How to Cleanup Active Directory
In this guide, I’ll show you how to cleanup Active Directory using the AD Pro Toolkit. The toolkit lets you easily find stale objects in your Active Directory and disable, delete, move and export the accounts.
Note - To automate AD Cleanup see our Automation Guides
How to find Inactive AD Users
- Click on “AD Cleanup” from the User Management page. (It’s also listed under Security Tools).
- Select an OU or leave it as the default to run on the entire domain.
- Select the time frame (default is last 90 days) and click run.
To export the report, click the export button and select from CSV, Excel or PDF.
To move accounts to another OU select them from the results grid and click the move button.
To disable accounts, select them from the results grid and click the disable button.
Find Disabled Active Directory Users
To find all disabled users click the “disabled users” box and click run.
Users with No Logons
Users with no logons are accounts that have no date in the lastlogonTimestamp attribute.
Click on “users with no logons” and click run.
Expired Users
Expired accounts are accounts that have a date set under the account expires settings.
To find all expired users click the “expired users” box and click run.
Find Inactive Computers
To find inactive computers click the “Inactive Computers” box select the time range and click run.
Find Empty Groups
Empty groups are groups that have no members.
To find all empty groups click the “empty groups” box and click run.
Move or Disable Stale User and Computer Accounts
The AD Cleanup Tool lets you move and disable stale accounts. You can easily run a clean up on single or multiple accounts in Active Directory. The recommended way to clean up stale accounts is to move them to an inactive OU, disable them for x days and then delete the account.
Cleanup Group Policy Objects
Just like user and computer accounts, there can be stale or unused GPOs in your environment. These unused or disabled GPOs can make a mess of your AD and cause confusion with other Administrators. The AD Pro Toolkit provides GPO reports and makes it easy to find unused GPOs.
To find unused GPOs click on Group Policy Report -> All GPOs