Automating Active Directory Cleanup
November 29, 2017. Featured article by Anton Pozdnyakov, CMO at Softerra
Managing Active Directory isn't rocket science. Of course, there are difficult parts, but most of the time it's about getting the basics right and following straightforward routines. If you keep things organized and do the simple things on time, you have done 90% of the work. If you don't, you won't get far, no matter how complex and sophisticated your toolbox is.
One of the first things you should be looking at is AD hygiene. It's as essential as washing your hands after visiting the bathroom. The idea behind it is very simple: keep your Active Directory environment clean and tidy, and don't let piles of unused objects grow into an unmanageable mess.
Why Automate AD Cleanup
Stale AD objects are bad. Not only do they complicate everyday management, they are also a security risk. Nobody is watching an unused account, so a guessed or leaked password for it is unlikely to be noticed, and its password is often never rotated; that makes stale user and computer accounts a common foothold for attackers.
To deal with this problem you need to regularly look for stale user and computer accounts and remove them from your directory. You might be fine doing it manually at first, but if you have an AD environment of any reasonable size, at some point you will realize that it's a straightforward and repetitive task. Thus, you can automate it. And the rule of thumb is that if something can be automated, it should be automated.
Where to Start
There are lots of ways to start automating AD cleanup. The bottom line is the following: identify the biggest problem, solve it, repeat.
The most sensible place to start is removing inactive users. They are the objects that accumulate most in typical environments. The absolute first thing you need to do, before implementing any automation, is to define 'inactivity'. For the sake of the example, let's assume that you want to remove any user accounts that have not logged on in the last 60 days. The easiest way to see this is the lastLogonTimestamp attribute. However, you should be careful with it. It is replicated between domain controllers, but by default it is only rewritten when the stored value is more than about 14 days old, so it tells you "last seen within roughly two weeks of this date", not the exact last logon (lastLogon is exact but is not replicated, so you would have to query every domain controller). Accounts that have never logged on have no lastLogonTimestamp at all, and service accounts that authenticate rarely can also fall under the 60-day condition. Always double-check such cases before acting on them.
Once obsolete user accounts are found, you need to run a full deprovisioning procedure on them: remove all access rights (group memberships), revoke licenses, disable the account, move it to a separate OU and keep it there for a while. If the retention period passes and nobody claims the account, you can delete it if your company's policies allow that. As simple as that.
For additional safety you can add an approval step to the procedure. This way you still look for unused accounts and identify them automatically, but before deprovisioning you ask a responsible member of IT staff to approve the list. That keeps the process under control even when the detection part runs unattended.
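The detection, deprovisioning and approval steps above, put together as a single PowerShell function. This is an added example, not code from the original article or from Adaxes. It assumes the ActiveDirectory module is installed and that three OUs exist with the names given in the parameters (a user OU to search, an OU holding service accounts to skip, and a quarantine OU); all three distinguished names are placeholders you would replace. The approval step is implemented with -WhatIf/-Confirm: run with -WhatIf to produce the CSV report for the approver, then run again without it to commit.

```powershell
#Requires -Modules ActiveDirectory
# Added example: find user accounts inactive for N days, report them, and (once approved)
# strip their group memberships, disable them and park them in a quarantine OU.
# OU names below are assumptions for illustration, not values from the article.

function Invoke-StaleUserCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]    $InactiveDays     = 60,
        [string] $SearchBase       = 'OU=Users,DC=example,DC=com',            # assumed
        [string] $ServiceAccountOU = 'OU=Service Accounts,DC=example,DC=com', # assumed
        [string] $QuarantineOU     = 'OU=Disabled Users,DC=example,DC=com',   # assumed
        [string] $ReportPath       = "$env:TEMP\stale-users.csv"
    )

    # lastLogonTimestamp is stored as a FILETIME in UTC, so compare in UTC throughout.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

    # Enabled users only: anything already disabled is either quarantined or out of scope.
    # The date logic is done client-side so never-logged-on accounts can be handled explicitly.
    $candidates = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties lastLogonTimestamp, whenCreated, servicePrincipalName, PrimaryGroup |
        Where-Object {
            $lastSeen = if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)   # accurate to ~14 days
            } else { $null }

            # Never-logged-on accounts have no timestamp; treat them as stale only if the
            # account itself is older than the cutoff, so a new hire's account is not swept up.
            $stale = if ($lastSeen) { $lastSeen -lt $cutoff }
                     else           { $_.whenCreated.ToUniversalTime() -lt $cutoff }

            # Skip service accounts: by location, or because they carry an SPN.
            $isService = ($_.DistinguishedName -like "*,$ServiceAccountOU") -or
                         ($_.servicePrincipalName.Count -gt 0)

            $stale -and -not $isService
        }

    # Report for the approver. This is written even under -WhatIf.
    $report = $candidates | Select-Object SamAccountName, DistinguishedName, whenCreated,
        @{ n = 'LastLogonTimestamp'; e = {
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } }
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Verbose ("{0} candidate account(s) written to {1}" -f @($report).Count, $ReportPath)

    foreach ($user in $candidates) {
        # ShouldProcess is the approval gate: -WhatIf only lists the action, -Confirm asks per account.
        if (-not $PSCmdlet.ShouldProcess($user.SamAccountName,
                "Deprovision: remove groups, disable, move to $QuarantineOU")) { continue }

        # 1. Remove access rights. The primary group cannot be removed, so leave that one.
        Get-ADPrincipalGroupMembership -Identity $user |
            Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup } |
            ForEach-Object { Remove-ADGroupMember -Identity $_.DistinguishedName -Members $user -Confirm:$false }

        # 2. Disable and stamp the account so it can be put back if somebody claims it.
        #    (Licence revocation happens in Exchange/Office 365 tooling and is left out here.)
        $originalOU = $user.DistinguishedName -replace '^CN=[^,]+,', ''
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description ("Deprovisioned {0:yyyy-MM-dd}; was in {1}" -f (Get-Date), $originalOU)

        # 3. Park it in the quarantine OU for the retention period before deletion.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
    }

    return $report
}

# Usage: produce the report for review, then commit after approval.
# Invoke-StaleUserCleanup -InactiveDays 60 -WhatIf -Verbose
# Invoke-StaleUserCleanup -InactiveDays 60 -Confirm
```

The deletion step is deliberately not in the function: after the retention period, a second scheduled job (or a person) can list accounts in the quarantine OU whose Description date is old enough and remove them, which keeps the destructive action separate from the detection run.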
Which Tools to Use
The last thing you need to do is choose the right tools to execute AD cleanup on a regular basis. You can either go for PowerShell and craft a solution yourself, which is a perfectly good choice for smaller Active Directory shops, or you can go for third-party tools like Adaxes that have a lot of this functionality, such as automated offboarding procedures and approval-based workflows, already built in.
By keeping your Active Directory clean from stale objects, you can make it a safer environment that’s much easier to manage. So, why not start doing it right now?
Anton Pozdnyakov is CMO at Softerra. Softerra provides Adaxes, a management and automation solution for Active Directory, Exchange and Office 365 environments. It allows organizations of all sizes to reduce the workload on IT departments, cut wasted time, increase security and much more. Try it yourself with a free 30-day trial.