Cleaning Up Your Company’s Active Directory: A Comprehensive Guide

By Style Sync

In this post, we’ll take a deep dive into cleaning up Active Directory (AD). We’ll share a real-world scenario of an AD cleanup, provide step-by-step instructions, and walk you through using PowerShell to identify and remove inactive devices, users, and stale DNS records, as well as to verify Active Directory replication health.

Introduction

Active Directory (AD) is like the heart of a company’s IT structure. Despite its age, it remains central to authentication, authorisation, and network management for most organisations. Over the years, AD accumulates old, unused accounts, computer objects, and DNS records—much like how a museum gathers artefacts. From time to time, these artefacts need to be reviewed, cleaned, or even removed. This helps improve performance, tighten security, and reduce clutter.

In this blog, I’ll walk you through a scenario where I led a project to clean up a company’s Active Directory. By treating AD like a museum that required periodic “dusting” and reorganisation, I tackled old devices, outdated user accounts, stale DNS entries, and, finally, verified replication health to ensure AD’s optimal performance.

Setting the Scene

Imagine taking over an Active Directory that’s been around for over a decade. You’re tasked with optimising it, and it quickly becomes clear that it’s filled with accounts for users who left years ago, devices that no longer exist, and DNS records pointing to nowhere. Cleaning it up becomes essential not only to streamline management but to secure the environment.

With this challenge in mind, let’s go through the process of cleaning up AD step-by-step.

Step 1: Identifying Old Computer Accounts

First, we need to identify and remove computer accounts that haven’t connected in over a year. This helps eliminate stale records and reduce the attack surface.

PowerShell Script to List Inactive Computers

The following PowerShell script will list all computer accounts that haven’t connected since January 1, 2024.

# Load the Active Directory module (part of RSAT); needed for the Get-AD* cmdlets used throughout
Import-Module ActiveDirectory
# Define date threshold: one year before the day the script is run
$thresholdDate = (Get-Date).AddYears(-1)
# Find inactive computers. LastLogonDate is derived from the replicated
# lastLogonTimestamp attribute, which is only refreshed when the stored value
# is roughly 14 days old, so it is accurate to within about two weeks.
Get-ADComputer -Filter {LastLogonDate -lt $thresholdDate} -Properties Name, LastLogonDate | 
    Select-Object Name, LastLogonDate | Sort-Object LastLogonDate

This script queries AD for all computers whose LastLogonDate is older than one year. The $thresholdDate variable is set to the date one year before the day the script is run, so only devices that have been inactive for a significant period are targeted.

Deleting Inactive Computers

Once you’ve verified the list, you can delete these inactive computers with another PowerShell command:

# Delete inactive computers (reuses $thresholdDate from the listing script).
# Add -WhatIf to Remove-ADObject to preview the deletions first. Computer
# objects that carry child objects (e.g. BitLocker recovery information)
# additionally need -Recursive, otherwise the delete fails for them.
Get-ADComputer -Filter {LastLogonDate -lt $thresholdDate} | 
    Remove-ADObject -Confirm:$false

Use caution with this command; once executed, these computer accounts will be permanently removed.

Step 2: Cleaning Up Stale User Accounts

Just like computers, old user accounts can clutter AD and pose security risks. Users who have left the company or moved to different roles often leave behind inactive accounts.

PowerShell Script to List Inactive Users

The following script identifies user accounts that haven’t logged on since January 1, 2024:

# Find inactive users (reuses $thresholdDate from Step 1: one year before today)
Get-ADUser -Filter {LastLogonDate -lt $thresholdDate} -Properties Name, LastLogonDate | 
    Select-Object Name, LastLogonDate | 
    Sort-Object LastLogonDate

This script returns a list of users who haven’t logged in over the past year.

Deleting Inactive Users

After reviewing the list, delete these inactive user accounts:

# Delete inactive users (reuses $thresholdDate from Step 1).
# Add -WhatIf to Remove-ADUser to preview the deletions first.
Get-ADUser -Filter {LastLogonDate -lt $thresholdDate} | 
    Remove-ADUser -Confirm:$false
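The two deletion commands above remove objects in a single pass. As an added example (not code from the original post), the following script applies a staged approach to both the inactive computers of Step 1 and the inactive users of Step 2: export the candidates for the audit, disable and tag them, and only delete objects that have stayed disabled for a grace period. The report path, the 90-day grace period and the description tag are illustrative values, not something the post specifies.

```powershell
# Added example (not from the original post): a staged cleanup for the inactive
# computers and users found in Steps 1 and 2. Objects are exported for review,
# then disabled and tagged, and only deleted after a grace period.
# Assumptions (not from the post): the RSAT ActiveDirectory module is installed;
# $reportPath, $graceDays and $tag are illustrative values.
Import-Module ActiveDirectory

$thresholdDate = (Get-Date).AddYears(-1)
$graceDays     = 90
$reportPath    = "C:\ADCleanup\inactive-$(Get-Date -Format yyyyMMdd).csv"
$tag           = "AD-CLEANUP-DISABLED"
$props         = 'SamAccountName', 'LastLogonDate', 'WhenCreated', 'Description'

# Candidates: enabled accounts created before the threshold (so a freshly joined
# machine that has not logged on yet is not swept up) whose LastLogonDate is
# either older than the threshold or absent. A plain "-lt $thresholdDate"
# filter never matches objects that have no LastLogonDate at all.
$staleComputers = Get-ADComputer -Filter { Enabled -eq $true -and WhenCreated -lt $thresholdDate } -Properties $props |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $thresholdDate }
$staleUsers = Get-ADUser -Filter { Enabled -eq $true -and WhenCreated -lt $thresholdDate } -Properties $props |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $thresholdDate }
$stale = @(@($staleComputers) + @($staleUsers) | Where-Object { $null -ne $_ })

# Audit step: one CSV with both object types for review by the relevant teams.
$report = @(foreach ($obj in $stale) {
    [pscustomobject]@{
        Type      = $obj.ObjectClass
        Name      = $obj.Name
        Sam       = $obj.SamAccountName
        LastLogon = $obj.LastLogonDate
        Created   = $obj.WhenCreated
        DN        = $obj.DistinguishedName
    }
})
New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null
if ($report.Count -gt 0) { $report | Export-Csv -Path $reportPath -NoTypeInformation }
Write-Host "Exported $($report.Count) inactive objects to $reportPath"

# Everything below is a dry run until this is set to $false.
$WhatIfPreference = $true

# Stage 1: disable and tag instead of deleting. The tag records the date so
# that Stage 2 can enforce the grace period, and the object stays recoverable
# (just re-enable it) if someone turns out to need it.
$stamp = "$tag $(Get-Date -Format yyyy-MM-dd)"
foreach ($obj in $stale) {
    Set-ADObject -Identity $obj.DistinguishedName -Replace @{ description = $stamp }
    Disable-ADAccount -Identity $obj.DistinguishedName
}

# Stage 2 (run on a later date): delete only objects tagged by Stage 1 more than
# $graceDays ago. Computer objects are also objectClass=user in the schema, so
# one LDAP filter covers both object types.
$cutoff = (Get-Date).AddDays(-$graceDays)
Get-ADObject -LDAPFilter "(&(objectClass=user)(description=$tag*))" -Properties description |
    Where-Object { [string]$_.description -match "$tag (\d{4}-\d{2}-\d{2})" -and [datetime]$Matches[1] -lt $cutoff } |
    ForEach-Object {
        # -Recursive is required for computer objects that carry child objects
        # (for example BitLocker recovery information); without it the delete fails.
        Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false
    }
```

Run it once with $WhatIfPreference left at $true to see exactly which objects would be disabled or deleted, circulate the CSV, and only then set it to $false. Keeping Stage 2 on a separate schedule from Stage 1 is what gives the grace period its value: a disabled account that someone complains about can be re-enabled, a deleted one has to be restored from backup or the recycle bin.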

Step 3: Removing Stale DNS Records

DNS records for computers that no longer exist or have been renamed can create confusion and cause issues with name resolution.

PowerShell Script to List and Remove Stale DNS Records

This script will locate DNS records that haven’t been updated in over a year and remove them.

# Define DNS zone (replace with your own zone name)
$zoneName = "yourdomain.local"
# Reuses $thresholdDate from Step 1: (Get-Date).AddYears(-1)
# Get stale DNS records. Static records (including the zone's SOA and NS
# records) have no Timestamp, and a plain "-lt" comparison would match them,
# so only timestamped (dynamic) records older than the threshold are selected.
$staleRecords = Get-DnsServerResourceRecord -ZoneName $zoneName | 
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $thresholdDate }
# Display stale DNS records
$staleRecords | Select-Object HostName, RecordType, Timestamp
# Remove stale DNS records. Remove-DnsServerResourceRecord takes the record
# object via -InputObject (it has no -Record parameter); -Force suppresses
# the confirmation prompt.
$staleRecords | ForEach-Object { 
    Remove-DnsServerResourceRecord -ZoneName $zoneName -InputObject $_ -Force 
}

Replace yourdomain.local with your actual DNS zone name. This script first lists the stale DNS records, allowing you to review them before deletion.
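A stale timestamp alone does not prove a record is dead: a machine that still exists in AD but has stopped refreshing its record is a different problem from a machine that is gone. As an added example (not code from the original post), the following script restricts the candidates to dynamic A records, shows the zone's aging settings, and cross-checks each candidate against the enabled computer accounts in AD before removing anything. The zone name and the DNS server name are placeholders.

```powershell
# Added example (not from the original post): cross-checking stale dynamic A
# records against the computer accounts that still exist in AD before removing
# them. Assumptions: the DnsServer and ActiveDirectory RSAT modules are
# installed; $zoneName and $dnsServer are placeholders for your environment.
Import-Module DnsServer
Import-Module ActiveDirectory

$zoneName      = "yourdomain.local"   # placeholder
$dnsServer     = "dc01"               # placeholder: a DNS server hosting the zone
$thresholdDate = (Get-Date).AddYears(-1)

# Show the zone's aging settings first: if scavenging is already enabled, the
# server removes records older than NoRefresh+Refresh on its own.
$aging = Get-DnsServerZoneAging -Name $zoneName -ComputerName $dnsServer
Write-Host ("Aging enabled: {0}  NoRefresh: {1}  Refresh: {2}  Scavenge servers: {3}" -f
    $aging.AgingEnabled, $aging.NoRefreshInterval, $aging.RefreshInterval, ($aging.ScavengeServers -join ', '))

# Candidates: dynamic (timestamped) A records older than the threshold. Static
# records have no Timestamp, and the zone apex ('@') records are registered by
# the domain controllers, so both are excluded.
$candidates = Get-DnsServerResourceRecord -ZoneName $zoneName -RRType A -ComputerName $dnsServer |
    Where-Object { $_.HostName -ne '@' -and $_.Timestamp -and $_.Timestamp -lt $thresholdDate }

# Lookup of enabled computer accounts keyed by their DNS host name.
$liveHosts = @{}
Get-ADComputer -Filter { Enabled -eq $true } -Properties DNSHostName |
    Where-Object { $_.DNSHostName } |
    ForEach-Object { $liveHosts[$_.DNSHostName.ToLower()] = $true }

$review = @(foreach ($rec in $candidates) {
    $fqdn = "$($rec.HostName).$zoneName".ToLower()
    [pscustomobject]@{
        HostName  = $rec.HostName
        IPAddress = $rec.RecordData.IPv4Address.IPAddressToString
        Timestamp = $rec.Timestamp
        Action    = if ($liveHosts.ContainsKey($fqdn)) { 'KEEP (enabled computer account)' } else { 'REMOVE' }
        Record    = $rec   # kept for the removal step below
    }
})
$review | Sort-Object Timestamp | Format-Table HostName, IPAddress, Timestamp, Action -AutoSize

# Remove only records with no matching enabled computer account. -WhatIf keeps
# this a dry run; drop it once the review list has been signed off.
$review | Where-Object { $_.Action -eq 'REMOVE' } | ForEach-Object {
    $_.Record | Remove-DnsServerResourceRecord -ZoneName $zoneName -ComputerName $dnsServer -Force -WhatIf
}
```

The KEEP rows deserve a second look rather than being ignored: an enabled computer account whose A record has not been refreshed for a year usually means either the machine is gone and its account should have been caught in Step 1, or dynamic DNS updates are failing for that host.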

Step 4: Verifying Active Directory Replication Health

Once the cleanup is done, it’s essential to check that Active Directory replication is functioning correctly to ensure that changes have propagated across all domain controllers.

PowerShell Script to Check Replication Health

Use the following script to perform a quick replication health check:

# Check AD replication health: inbound partners of the nearest domain controller.
# Partner identifies which replication link each row describes.
Get-ADReplicationPartnerMetadata -Target (Get-ADDomainController -Discover -NextClosestSite) | 
    Select-Object Server, Partner, LastReplicationAttempt, LastReplicationSuccess, LastReplicationResult

This command checks the last replication status between domain controllers, showing when replication last succeeded or failed.

For a more detailed replication health report, use:

# Detailed replication check
Repadmin /replsummary

This command gives a comprehensive view of replication success and failure counts for all domain controllers.
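The single-DC check above only covers the nearest domain controller. As an added example (not code from the original post), the following script queries every domain controller in the domain, flags inbound partners whose last successful replication is older than a threshold, and lists any outstanding replication failures, which is roughly the information repadmin /replsummary condenses. The 24-hour staleness threshold is an illustrative value.

```powershell
# Added example (not from the original post): a replication health summary
# across every domain controller in the domain. It flags inbound partners whose
# last successful replication is older than a threshold and lists any open
# replication failures. Assumptions: the ActiveDirectory RSAT module is
# installed; the 24-hour threshold is illustrative.
Import-Module ActiveDirectory

$maxAge = (Get-Date).AddHours(-24)
$dcs    = Get-ADDomainController -Filter *

$rows = @(foreach ($dc in $dcs) {
    try {
        # One row per inbound partner and partition for this DC.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -PartnerType Inbound -ErrorAction Stop
    } catch {
        # A DC that cannot be queried at all is itself a finding.
        [pscustomobject]@{ Server = $dc.HostName; Partner = '(unreachable)'; Partition = ''
                           LastSuccess = $null; Failures = $null; LastResult = $_.Exception.Message; Stale = $true }
        continue
    }
    foreach ($m in $meta) {
        # Partner is the DN of the partner's NTDS Settings object; pull the server name out of it.
        $partnerName = if ($m.Partner -match 'CN=NTDS Settings,CN=([^,]+)') { $Matches[1] } else { $m.Partner }
        [pscustomobject]@{
            Server      = $dc.HostName
            Partner     = $partnerName
            Partition   = $m.Partition
            LastSuccess = $m.LastReplicationSuccess
            Failures    = $m.ConsecutiveReplicationFailures
            LastResult  = $m.LastReplicationResult     # 0 means the last attempt succeeded
            Stale       = ($m.LastReplicationSuccess -lt $maxAge)
        }
    }
})

# Stale or failing links go to the top of the report.
$rows | Sort-Object Stale, Failures -Descending | Format-Table -AutoSize

# Outstanding failures as recorded by each DC.
$failures = @(foreach ($dc in $dcs) {
    Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue
})
if ($failures.Count -gt 0) {
    $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError | Format-Table -AutoSize
} else {
    Write-Host "No replication failures reported by any domain controller."
}

$staleCount = @($rows | Where-Object { $_.Stale }).Count
Write-Host "$staleCount partner/partition pairs have not replicated successfully since $maxAge."
```

Run this before the cleanup as well as after it: a link that was already stale beforehand will otherwise be blamed on the deletions, and objects removed on one DC will not disappear from a partner that is not replicating, which is exactly the inconsistency the post's Step 4 is meant to catch.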

Additional Tips and Best Practices

  • Backup AD: Before performing any cleanup tasks, it is essential to back up the company’s Active Directory. This ensures that, in case of any issues, you can restore critical directory information and maintain continuity.
  • Audit Before Deletion: Before you delete any objects, it’s a good idea to perform an audit. Export lists of inactive users, computers, and DNS records and verify them with relevant departments.
  • Use AD Cleanup Tools: Consider using third-party tools.
  • Automate with Scheduled Tasks: If inactive objects are a recurring issue, automate this process using scheduled PowerShell tasks.

Conclusion

Regular Active Directory cleanup is crucial for efficient IT operations and strong security posture. By removing inactive user accounts, outdated computer records, and stale DNS entries, you can reduce the clutter in AD, improve performance, and strengthen your network’s defenses. The cleanup also helps prevent replication issues by reducing the volume of objects that must be replicated across domain controllers.

With the provided PowerShell scripts and systematic approach, you now have a blueprint to clean up your Active Directory environment. Remember, AD maintenance should be ongoing—like a museum, it requires regular upkeep to prevent it from becoming a relic of outdated and unused entries.


2 Comments:
November 13, 2024

Hal, would you recommend ensuring you have a backup of the current AD environment before you start deleting objects? You mention auditing before deleting…

November 13, 2024

Hi @secretlykawaii688a153c63, Absolutely, this is a very important task. I’ve added it to make sure it’s clear. Thanks for highlighting it!
