Active Directory Cleanup Best Practices
Best practice #1: remove disabled accounts
A crucial part of Active Directory cleanup is monitoring for disabled user and computer accounts and removing them when appropriate. When employees go on extended leave or leave the organization entirely, it’s common practice to disable their accounts in Active Directory. Depending on the length of the leave, administrators might choose to retain the credentials and account information for a defined period.
It’s imperative that administrators check for disabled accounts regularly. Even when an account no longer works, attackers can still abuse its credentials, impersonate the former employee to phish login information out of the IT help desk, and trigger costly security breaches. In addition to crowding the directory and increasing security risk, disabled accounts can also cause compliance problems when they show up on audit reports.
Administrators should define a grace period that accommodates employees on extended leave and set a firm date after which disabled accounts are deleted from the system. The length of the grace period will vary by organization. Before deleting an account completely, administrators should back up any organizational information tied to it for future use.
Best practice #2: find and remove inactive accounts
Sometimes an account remains on the network without being disabled. Inactive users are defined, by default, as users who haven’t attempted to access data in 90 days or more, although the standard idle period may be shorter or longer depending on the organization. Like disabled accounts, inactive accounts pose a security risk, and they’re often overlooked during account removal.
Finding and removing disabled and inactive accounts can be done with scripts and commands, but writing and running them by hand at regular intervals is tiresome and time-consuming. AD cleanup tools accomplish both tasks more easily.
Most cleanup software for Active Directory enables admins to identify inactive accounts by filtering through the last login date or by checking the elapsed time since a user last attempted to access information. Since inactive accounts may still technically be in use, admins should avoid removing them in bulk. Instead, it’s advisable to set them aside or move them to a separate organizational unit (OU) if the administrator is uncertain.
Software like SolarWinds RMM, for instance, contains a set of built-in scripts that enable users to scan directly for disabled and inactive accounts through Active Directory. Automation Manager allows you to create processes for everything, without having to learn complex scripting languages. IT administrators can then reorganize accounts by name or date, and select and delete disabled or inactive accounts as needed.
Best practice #3: delete unused accounts
It’s common to find accounts in Active Directory that have never been used. Like disabled or inactive accounts that remain in the system, neglected unused accounts can slow down your Active Directory system or make your organization vulnerable to data breaches.
When cleaning up Active Directory metadata, admins should run scripts that search for unused accounts, that is, accounts with no logons. Some unused accounts will be system or guest accounts that can be left untouched, but many will be duplicates or accounts simply forgotten by their owners.
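The three account types from best practices #1 to #3 can be told apart from the same directory query. The script below is an added example, not code from the article or from SolarWinds; it assumes the RSAT ActiveDirectory PowerShell module, uses placeholder values for the quarantine OU and the day counts, and approximates the date an account was disabled with its whenChanged attribute.

```powershell
# Added example (not from the original article): classify user accounts as
# disabled, never used or inactive for review. Requires the RSAT ActiveDirectory
# module; the OU and the day counts are placeholders for your own policy.
Import-Module ActiveDirectory

$InactiveDays    = 90    # idle period from best practice #2
$GracePeriodDays = 30    # how long a disabled account is kept before deletion
$QuarantineOu    = 'OU=Stale Accounts,DC=example,DC=com'   # placeholder OU

$Now            = Get-Date
$InactiveCutoff = $Now.AddDays(-$InactiveDays)
$GraceCutoff    = $Now.AddDays(-$GracePeriodDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates between
# domain controllers with a lag of up to 14 days: treat the result as a review
# list, not as proof that nobody used the account.
$Users = Get-ADUser -Filter * -Properties LastLogonDate, whenCreated, whenChanged

$Report = foreach ($u in $Users) {
    $state = if (-not $u.Enabled) {
        # whenChanged only approximates the disable date (any attribute change resets it)
        if ($u.whenChanged -lt $GraceCutoff) { 'Disabled-PastGrace' } else { 'Disabled-InGrace' }
    } elseif ($null -eq $u.LastLogonDate) {
        # never logged on: flag it only once it is older than the idle period
        if ($u.whenCreated -lt $InactiveCutoff) { 'NeverUsed' } else { 'New' }
    } elseif ($u.LastLogonDate -lt $InactiveCutoff) {
        'Inactive'
    } else {
        'Active'
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        State          = $state
        LastLogonDate  = $u.LastLogonDate
        Created        = $u.whenCreated
        DN             = $u.DistinguishedName
    }
}

# Review list: everything except accounts that are clearly in use
$Report | Where-Object State -ne 'Active' | Sort-Object State, LastLogonDate | Format-Table -AutoSize

# Set inactive accounts aside in a separate OU instead of deleting them in bulk.
# -WhatIf only prints what would happen; remove it after the list has been reviewed.
$Report | Where-Object State -eq 'Inactive' |
    ForEach-Object { Move-ADObject -Identity $_.DN -TargetPath $QuarantineOu -WhatIf }
```

Accounts in the Disabled-PastGrace state are the deletion candidates from best practice #1; back up their data before removing them.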
Best practice #4: tackle accounts with expired passwords
In addition to disabled and inactive accounts, administrators performing cleanup should look for Active Directory user accounts and passwords that have expired. Administrators typically set accounts and passwords to expire after a given period to safeguard information, but they often expire without admins being alerted and must therefore be cleaned up.
Expired passwords and user logins are often an indicator that the account has been inactive for an extended period. Administrators should note, however, that expired accounts are different from inactive accounts, and an expired account may still be in use. When checking for expired passwords, admins should run a separate check to confirm that the expired password or account hasn’t been used recently before deleting it. As with disabled accounts, admins should back up any organizational data before deleting.
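The separate "has it been used?" check described above, as an added example that is not part of the original article: it assumes the ActiveDirectory module and reuses the 90-day idle period so that expired-but-active accounts are separated from expired-and-inactive ones.

```powershell
# Added example (not from the original article): list accounts whose password or
# account has expired and show whether each has logged on recently, so an expired
# account is not mistaken for an inactive one. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$InactiveCutoff = (Get-Date).AddDays(-90)   # same idle period as for inactive accounts

# Search-ADAccount returns both kinds of expiry; an account may appear in both lists
$Expired = @(Search-ADAccount -PasswordExpired -UsersOnly) +
           @(Search-ADAccount -AccountExpired  -UsersOnly) |
           Sort-Object SamAccountName -Unique

$Expired | ForEach-Object {
    [pscustomobject]@{
        SamAccountName        = $_.SamAccountName
        Enabled               = $_.Enabled
        PasswordExpired       = $_.PasswordExpired
        AccountExpirationDate = $_.AccountExpirationDate
        LastLogonDate         = $_.LastLogonDate
        # True means the account was used within the idle period despite the expiry:
        # it belongs in the "reset or extend" pile, not the deletion pile.
        UsedRecently          = ($null -ne $_.LastLogonDate -and $_.LastLogonDate -ge $InactiveCutoff)
    }
} | Sort-Object UsedRecently, LastLogonDate | Format-Table -AutoSize
```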
Best practice #5: consolidate or remove inactive or empty groups
A single organization is likely to have hundreds—or even thousands—of Active Directory groups. In addition to reorganizing and deleting obsolete accounts, AD cleanup involves finding, removing, or consolidating inactive or empty groups.
If a group has no users, or no active users, it will likely only clutter your system and can be eliminated. Administrators should note that only default Active Directory groups should remain empty. As with inactive or disabled accounts, admins should ensure the groups aren’t in use before selecting them for removal.
As with individual accounts, you can find Active Directory groups manually by writing separate scripts for each command. Alternatively, any AD cleanup software will come with automated scripts that can check for inactive and empty groups at predesignated intervals.
Best practice #6: identify and remove single user groups
Occasionally, Active Directory groups contain only a single user. Like empty or inactive groups, single-user groups likely serve no purpose and leave the organization more exposed to external attacks. Groups with one user may not be visible at first glance, but administrators can isolate them with a script that sorts groups by member count or by using AD cleanup software. These groups should also be deleted or consolidated to save space and help reduce vulnerabilities.
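Best practices #5 and #6 need the same query, so one added example (not code from the article or from SolarWinds) covers both: it enumerates groups, skips default groups using the isCriticalSystemObject attribute as an approximation for "default", and reports those with zero or one direct member. It assumes the ActiveDirectory module and writes its report to a constructed file name.

```powershell
# Added example (not from the original article): report empty and single-member
# groups for review. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$Groups = Get-ADGroup -Filter * -Properties member, isCriticalSystemObject, whenChanged, description

$Report = foreach ($g in $Groups) {
    # Default groups (Domain Users, Administrators, ...) carry isCriticalSystemObject
    # and are expected to exist even when empty; skip them. The flag is an
    # approximation: review any remaining well-known group by hand.
    if ($g.isCriticalSystemObject) { continue }

    # 'member' holds direct members only. Users whose primary group is this group
    # are not listed there, which is another reason the default groups are skipped.
    $count = @($g.member).Count
    if ($count -gt 1) { continue }

    [pscustomobject]@{
        Name        = $g.Name
        Scope       = $g.GroupScope
        Category    = $g.GroupCategory
        MemberCount = $count
        SoleMember  = if ($count -eq 1) { $g.member[0] } else { $null }
        LastChanged = $g.whenChanged     # a recently changed group is more likely still in use
        Description = $g.description
    }
}

$Report | Sort-Object MemberCount, LastChanged | Format-Table -AutoSize
$Report | Export-Csv -Path .\group-review.csv -NoTypeInformation   # constructed file name
```

Nothing is deleted here; the CSV is the review list that decides which groups are consolidated or removed.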
Best practice #7: organize and move accounts in bulk
Cleaning up Active Directory involves more than simple account deletions. Keeping Active Directory systems clean often also requires that admins reorganize individual user accounts and Active Directory groups. For many companies, this means removing, modifying, and reconfiguring accounts in bulk to save time and stay organized.
When organizing user accounts, administrators will have to import and modify accounts in bulk, change multiple passwords, or alter display names on multiple machines so that Active Directory systems stay clean and perform optimally. When managing group credentials, admins will also have to delete or modify group information across multiple machines and delete inactive groups in bulk.
Occasionally, when admins are unsure whether to remove selected accounts, they can temporarily move the accounts into new OUs for easy monitoring. Finally, since the IT environment for most organizations is distributed across different machines, admins may need to run scripts on multiple machines at once and carry out bulk actions across machines.
Managing bulk accounts can prove especially difficult when organizations scale quickly and manually writing scripts is no longer efficient. Juggling different attributes of hundreds of Active Directory user accounts can present a substantial challenge, even when an organization has the necessary resources. SolarWinds RMM enables users to easily move accounts in bulk and carry out bulk actions across multiple machines—all from one centralized dashboard.
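A script-based way to carry out the bulk renames, moves and disables described in this practice, as an added example that is not part of the original article: it assumes the ActiveDirectory module, takes its instructions from a CSV (the rows below are constructed) and logs a result per row so one bad row does not abort the batch.

```powershell
# Added example (not from the original article): apply a reviewed set of bulk
# changes (rename, move, disable) from CSV with a per-row result log. The CSV
# content below is constructed; in practice it comes from the review step.
Import-Module ActiveDirectory

$Changes = @'
SamAccountName,Action,NewDisplayName,TargetOU
jdoe,Rename,"Doe, Jane",
tsmith,Move,,"OU=Stale Accounts,DC=example,DC=com"
oldsvc,Disable,,
'@ | ConvertFrom-Csv

$Log = foreach ($row in $Changes) {
    try {
        $user = Get-ADUser -Identity $row.SamAccountName
        # -WhatIf makes this a dry run; remove it once the CSV has been reviewed
        switch ($row.Action) {
            'Rename'  { Set-ADUser        -Identity $user -DisplayName $row.NewDisplayName -WhatIf }
            'Move'    { Move-ADObject     -Identity $user -TargetPath  $row.TargetOU -WhatIf }
            'Disable' { Disable-ADAccount -Identity $user -WhatIf }
            default   { throw "Unknown action '$($row.Action)'" }
        }
        [pscustomobject]@{ Account = $row.SamAccountName; Action = $row.Action; Result = 'OK' }
    } catch {
        # a typo or a missing account is logged and the batch continues
        [pscustomobject]@{ Account = $row.SamAccountName; Action = $row.Action; Result = $_.Exception.Message }
    }
}

$Log | Format-Table -AutoSize
$Log | Export-Csv -Path .\bulk-changes-log.csv -NoTypeInformation   # constructed file name
```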
Best practice #8: automate Active Directory cleanups
To help mitigate security risks and prevent obsolete accounts from impacting Active Directory performance, AD cleanups should be conducted at regular intervals. Most of the tasks that fall under Active Directory management and cleanup—such as removing disabled and inactive accounts, deleting empty and inactive groups, and locating expired user accounts and passwords—can be done by writing scripts. Many of these tasks can be accomplished by downloading a PowerShell module. But even when using a PowerShell module to build scripts, IT admins should automate replicable cleanup tasks with a tool like SolarWinds Automation Manager whenever possible to save time.
Especially as organizations grow, the number of active users (both internal and external) may expand at an alarming rate. The number of user accounts in Active Directory can quickly reach beyond what administrative employees can manually accommodate. If the organization relies on writing scripts to handle routine tasks, obsolete objects will likely accumulate at a rapid clip. In larger organizations and enterprises, IT departments will need to rely on automated Active Directory maintenance to avoid writing custom scripts every time. Process automation accelerates the cleanup process, minimizes human error, and helps ensure adherence to best practices.
IT admins can build automation directly into their AD cleanup scripts, but again, this may prove difficult when tackling user accounts and objects in bulk. For larger organizations or organizations with advanced IT environments, admins should consider investing in AD cleanup software that offers ready-to-run scripts.