Active Directory Cleanup Tool (ADCleanup)

Shaun Vermaak
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup.

Introduction


ADCleanup is my implementation of a set-and-forget Active Directory cleanup tool. Once this tool is implemented correctly, you never need to worry about dormant accounts ever again.


Implementation


1) Download and extract ADCleanup.zip (here is the VirusTotal scan) to a folder of your choice on the computer on which it will be scheduled to run.

2) Create a location in Active Directory to store inactive user accounts and record the distinguished name (DN).




3) Create a location in Active Directory to store inactive computer accounts and record the distinguished name (DN).



4) Run Configurator.exe (Configurator Editor).


a) On the Encrypt tab, enter the password for the account that will be performing the cleanup task. Encrypt it with key 9hOK7AtlGOCRyBtBdhF9pnTQuk8ES176 and record the encrypted password.



b) On the Settings tab, enter the fully qualified domain name, the cleanup account user name and the encrypted password recorded in step 4a.

c) Set userCleanup to true to enable the process to clean up user accounts, then set the user cleanup parameters.

d) Set userDisabledOU to the value recorded in step 2.

e) Set computerCleanup to true to enable the process to clean up computer accounts, then set the computer cleanup parameters.

f) Set computerDisabledOU to the value recorded in step 3.



g) On the userExcludedDNs tab, specify the distinguished name of any organizational unit that should be excluded from the cleanup process (+ or INS to add, - or DEL to delete, Enter or double-click to edit).



h) On the computerExcludedDNs tab, specify the distinguished name of any organizational unit that should be excluded from the cleanup process (+ or INS to add, - or DEL to delete, Enter or double-click to edit).



i) Schedule ADCleanup.exe to execute via a scheduled task. Upon every execution, the tool will clean up user and computer objects as per your configuration.
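
Before the scheduled task runs for the first time, it is worth previewing which accounts the excluded DNs and the disabled OU actually cover. The PowerShell below is an added example, not part of ADCleanup or the original article: the function name Get-StaleAccountPlan, the 90-day threshold and the sample accounts are assumptions constructed for illustration, and it only reports.

```powershell
# Added example: report-only preview; it never modifies the directory.
function Get-StaleAccountPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,  # need DistinguishedName, LastLogonDate
        [Parameter(Mandatory)] [string] $DisabledOU,  # DN recorded in step 2 or 3
        [string[]] $ExcludedDNs = @(),                # DNs from the excluded-DNs tab
        [int] $InactiveDays = 90,                     # assumed threshold, not a tool default
        [datetime] $Now = (Get-Date)
    )
    # Accounts already parked in the disabled OU are skipped like excluded ones.
    $skip = @($ExcludedDNs) + $DisabledOU
    foreach ($a in $Accounts) {
        $dn = [string]$a.DistinguishedName
        # Anchor the match at the end of the DN on a component boundary (leading
        # comma), ignoring case; a loose substring match could hit the wrong OU.
        $hit = $skip | Where-Object {
            $dn.EndsWith(",$_", [StringComparison]::OrdinalIgnoreCase)
        } | Select-Object -First 1
        $idle = $null
        if ($null -ne $a.LastLogonDate) {
            $idle = [math]::Floor(($Now - $a.LastLogonDate).TotalDays)
        }
        $action = if ($hit) {
            'Skip (excluded)'
        } elseif ($null -eq $idle) {
            'Review (never logged on)'   # new or unused account: decide by hand
        } elseif ($idle -ge $InactiveDays) {
            'Cleanup candidate'
        } else {
            'Keep'
        }
        [pscustomobject]@{ Account = $dn; IdleDays = $idle; Action = $action; MatchedDN = $hit }
    }
}

# Constructed sample accounts (placeholder domain corp.example). For live input use:
#   Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=jdoe,OU=Staff,DC=corp,DC=example'; LastLogonDate = [datetime]'2023-11-02' }
    [pscustomobject]@{ DistinguishedName = 'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example'; LastLogonDate = [datetime]'2022-01-15' }
    [pscustomobject]@{ DistinguishedName = 'CN=newhire,OU=Staff,DC=corp,DC=example'; LastLogonDate = $null }
    [pscustomobject]@{ DistinguishedName = 'CN=asmith,OU=Staff,DC=corp,DC=example'; LastLogonDate = [datetime]'2024-05-20' }
)
Get-StaleAccountPlan -Accounts $sample -Now ([datetime]'2024-06-01') `
    -DisabledOU 'OU=Disabled Users,DC=corp,DC=example' `
    -ExcludedDNs 'ou=service accounts,DC=corp,DC=example' | Format-Table -AutoSize
```

Service accounts that never log on interactively show up as long-idle or never-logged-on, so confirm their OU appears in the MatchedDN column before enabling cleanup.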


Conclusion


Using this process (or a similar one) will keep Active Directory free of unused computer and user objects and increase server security in the process.


Please do not forget to press the "Thumbs Up" button if this article was helpful and valuable for EE members.


It also provides me with positive feedback. Thank you!

13 Comments
 
LVL 2

Expert Comment

by:Sam Bloom
You can also look for unused OUs and empty groups in AD. Here's a PowerShell script that can help with that: http://www.adaxes.com/blog/cleanup-active-directory-with-powershell.html
1
 
LVL 8

Expert Comment

by:Senior IT System Engineer
Rather than deleting the unused AD account and computer object, is it possible to just move it into a certain OU?
0
 
LVL 42

Author Comment

by:Shaun Vermaak
Hi Senior IT System Engineer. I will update the article because this might be a little unclear. You can achieve that desired effect by setting the DeleteLimits to 0.
1

 
LVL 23

Expert Comment

by:Alan
Hi Shaun,

Would it be possible to just get a report of exceptions, rather than deleting or moving anything?

Thanks,

Alan.
1
 
LVL 42

Author Comment

by:Shaun Vermaak
Hi Alan,

Yes, you can. Set the delete and disable values to 0 and enable verbose.

Regards
Shaun
0
 
LVL 23

Expert Comment

by:Alan
Hi Shaun,

From:  Shaun Vermaak


Hi Alan,

Yes, you can. Set the delete and disable values to 0 and enable verbose

Regards
Shaun

Brilliant - great tool :-)

Thanks,

Alan
1
 

Expert Comment

by:geekgirl472
Is there a way to delete the inactive users' home folders as well?

I'd like to get a report based on your instructions above and then go back and delete inactive user accounts along with their home folders as well.

Thank you very much!
0
 
LVL 42

Author Comment

by:Shaun Vermaak
I have a tool, UserResourceCleanup, that can do this. If you want, I can post it as an article?
1
 

Expert Comment

by:geekgirl472
Yes, please. I would be very grateful. Thank you!
0
 
LVL 42

Author Comment

by:Shaun Vermaak
Here is the link to the user data cleanup tool (UserResourceCleanup): https://www.experts-exchange.com/articles/31021/UserResourceCleanup.html
1
 

Expert Comment

by:Ann Abed
Thank you everyone. This definitely help me get started.
appreciate all the input :)
1
 
LVL 23

Expert Comment

by:Alan
Hi Ann,

You have posted here on Shaun's article, but you also need to close the question.

Thanks,

Alan.
1
 
LVL 42

Author Comment

by:Shaun Vermaak
Comments and suggestions welcome. Let me know if you need any help ;)
1
