Active Directory Cleanup Best Practices

Active Directory (AD) is Microsoft's directory service for Windows domains: it stores users, groups, computers and policy as objects, and it authenticates users and machines to network services. It is widely used, including among managed services providers (MSPs), to manage employee credentials and access permissions.

Active Directory stores users, computers and groups as objects, and those objects accumulate and become obsolete over time. The encryption AD applies to authentication traffic does nothing about a forgotten account that can still log on, so administrators must regularly clean up accounts and objects to keep the directory manageable and to shrink its attack surface.

Poor management and cleanup procedures can leave organizations exposed to cyberattacks and can result in costly data breaches. In the following article, we take a look at best practices for Active Directory cleanup, as well as how AD cleanup tools like SolarWinds® RMM and Automation Manager can automate the process.

What Is Metadata Cleanup in Active Directory?

In Microsoft's documentation, metadata cleanup has a narrow meaning: removing the objects left behind by a domain controller that failed or was decommissioned without being demoted cleanly (historically done with ntdsutil). In practice, and throughout this article, the term is used more broadly for removing obsolete objects of every kind from your Active Directory. As employees leave or change positions within an organization, user and computer accounts go stale. Stale accounts clutter the directory and make reports and audits inconsistent, and they pose a real security risk: nobody is watching them, so an attacker who obtains or guesses their credentials, or who re-enables them with compromised administrative rights, can operate for a long time without being noticed.

Regular cleanup is crucial to keeping your Active Directory environment functioning efficiently and to keeping its attack surface small. Typically, cleanup involves reviewing account activity, identifying obsolete domain controller, computer and user accounts, and removing those objects along with anything that references them. It can also involve removing historical data and retooling configurations that may impact performance.

AD cleanups can be difficult and resource-intensive if IT administrators have to write complex scripts by hand. Fortunately, there are many options when it comes to cleaning up Active Directory systems. The ActiveDirectory PowerShell module, which ships with the Remote Server Administration Tools (RSAT) and is present on every domain controller, provides cmdlets such as Get-ADUser, Get-ADGroup and Search-ADAccount that make it far easier to build Active Directory management, cleanup, and automation scripts. Automation Manager from SolarWinds MSP allows you to set up sophisticated automated tasks to scale your business fast.

However, as organizations grow and Active Directory cleanup grows more complex, even writing PowerShell scripts can become too time-consuming. For larger organizations and enterprises, there are AD cleanup tools on the market that provide an easy-to-use interface and preset scripts that can accelerate and automate cleanup.

How often and how extensively you monitor Active Directory accounts and activity will ultimately depend on the size and needs of your organization. In what follows, we list some general best practices for Active Directory cleanup that every MSP technician should know, regardless of their toolkit.

Best practices for cleaning up Active Directory

Best practice #1: remove disabled accounts

A crucial part of Active Directory cleanup is monitoring for disabled user and computer accounts, and removing them when appropriate. When employees go on extended leave or leave an organization completely, it’s common practice for organizations to disable their account through Active Directory. Depending on their length of leave, administrators might choose to retain their credentials and information for a definite period.

It's imperative that administrators check for disabled accounts regularly. A disabled account cannot authenticate, but it is not harmless: it keeps its group memberships and permissions, so anyone with sufficient rights (including an attacker who has compromised a help-desk or administrator account) can re-enable it and inherit that access, and the former employee's identity can still be used in social-engineering requests to the IT desk. In addition to crowding the system and increasing security risks, disabled accounts can also cause compliance problems by showing up on audit reports.

Administrators should define a grace period to accommodate employees on extended leave and establish a firm date after which disabled accounts will be deleted from the system. The length of the grace period will vary depending on the organization. Before deleting an account completely, administrators should back up any organizational information for future use, including the object's attributes, its group memberships and any mailbox or home directory tied to it. Deleting the object also discards its SID, so if the Active Directory Recycle Bin is enabled, keep in mind that a deleted object can be restored intact only within the deleted object lifetime (180 days by default).

Best practice #2: find and remove inactive accounts

Sometimes, an account remains on the network without being disabled. Active Directory has no built-in definition of an inactive user; a common convention is a user who has not logged on in 90 days or more, but depending on the organization, the idle period may be shorter or longer. Like disabled accounts, inactive accounts can pose a security risk, and they're often overlooked during account removal.

Finding and removing disabled and inactive accounts can be done with a few lines of PowerShell. But re-running and maintaining hand-written scripts at regular intervals is tiresome and error-prone. Instead, you can more easily accomplish both tasks by using AD cleanup tools, which package the same checks behind a schedule.

Most cleanup software for Active Directory enables admins to identify inactive accounts by filtering on the last logon date. Be aware of how that date is produced: the replicated lastLogonTimestamp attribute (shown as LastLogonDate by the ActiveDirectory module) is rewritten only when the stored value is more than 14 days old by default, so it can understate how recently a user logged on by up to two weeks. The exact lastLogon attribute is not replicated and must be read from every domain controller. Since inactive accounts may still technically be in use, admins should avoid removing them in bulk. Instead, it's advisable to set them aside or move them to a separate organizational unit (OU) if the administrator is uncertain.

Software like SolarWinds RMM, for instance, contains a set of built-in scripts that enable users to scan directly for disabled and inactive accounts through Active Directory. Automation Manager allows you to create processes for everything, without having to learn complex scripting languages. IT administrators can then reorganize accounts by name or date, and select and delete disabled or inactive accounts as needed.
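The two checks described under best practices #1 and #2, written as an added example with the RSAT ActiveDirectory module (this is not code from the original article or from SolarWinds). It assumes the module is installed, that the caller can read the domain, and a 90-day inactivity policy; the CSV path and the inactivity window are assumptions. It reports rather than deletes, and it shows the difference between the coarse replicated LastLogonDate and the exact per-domain-controller lastLogon:

```powershell
# Added example (not from the original article): report disabled and inactive
# user accounts with the RSAT ActiveDirectory module. Assumes the module is
# installed and the caller has read access to the domain; the 90-day window is
# an assumed policy value.
Import-Module ActiveDirectory

$InactiveDays = 90
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# 1. Disabled user accounts. whenChanged is the last write to the object, only a
#    rough proxy for the disable date; Description is where a cleanup process can
#    record the exact date and the original OU.
$disabled = Search-ADAccount -AccountDisabled -UsersOnly |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties whenChanged, Description } |
    Select-Object SamAccountName, DistinguishedName, whenChanged, Description

# 2. Enabled accounts with no logon since the cutoff. Search-ADAccount evaluates
#    lastLogonTimestamp, which is replicated but, by default, rewritten only when
#    the stored value is more than 14 days old. It can therefore understate how
#    recently someone logged on by up to ~14 days, so keep the window well above that.
$inactive = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, PasswordLastSet } |
    Where-Object { $_.whenCreated -lt $cutoff }   # a brand-new account is not "inactive"

# 3. Before acting on a candidate, read the non-replicated lastLogon attribute from
#    every domain controller. It is exact, but each DC only knows about the logons
#    it handled, so the true value is the newest one across all DCs.
function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $latest = [datetime]::MinValue
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
        if ($u.lastLogon -gt 0) {
            $t = [datetime]::FromFileTime($u.lastLogon)
            if ($t -gt $latest) { $latest = $t }
        }
    }
    $latest
}

$report = foreach ($u in $inactive) {
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        LastLogonDate   = $u.LastLogonDate                     # replicated, coarse
        TrueLastLogon   = Get-TrueLastLogon $u.SamAccountName  # exact, gathered per DC
        PasswordLastSet = $u.PasswordLastSet
        Created         = $u.whenCreated
    }
}

# Review the report; act only on accounts whose exact last logon is also past the cutoff.
$report | Where-Object { $_.TrueLastLogon -lt $cutoff } | Sort-Object TrueLastLogon | Format-Table -AutoSize
$disabled | Export-Csv -Path .\disabled-users.csv -NoTypeInformation
```

The per-DC query is slow in a large forest, which is why it runs only on the candidates the cheap replicated check already produced rather than on every user.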

Best practice #3: delete unused accounts

It's common to find accounts in Active Directory that have never been used: a hire who never started, a duplicate created by mistake, or a project that never launched. Like disabled or inactive accounts that remain in the system, these accounts clutter the directory, and they are attractive to an attacker because they usually still carry an initial password that several people may know and because nobody is watching them.

When cleaning up Active Directory, admins should run scripts to search for accounts with no recorded logon. Some of these will be built-in accounts or service accounts, which can authenticate through Kerberos without ever producing an interactive logon and which you should leave untouched, but many will be accounts set up in duplicate or simply forgotten by the user.

Best practice #4: tackle accounts with expired passwords

In addition to disabled and inactive accounts, cleanup administrators should look for Active Directory user accounts and passwords that have expired. Two different things can expire: a password, when the maximum password age in the domain or fine-grained password policy elapses, and the account itself, when an explicit expiration date set on the account (typical for contractors) passes. Both happen silently, with no alert to admins, so expired objects linger until someone looks for them and must therefore be cleaned up.

Expired passwords and expired accounts are often an indicator that the account has been inactive for an extended period. But administrators should note that expired accounts are different from inactive accounts, and it's possible that the account may still be in use. When checking for expired passwords, admins should run a separate check on last logon activity to help ensure that the account hasn't been in use before deleting it. The opposite condition deserves a look in the same pass: accounts whose password is set never to expire bypass the policy entirely and are common on forgotten service accounts. As with disabled accounts, admins should back up any organizational data before deleting.
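Best practices #3 and #4 share the same shape (find the condition, then separate "stale" from "still in use"), so one added example covers both. It is not code from the original article or from SolarWinds; it assumes the RSAT ActiveDirectory module, and the 30-day minimum age and 90-day staleness window are assumed policy values:

```powershell
# Added example (not from the original article): find never-used accounts and
# accounts whose password or expiry date has lapsed, with the checks that separate
# "stale" from "still in use". Assumes the RSAT ActiveDirectory module; the 30- and
# 90-day windows are assumed policy values.
Import-Module ActiveDirectory

$minAgeDays  = 30   # ignore accounts younger than this; they may simply be new
$staleDays   = 90   # an expired object with no logon for this long is a cleanup candidate
$ageCutoff   = (Get-Date).AddDays(-$minAgeDays)
$staleCutoff = (Get-Date).AddDays(-$staleDays)

# Best practice #3: accounts that have never logged on. lastLogonTimestamp is first
# written on the first logon, so its absence means no logon has ever been recorded.
# Built-in objects (isCriticalSystemObject) and accounts with SPNs (service accounts
# that authenticate via Kerberos without an interactive logon) are kept in the report
# but flagged so they are not deleted by mistake.
$neverUsed = Get-ADUser -Filter { lastLogonTimestamp -notlike "*" } `
        -Properties whenCreated, isCriticalSystemObject, servicePrincipalName, Description |
    Where-Object { $_.whenCreated -lt $ageCutoff } |
    ForEach-Object {
        $keep = ''
        if ($_.isCriticalSystemObject)  { $keep = 'built-in' }
        elseif ($_.servicePrincipalName) { $keep = 'has SPN (service account)' }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Created        = $_.whenCreated
            Enabled        = $_.Enabled
            KeepReason     = $keep
            Description    = $_.Description
        }
    }

# Best practice #4: expired accounts (accountExpires has passed) and expired
# passwords (maximum password age exceeded). Both are normal conditions for an
# account that is still in use, so only those with no recent logon are candidates.
function Get-StaleExpired {
    param([Parameter(Mandatory)][string]$Kind, $Accounts)
    foreach ($a in $Accounts) {
        $u = Get-ADUser -Identity $a.DistinguishedName -Properties LastLogonDate, PasswordLastSet, AccountExpirationDate
        [pscustomobject]@{
            Kind            = $Kind
            SamAccountName  = $u.SamAccountName
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            AccountExpires  = $u.AccountExpirationDate
            Stale           = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $staleCutoff)
        }
    }
}
$expired = @(Get-StaleExpired -Kind 'AccountExpired'  -Accounts (Search-ADAccount -AccountExpired  -UsersOnly)) +
           @(Get-StaleExpired -Kind 'PasswordExpired' -Accounts (Search-ADAccount -PasswordExpired -UsersOnly))

# Enabled accounts whose password never expires sidestep the policy entirely.
$neverExpires = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

$neverUsed | Format-Table -AutoSize
$expired | Where-Object { $_.Stale } | Sort-Object Kind, LastLogonDate | Format-Table -AutoSize
$neverExpires | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

The LastLogonDate used for the staleness test carries the same 14-day replication lag as in the inactive-account check, so an expired account with a logon just inside the window should be treated as live.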

Best practice #5: consolidate or remove inactive or empty groups

A single organization is likely to have hundreds—or even thousands—of Active Directory groups. In addition to reorganizing and deleting obsolete accounts, AD cleanup involves finding, removing, or consolidating inactive or empty groups.

If a group has no members, or no active members, it is likely only cluttering your system and can be eliminated. Administrators should note that some built-in groups are supposed to be empty (Schema Admins, for example, should have members only while a schema change is being made), so leave those alone. As with inactive or disabled accounts, admins should ensure a group isn't in use before selecting it for removal. That check reaches beyond Active Directory: a group's SID may be referenced in file and share ACLs, GPO security filtering and application role mappings, and deleting the group leaves an orphaned SID in those ACLs that cannot be repaired except by restoring the group.

Like individual accounts, you can find such groups manually by querying group membership with a script. Alternatively, any AD cleanup software will come with automated scripts that can check for inactive and empty groups at predesignated intervals.

Best practice #6: identify and remove single user groups

Occasionally, Active Directory groups will contain only a single user. Such groups usually mean a permission was granted to one person through a group that was never reused. They are not a direct vulnerability, but like empty or inactive groups they add complexity, hide what is effectively a direct-to-user permission, and are easy to overlook in access reviews. Groups with one member may not be visible at first, but administrators can isolate them by listing groups by member count, with a script or with AD cleanup software. These groups should also be consolidated or, after the same in-use check as for empty groups, deleted to reduce clutter and help reduce the chance of stale permissions surviving.
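Best practices #5 and #6 are the same query with a different member count, so one added example serves both. It is not code from the original article or from SolarWinds; it assumes the RSAT ActiveDirectory module and read access to the domain, skips built-in groups, records the signals that say whether a group is still referenced, and exports a group before any (dry-run by default) deletion:

```powershell
# Added example (not from the original article): report empty and single-member
# groups (best practices #5 and #6), skipping built-in groups and recording the
# signals that tell you whether a group is still referenced. Assumes the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$groups = Get-ADGroup -Filter * -Properties Members, MemberOf, isCriticalSystemObject,
    whenChanged, Description, ManagedBy, GroupCategory

function Test-BuiltInGroup {
    param([Parameter(Mandatory)]$Group)
    # Built-in and well-known groups carry the critical-system flag or have a
    # relative identifier below 1000 (e.g. Domain Admins = 512, Schema Admins = 518).
    $rid = [int]($Group.SID.Value.Split('-')[-1])
    return ($Group.isCriticalSystemObject -eq $true) -or ($rid -lt 1000)
}

$review = foreach ($g in $groups) {
    if (Test-BuiltInGroup $g) { continue }   # Schema Admins etc. are meant to be empty
    $count = @($g.Members).Count
    if ($count -gt 1) { continue }
    $member = ''
    if ($count -eq 1) { $member = $g.Members[0] }
    [pscustomobject]@{
        SamAccountName = $g.SamAccountName
        Members        = $count
        Category       = $g.GroupCategory      # Security groups can hold ACL grants; Distribution cannot
        NestedIn       = @($g.MemberOf).Count  # a group nested inside other groups is still in use
        Managed        = [bool]$g.ManagedBy    # an owner to ask before removing it
        LastChanged    = $g.whenChanged
        Description    = $g.Description
        Member         = $member
    }
}

# Before deleting anything, save the full object so membership and the SID can be
# recovered. A deleted group's SID vanishes from every ACL that referenced it, and
# ACL checks on file shares must be done outside AD anyway.
function Backup-AndRemoveGroup {
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$Commit)
    $g = Get-ADGroup -Identity $SamAccountName -Properties *
    $g | Export-Clixml -Path ".\group-backup-$SamAccountName.xml"
    Remove-ADGroup -Identity $g -Confirm:$false -WhatIf:(-not $Commit)   # dry run unless -Commit
}

$review | Sort-Object Members, NestedIn | Format-Table -AutoSize

# Dry run on the first empty, unnested, unmanaged security group in the report
$review |
    Where-Object { $_.Members -eq 0 -and $_.NestedIn -eq 0 -and -not $_.Managed -and $_.Category -eq 'Security' } |
    Select-Object -First 1 |
    ForEach-Object { Backup-AndRemoveGroup -SamAccountName $_.SamAccountName }
```

Consolidating a single-member group means granting the member's permission through an existing role group and then treating the old group as empty; the report's Member column gives you the account to re-home.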

Best practice #7: organize and move accounts in bulk

Cleaning up Active Directory involves more than simple account deletions. Keeping Active Directory systems clean often also requires that admins reorganize individual user accounts and Active Directory groups. For many companies, this means removing, modifying, and reconfiguring accounts in bulk to save time and stay organized.

When organizing user accounts, administrators will have to import or modify accounts in bulk, reset multiple passwords, or correct display names. Each of these changes is made once against the directory and replicates to every domain controller; the same applies when admins delete or modify group information and remove inactive groups in bulk.

When admins are unsure whether to remove selected accounts, they can temporarily move the accounts into a dedicated OU for monitoring. Finally, since an MSP typically manages many separate domains and customer environments, admins may need to run the same scripts against several of them at once and carry out bulk actions across all of them.

Managing bulk accounts can prove especially difficult when organizations scale quickly and manually writing scripts is no longer efficient. Juggling different attributes of hundreds of Active Directory user accounts can present a substantial challenge, even when an organization has the necessary resources. SolarWinds RMM enables users to easily move accounts in bulk and carry out bulk actions across multiple machines—all from one centralized dashboard.

Best practice #8: automate Active Directory cleanups

To help mitigate security risks and prevent obsolete accounts from accumulating, AD cleanups should be conducted at regular intervals. Most of the tasks that fall under Active Directory management and cleanup, such as removing disabled and inactive accounts, deleting empty and inactive groups, and locating expired user accounts and passwords, can be done by writing scripts. As previously mentioned, the ActiveDirectory PowerShell module provides the cmdlets for this. But even when building scripts on that module, IT admins should automate repeatable cleanup tasks with a tool like SolarWinds Automation Manager whenever possible to save time.

Especially as organizations grow, the number of active users (both internal and external) may expand at an alarming rate. The number of user accounts in Active Directory can quickly reach beyond what administrative employees can manually accommodate. If the organization relies on writing scripts to handle routine tasks, obsolete objects will likely accumulate at a rapid clip. In larger organizations and enterprises, IT departments will need to rely on automated Active Directory maintenance to avoid writing custom scripts every time. Process automation accelerates the cleanup process, minimizes human error, and helps ensure adherence to best practices.

IT admins can build automation directly into their AD cleanup scripts, but again, this may prove difficult when tackling user accounts and objects in bulk. For larger organizations or organizations with advanced IT environments, admins should consider investing in AD cleanup software that offers ready-to-run scripts.

SolarWinds RMM and Automation Manager give organizations the freedom to automate over 100 tasks from a single interface. RMM can automate onboarding, enact account changes in bulk, and schedule default or customized scripts to run at scheduled intervals—embedding AD cleanup into your regular workflow for increased security and efficiency.
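As an added example for best practices #7 and #8 (not code from the original article or from SolarWinds), the following script stages the bulk work described above so it can run unattended: stage 1 disables a list of candidates, records the date and original location in Description, strips group memberships and moves the accounts to a quarantine OU; stage 2 deletes only quarantined accounts whose stamp is older than the grace period, after exporting each object. Everything is a dry run until -Commit is passed. It assumes the RSAT ActiveDirectory module; the quarantine OU, the 60-day grace period, the sample account names, the script path and the gMSA name are assumptions:

```powershell
# Added example (not from the original article): a staged, repeatable cleanup for
# best practices #7 and #8. The OU, gMSA name, script path, sample account names and
# 60-day grace period are assumptions. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$QuarantineOU = 'OU=Quarantine,OU=Decommissioned,DC=corp,DC=example'   # assumed
$GraceDays    = 60                                                      # assumed
$Stamp        = 'CLEANUP-DISABLED'                                      # marker written to Description

function Invoke-AccountQuarantine {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [switch]$Commit      # without -Commit every change is a -WhatIf dry run
    )
    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties *
        # Full export first: attributes, SID and direct group list are all needed to undo this.
        $u | Export-Clixml -Path ".\quarantine-$sam.xml"
        $note = "$Stamp $(Get-Date -Format yyyy-MM-dd) from $($u.DistinguishedName)"
        foreach ($grp in $u.MemberOf) {
            # Strip access now: a disabled account keeps its groups otherwise, and
            # anyone who re-enables it would inherit them.
            Remove-ADGroupMember -Identity $grp -Members $u -Confirm:$false -WhatIf:(-not $Commit)
        }
        Disable-ADAccount -Identity $u -WhatIf:(-not $Commit)
        Set-ADUser -Identity $u -Description $note -WhatIf:(-not $Commit)
        Move-ADObject -Identity $u -TargetPath $QuarantineOU -WhatIf:(-not $Commit)
    }
}

function Remove-QuarantinedAccounts {
    param([switch]$Commit)
    $limit   = (Get-Date).AddDays(-$GraceDays)
    $pattern = '^' + [regex]::Escape($Stamp) + ' (\d{4}-\d{2}-\d{2}) '
    Get-ADUser -SearchBase $QuarantineOU -Filter { Enabled -eq $false } `
               -Properties Description, ProtectedFromAccidentalDeletion |
        ForEach-Object {
            if (-not ($_.Description -match $pattern)) { return }   # not stamped by this process: leave it
            $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
            if ($disabledOn -ge $limit) { return }                   # still inside the grace period
            if ($_.ProtectedFromAccidentalDeletion) {
                Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $false -WhatIf:(-not $Commit)
            }
            Remove-ADUser -Identity $_ -Confirm:$false -WhatIf:(-not $Commit)
        }
}

# Dry run first; add -Commit to both calls once the output looks right.
Invoke-AccountQuarantine -SamAccountName 'jdoe', 'asmith'   # assumed sample names
Remove-QuarantinedAccounts

# Schedule it: run nightly under a group managed service account (gMSA) that is
# delegated rights only on the OUs it touches, rather than under a domain admin.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument '-NoProfile -ExecutionPolicy AllSigned -File C:\Scripts\Invoke-ADCleanup.ps1 -Commit'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\gmsa-adclean$' -LogonType Password
Register-ScheduledTask -TaskName 'AD Cleanup' -Action $action -Trigger $trigger -Principal $principal
```

Whatever runs the job, whether this script, a vendor tool or Automation Manager, should hold only delegated rights on the quarantine and target OUs; an automated cleanup that runs as a domain admin turns a scripting mistake into a domain-wide incident.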


For more information on Group Policy and Active Directory, read through our related blog articles.