD clean-up tool.

What are Active Directory stale objects, and how should they be removed? Any Active Directory object (user, computer, group, and so on) that is not directly used by an employee or service, whether temporarily or permanently, should be carefully examined and considered for removal or disabling. Borna AD manager helps you find all unnecessary and stale AD objects and take appropriate action. Furthermore, you can define automations that perform Active Directory clean-up periodically without any manual action.

A typical AD clean-up tool usually contains the following reports and features:

Disabled users report

The disabled users report lets you find all disabled users in your domain and remove, enable or move them in bulk. You can also export the report results to an Excel file.

Account expired users

Even if you set an expiration time for a user object when it is created, which is a recommended security practice, you might forget to delete the object once it has expired. Needless to say, the IT department is often not informed about employees who leave the company. As a result, expired user accounts usually remain in Active Directory, clogging the AD database. The account expired users report in Borna AD manager lists all expired users. You can easily manage these users, including removing, modifying or enabling them.

Recently inactive users

As mentioned earlier, the HR department often fails to inform the IT department about users who have left the company. An effective AD clean-up tool should list the users who have not logged in for a certain amount of time. Using the recently inactive users report, you specify a period during which users did not log in. It is recommended to generate this report periodically and remove these inactive users to keep Active Directory fresh.

Users never logged on

In some cases, user accounts are created and then remain untouched and unused indefinitely. This not only poses a threat to your network but also clutters the Active Directory database. An AD clean-up tool like Borna AD manager lists all unused user accounts and lets you manage them.
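The four user reports above (disabled, account expired, recently inactive, never logged on) all derive from a handful of user attributes, so they can be produced in a single pass. The following PowerShell script is an added example and is not code from Borna AD manager; it assumes the RSAT ActiveDirectory module is installed, that the caller has read access to the domain, and that 90 days is the inactivity threshold (a constructed value; substitute your own policy).

```powershell
# Added example (not Borna AD manager code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleUserReport {
    param(
        [int]$InactiveDays = 90,   # constructed threshold; set it from your own policy
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $now    = Get-Date
    $cutoff = $now.AddDays(-$InactiveDays)

    # One LDAP query, then classify locally. LastLogonDate and AccountExpirationDate are the
    # module's DateTime conversions of lastLogonTimestamp and accountExpires.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
                -Properties Enabled, AccountExpirationDate, LastLogonDate, whenCreated

    foreach ($u in $users) {
        $reason = $null
        if (-not $u.Enabled) {
            $reason = 'Disabled'
        }
        elseif ($u.AccountExpirationDate -and ($u.AccountExpirationDate -lt $now)) {
            $reason = 'Expired'
        }
        elseif (-not $u.LastLogonDate) {
            # Never logged on. Skip accounts younger than the threshold: they may simply be new.
            if ($u.whenCreated -lt $cutoff) { $reason = 'NeverLoggedOn' }
        }
        elseif ($u.LastLogonDate -lt $cutoff) {
            $reason = 'Inactive'
        }

        if ($reason) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                Reason            = $reason
                LastLogonDate     = $u.LastLogonDate
                Expires           = $u.AccountExpirationDate
                Created           = $u.whenCreated
                DistinguishedName = $u.DistinguishedName
            }
        }
    }
}

# Review first, act later. Disabling is reversible; deleting is not.
$report = Get-StaleUserReport -InactiveDays 90
$report | Sort-Object Reason, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\stale-users.csv -NoTypeInformation

# Staged action: disable (not delete) the inactive accounts; drop -WhatIf once the list is reviewed.
$report | Where-Object Reason -eq 'Inactive' |
    ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

One caveat a practitioner should keep in mind: lastLogonTimestamp is replicated between domain controllers, but it is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random 0 to 5 days). It therefore cannot answer "who has not logged in for a week"; for windows shorter than about two weeks, query the non-replicated lastLogon attribute on every domain controller and take the newest value.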

To see a list of all AD user reports, visit Active Directory Reports.

Last-logon based reports

Using this report, you can see a list of computers to which no user has logged on in the past X days. This report comes in handy for detecting and removing computers nobody uses.

Disabled computers

Computers, like employees, are always in a state of flux, particularly when a new technology is introduced or the existing computers no longer meet employees' needs. In such situations, administrators usually disable these computer accounts. After a few years, disabled computer accounts can even outnumber enabled ones. Hence, it is wise to use an AD clean-up tool to detect these objects and remove them.

Groups without members

Many security groups are created in Active Directory to grant certain privileges to some users. However, as time passes, some groups lose their purpose and become empty. If a user accidentally becomes a member of such a group, the user obtains unnecessary and potentially harmful privileges. As a result, these groups should be deleted as soon as possible. Borna AD clean-up tool helps you find all groups that have no members and manage them together.
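The computer reports (last logon, disabled computers) and the groups-without-members report described above can be built the same way. The PowerShell below is an added example rather than Borna AD manager code; it assumes the RSAT ActiveDirectory module and read access to the domain, and the 90-day threshold is a constructed value.

```powershell
# Added example (not Borna AD manager code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-InactiveComputerReport {
    param([int]$InactiveDays = 90)   # constructed threshold
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate, OperatingSystem, whenCreated |
        Where-Object {
            # Either no logon ever recorded (and not freshly joined), or last logon older than the cutoff.
            ((-not $_.LastLogonDate) -and ($_.whenCreated -lt $cutoff)) -or
            ($_.LastLogonDate -and ($_.LastLogonDate -lt $cutoff))
        } |
        Select-Object Name, OperatingSystem, LastLogonDate, whenCreated, DistinguishedName
}

function Get-DisabledComputerReport {
    # whenChanged is the object's last modification time, a rough proxy for when it was disabled.
    Get-ADComputer -Filter 'Enabled -eq $false' -Properties OperatingSystem, whenChanged |
        Select-Object Name, OperatingSystem, whenChanged, DistinguishedName
}

function Get-EmptyGroupReport {
    # Members reflects the group's member attribute only. Primary-group membership is not stored
    # there, so Domain Users and Domain Computers would look empty; isCriticalSystemObject excludes
    # those built-in groups so the report never suggests deleting them.
    Get-ADGroup -Filter * -Properties Members, isCriticalSystemObject, whenCreated, Description |
        Where-Object { ($_.Members.Count -eq 0) -and (-not $_.isCriticalSystemObject) } |
        Select-Object Name, GroupCategory, GroupScope, whenCreated, Description, DistinguishedName
}

# Usage: export all three for review before any object is disabled or removed.
Get-InactiveComputerReport -InactiveDays 90 | Export-Csv .\inactive-computers.csv -NoTypeInformation
Get-DisabledComputerReport                 | Export-Csv .\disabled-computers.csv -NoTypeInformation
Get-EmptyGroupReport                       | Export-Csv .\empty-groups.csv -NoTypeInformation
```

Before acting on the inactive-computer list, cross-check it against your inventory: cluster name objects and other accounts that are never used for interactive logon can look stale here, and disabling first (Disable-ADAccount also accepts computer objects) keeps a mistake reversible.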

Report accounts with empty attributes (Account Expired Time)

In some cases, administrators, or other employees to whom user creation is delegated, neglect to fill in the account expiration time. Users without an account expiration attribute can log in to the domain indefinitely. Thus, administrators should regularly check Active Directory users to find the ones who are no longer allowed to log in. With Borna AD clean-up tool you can see a list of all users whose account expiration attribute is empty and manage them; for instance, you can set an expiration time for all of them at once.

Automatic Clean-up Strategy

The clean-up process is a periodic and ongoing task. How do you know it is the right time to start cleaning up? How often should AD be cleaned up? It is difficult to say even in specific scenarios, let alone in general. Note that cleaning up is a cure; the best way to manage AD objects is to prevent unnecessary objects from existing in the first place. Although it may sound unfamiliar, it is possible to define automatic tasks that handle these objects periodically without requiring an administrator's intervention. To see how to define automation, visit Active Directory Automation.
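For the empty-expiration report in the previous section and the periodic automation discussed here, the following PowerShell is an added example; it is not Borna AD manager's automation, which the page does not detail. It assumes the RSAT ActiveDirectory and ScheduledTasks modules are available, and the script path, task name, group managed service account name and 180-day window are placeholders.

```powershell
# Added example (not Borna AD manager code). Requires the ActiveDirectory and ScheduledTasks modules.
Import-Module ActiveDirectory

function Get-NeverExpiringUserReport {
    # accountExpires is a raw Int64. Both 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFF) mean
    # "never expires"; the module exposes either as a $null AccountExpirationDate, so filtering on
    # that property catches both encodings instead of testing one magic number.
    Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties AccountExpirationDate, accountExpires, whenCreated, Description |
        Where-Object { -not $_.AccountExpirationDate } |
        Select-Object SamAccountName, whenCreated, Description, accountExpires, DistinguishedName
}

function Set-ExpirationForReviewedUsers {
    # Bulk-set an expiration date on a reviewed list. -WhatIf previews; remove it to apply.
    param(
        [Parameter(Mandatory)][string[]]$SamAccountNames,
        [datetime]$ExpireOn = (Get-Date).AddDays(180)   # constructed policy window
    )
    foreach ($sam in $SamAccountNames) {
        Set-ADAccountExpiration -Identity $sam -DateTime $ExpireOn -WhatIf
    }
}

# Periodic run: a scheduled task that executes a review script weekly. The script path, task name
# and gMSA are placeholders. A group managed service account means no password is stored in the
# task; the host must have been allowed to retrieve it (Install-ADServiceAccount) beforehand.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\AD-Cleanup-Review.ps1'
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'DOMAIN\gmsa-adcleanup$' -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'AD Clean-up Review' -Action $action -Trigger $trigger -Principal $principal
```

Service and application accounts legitimately have no expiration date, so scope the report with -SearchBase to the OUs that hold people, or filter on Description, before setting dates in bulk. Keep the scheduled script read-only (report and notify) unless the review step has been automated and audited; a report-only task does not need RunLevel Highest.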