Keeping your Active Directory nice and tidy is a good habit to have. It not only makes everyday management tasks easier, but it is also a way of improving security. Stale objects pose a real threat that can lead to serious security breaches, and many real-world IT departments run into exactly that kind of problem every day. But what can you do to prevent it?

Cleanup!

User Cleanup

Identifying and dealing with stale user accounts is one of the most important cleanup activities. The following principle applies: if something is not used, it is not needed. And everything that is not needed must be removed. Especially if it has access rights associated with it.

With Adaxes it is very easy to start managing inactive user accounts. All you need to do is activate a built-in scheduled task. By default it searches for users that have been inactive for more than 12 weeks and properly deprovisions them (this can include disabling the user, moving it to a specific OU, removing it from groups, archiving its Exchange mailbox, revoking Office 365 licenses, etc.). It also includes an approval step, so that no user is deprovisioned without permission from a responsible authority. By default approval requests are sent to the user’s manager and to the owner of the OU that the user is in.

Usually in cleanup scenarios inactive users are identified by looking at the LastLogonTimeStamp attribute. This is OK, but there are cases when it does not return exactly the results you want. That's why Adaxes provides a more sophisticated algorithm. It takes into account the creation date, the last password reset date and the last logon date. Adaxes then picks the most recent of those and calculates the current inactivity period.
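The same "most recent sign of life" rule, as an added example written with the RSAT ActiveDirectory module rather than Adaxes (this is not Adaxes code; the function names, the 12-week default and the use of raw pwdLastSet/lastLogonTimestamp values are assumptions):

```powershell
# Added example (not Adaxes code): inactivity = days since the most recent of
# whenCreated, pwdLastSet and lastLogonTimestamp. Assumes the ActiveDirectory
# module and a domain-joined session.
Import-Module ActiveDirectory

function Get-InactivityDays {
    param(
        [Nullable[datetime]]$WhenCreated,
        [Nullable[datetime]]$PasswordLastSet,
        [Nullable[datetime]]$LastLogon,
        [datetime]$Now = (Get-Date)
    )
    # A freshly created account or a recent password reset must not be flagged
    # just because no logon has been recorded yet, so take the newest date.
    $latest = @($WhenCreated, $PasswordLastSet, $LastLogon) |
        Where-Object { $_ -ne $null } |
        Sort-Object -Descending | Select-Object -First 1
    return [int]($Now - $latest).TotalDays
}

function Find-InactiveUser {
    param([Parameter(Mandatory)][string]$SearchBase, [int]$Weeks = 12)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties whenCreated, pwdLastSet, lastLogonTimestamp |
    ForEach-Object {
        # pwdLastSet / lastLogonTimestamp are FILETIME; 0 means "never" (or
        # "must change at next logon"). lastLogonTimestamp replicates lazily,
        # so it can lag the real last logon by up to 14 days.
        $pwd   = if ($_.pwdLastSet)         { [datetime]::FromFileTime($_.pwdLastSet) }         else { $null }
        $logon = if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        $days  = Get-InactivityDays -WhenCreated $_.whenCreated -PasswordLastSet $pwd -LastLogon $logon
        if ($days -gt (7 * $Weeks)) {
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; InactiveDays = $days }
        }
    }
}
```

The output is a candidate list only; as in the built-in task, an approval step before deprovisioning is what keeps a lagging timestamp from disabling a live account.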

Customization

The great thing about Adaxes is that it doesn’t limit you to the built-in functionality. You can basically do whatever you want with both the conditions that define inactive users and the actions that will be executed once stale accounts are identified.

For example, once a user is marked inactive, you can perform all sorts of actions on it: disable the account, move it into a specific OU, revoke all permissions, reset the password to a randomly generated one, write the deprovisioning date into a specific attribute, etc.

If the deprovisioned account is not needed for another year, a scheduled task can then delete it. Of course, all time periods can be set according to the specific policies of your particular company.

Other Types of Users to Cleanup

Inactive users, most often left behind by improper deprovisioning, are the most important subject of cleanup activities, but there are other types of user accounts that you should be looking at as well.

Administrators not in use. It is strongly advised to keep administrative accounts disabled at all times unless they are currently needed. For that purpose you can set up a scheduled task that runs over all enabled administrative accounts and disables them, but only after approval is granted by the person responsible for those accounts. This keeps managers alert and constantly aware of what is going on in their environment.

Users on long leave. If there are users that won’t need access to their accounts for a long time, it is reasonable to keep those accounts disabled. For this purpose you can store the leave date and return date in the users’ attributes. A scheduled task will then make sure that accounts are kept disabled during the leave period and automatically re-enabled once the return date is reached.

Expired users. Expired accounts are also worth monitoring in your system. Adaxes has a built-in condition that can identify user accounts that have remained expired for a certain amount of time. So, for example, if an account has been expired for more than 7 days, you can move it to a separate OU. If the account remains expired for another 3 months, you can execute proper deprovisioning procedures on it.

Computer Cleanup

Cleaning up inactive computer accounts is actually very similar to cleaning up inactive users. Adaxes also features a built-in scheduled task for this.

To avoid situations where a machine that has been running continuously for a long time is identified as stale, Adaxes adds a ping to the built-in inactivity identification procedure. This allows you to exclude servers and other always-on machines from the scope of the cleanup procedures.

Again, all time periods as well as actions executed by the scheduled task are completely customizable, so you can fit the exact needs of your particular environment.
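How a timestamp check combined with a ping tie-breaker looks when written by hand, as an added example using the ActiveDirectory module (not Adaxes code; the function name, the 12-week default and the two-packet ping are assumptions):

```powershell
# Added example (not Adaxes code): a computer is a stale candidate only when
# its lastLogonTimestamp is old (or missing) AND it does not answer a ping.
# Assumes the ActiveDirectory module and network reachability to the hosts.
Import-Module ActiveDirectory

function Find-StaleComputer {
    param([Parameter(Mandatory)][string]$SearchBase, [int]$Weeks = 12)
    $cutoff = (Get-Date).AddDays(-7 * $Weeks).ToFileTime()
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties lastLogonTimestamp, dNSHostName, operatingSystem |
    # Old or absent timestamp first; this is the cheap, offline part of the check.
    Where-Object { -not $_.lastLogonTimestamp -or $_.lastLogonTimestamp -lt $cutoff } |
    ForEach-Object {
        $target = if ($_.dNSHostName) { $_.dNSHostName } else { $_.Name }
        # The ping is the tie-breaker: a reachable always-on box is in use.
        # ICMP blocked by a firewall looks the same as "down", so the result is a
        # candidate for approval, not an automatic verdict.
        $alive = Test-Connection -ComputerName $target -Count 2 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.operatingSystem
            LastLogon       = if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
            Reachable       = [bool]$alive
            StaleCandidate  = -not $alive
        }
    }
}
```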

Groups Cleanup

Active Directory groups are mostly used to grant permissions and access rights. Often there are situations when certain groups are no longer needed. It is quite common to see all members removed from a group while the group itself is left in the system.

If you do care about security in your environment, obviously you don’t want empty groups with access rights hanging around. Thus you need to establish a procedure that will find those no longer needed groups and properly treat them.

Finding empty groups with Adaxes is an easy thing to set up. All you need to do is set up a scheduled task that acts on groups and add the condition ‘if Members attribute is empty’.

What to Do With Empty Groups

After you identify empty groups, the first option is to record the date when a group was first marked as empty. If it remains empty for, e.g., one month, just delete the group.

However, some admins argue that it’s not wise to delete groups (or in fact any security-enabled objects) from Active Directory. You never know when you’ll stumble over SIDs in DACL entries that you won’t be able to resolve if you choose to delete them.

So there’s also a second way to properly treat empty AD security groups. You can convert them to distribution groups and move them to a specific container.
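Both treatments in one two-stage routine, as an added example written with the ActiveDirectory module (not Adaxes code; storing the "first seen empty" date in extensionAttribute1, the 30-day grace period and the holding OU are assumptions):

```powershell
# Added example (not Adaxes code): stage 1 stamps the date a security group is
# first found empty; stage 2, after the grace period, either deletes it or
# converts it to a distribution group (SID stays resolvable in DACLs, but the
# group can no longer grant access) and parks it in $ArchiveOU.
Import-Module ActiveDirectory

function Invoke-EmptyGroupCleanup {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$ArchiveOU,
        [int]$GraceDays = 30,
        [switch]$Delete          # default is the safer convert-and-park path
    )
    $today = (Get-Date).Date
    # Security-enabled groups (groupType bit 0x80000000) with no member values.
    # Built-in/critical groups are skipped: primary groups such as Domain Users
    # carry members via primaryGroupID and look empty although they are not.
    $filter = '(&(groupType:1.2.840.113556.1.4.803:=2147483648)(!(member=*))(!(isCriticalSystemObject=TRUE)))'
    foreach ($g in Get-ADGroup -LDAPFilter $filter -SearchBase $SearchBase -Properties extensionAttribute1) {
        if (-not $g.extensionAttribute1) {
            # Stage 1: remember when the group was first seen empty, then wait.
            Set-ADGroup -Identity $g -Replace @{ extensionAttribute1 = $today.ToString('yyyy-MM-dd') }
            continue
        }
        $firstEmpty = [datetime]::ParseExact($g.extensionAttribute1, 'yyyy-MM-dd', $null)
        if (($today - $firstEmpty).TotalDays -lt $GraceDays) { continue }
        if ($Delete) {
            Remove-ADGroup -Identity $g -Confirm:$false
        } else {
            # Stage 2: neutralise rather than delete.
            Set-ADGroup -Identity $g -GroupCategory Distribution
            Move-ADObject -Identity $g -TargetPath $ArchiveOU
        }
    }
}

# Groups that regained members must not keep an old marker, or they would be
# treated as "empty for a month" the next time they are emptied.
function Clear-EmptyGroupMarker {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADGroup -LDAPFilter '(&(member=*)(extensionAttribute1=*))' -SearchBase $SearchBase |
        Set-ADGroup -Clear extensionAttribute1
}
```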

Organizational Unit Cleanup

Empty OUs are also a thing you might want to take care of. Similarly to the example with groups, you can write the date when the OU was first identified as empty, and if it remains in that state for a certain period of time, you can delete the OU.

However, checking whether an OU has children is a bit trickier than checking the Members attribute of a group. But nothing is impossible when using Adaxes. All actions can be governed not only by the predefined conditions available in the UI, but also by PowerShell scripts.

To check if an OU is empty you simply need to use a script that is available from the Adaxes Script Repository. After that, all actions are pretty much the same as with users, groups or computers.

```powershell
# The scheduled task runs this against the OU it is processing ($Context.TargetObject).
$searcher = $Context.TargetObject
$searcher.SearchFilter = "(objectClass=*)"
$searcher.SearchScope = "ADS_SCOPE_ONELEVEL"   # direct children only
$searcher.SizeLimit = 1                        # one hit is enough to prove the OU is not empty
$searchResult = $null
try
{
    $searchResult = $searcher.ExecuteSearch()
    $objects = $searchResult.FetchAll()
    # $true when the OU contains at least one object, $false when it is empty
    $Context.ConditionIsMet = !($objects.Count -eq 0)
}
finally
{
    # ExecuteSearch may throw before $searchResult is assigned, so guard the Dispose
    if ($searchResult) { $searchResult.Dispose() }
}
```

Other Useful Cleanup Activities

In this article we have discussed the most commonly used cleanup activities that you can perform. But Adaxes doesn’t limit you to just those. For example, you can automatically archive inactive Exchange mailboxes, or, in fact, define any custom conditions and actions using either the built-in building blocks that Adaxes provides or your own scripts.

Apart from performing cleanup activities for you, Adaxes also has capabilities to keep you aware of what is going on in your environment. With its reporting mechanism you can either run reports manually via the Web UI or have your chosen reports delivered to you automatically by email. Whatever suits you most.

Conclusion

Each IT environment should only have the objects that are needed at the moment. Anything that is not needed should either be disabled, removed or properly deprovisioned. Not having inactive users, computers, groups, OUs or other objects indicates a safe and healthy AD.

With Adaxes, keeping your Active Directory clean is a piece of cake. Not only do you get built-in cleanup activities, but you essentially have a toolset to define what counts as an inactive object and the set of actions that should be executed on it. Practically there are no limits to what you can do. No matter how complex your environment is, Adaxes will live up to the challenge.