Active Directory Cleanup

STEALTHbits Active Directory Cleanup Tool will help you reduce risk, ensure compliance and increase IT efficiency by eliminating stale objects, mitigating insecure conditions and ensuring attributes are populated.


STEALTHbits’ Active Directory Clean-up Solution

Cleaning up Active Directory is more than just finding and removing stale objects. For AD to be truly clean, it also needs to be free of toxic conditions like token bloat and circularly nested groups, rich with accurate object attribute details, and configured properly from top to bottom.

Explore STEALTHbits’ reports and capabilities to see how easy it can be to finally bring Active Directory under control while improving security, addressing compliance needs and making IT more efficient.


Clean up Stale and Unneeded Active Directory User Objects


Find Stale User Accounts

Stale user accounts not only get in the way of management and reporting, they also represent an attack surface that can be used against you. STEALTHbits Active Directory Cleanup Tool not only finds and reports on stale users, it also provides a customizable workflow that lets you automatically move them to a staging OU, understand the impact of removing them and bulk delete them when you are ready.

Identify Duplicate User Accounts

Users can end up with multiple accounts after changing roles, hold accounts in multiple domains, or have a second account for performing tasks with elevated privilege. STEALTHbits Active Directory Cleanup Tool finds these accounts so you can clean them up where necessary and eliminate complexity and confusion in Active Directory reports.

Find Orphaned User Accounts

Finding and remediating stale user accounts will often also turn up accounts that have stale managers. With the Active Directory Cleanup Tool, identifying and remediating accounts that need to have their manager updated can be easily accomplished.

Incomplete User Account Attributes

Blank attributes or accounts with an incomplete set of attributes can cause problems with applications or mean that information required for account management is not available. Active Directory Cleanup includes not only deleting unnecessary objects, but also making sure the objects that remain are properly populated with the required attributes and the information in them.

Users Leveraging Historical SIDs

Historical SIDs resulting from years of organizing and reorganizing domains can lead to token bloat and broken access control. STEALTHbits Active Directory Cleanup Tool helps identify and clean up Historical SIDs to improve performance and help ensure users have access to resources they need and are entitled to.

Large User Token Sizes

If tokens become too large, users can receive error messages during login and applications using Kerberos authentication can fail. STEALTHbits Active Directory Cleanup Tool can estimate token size to find users and principals whose tokens are approaching their limit, so you can reduce group size and clean up SID history to prevent problems before they occur.

Disabled AD Account Listing

Disabled accounts, like stale accounts, create unnecessary complexity, show up in reports and audits and add to vulnerability. Reporting on these accounts so they are understood, removed where not needed and enabled where they are helps ensure the health of Active Directory.

Users with Expired Passwords

Password maintenance is a significant problem in many environments. If passwords are expired but remain unchanged, this adds risk and could indicate an account that is not used frequently and requires further investigation. Any Active Directory Cleanup project should find these accounts and determine if they are needed.

Inactive Users in AD

Inactive users add complexity to management and reporting, and increase security risk. STEALTHbits Active Directory Cleanup Tool not only finds and reports on inactive users, it also provides a customizable workflow that lets you automatically move them to a staging OU, understand the impact of removing them and automatically bulk delete them when you are ready.

Clean up Stale and Unneeded Active Directory Group Objects


Find Empty AD Groups

Empty AD groups should be found and removed, as an empty group serves no purpose. STEALTHbits Active Directory Cleanup Tool provides a report of empty groups, making the process easy.

Circularly Nested Groups in AD

Circular nesting in a group means its purpose and structure are misunderstood. The Active Directory Cleanup solution includes a report to find these groups so the situation can be remediated.

Stale AD Group Listing

A group is considered stale if it contains stale users. Removing the groups or removing the stale users from the group is an important part of an Active Directory Cleanup project, and this listing makes them simple to find.

Locate Large AD Security Groups

If a large group is used to assign permissions or application access control, it becomes hard to understand if only the right users have access. An Active Directory Cleanup project should evaluate the purpose of these larger groups to see if smaller groups should be used to help enforce a least privilege model.

Nested Groups in AD

Groups within groups make it hard to understand the access granted by these groups. Nesting is also one way an attacker can hide their presence and persist in an environment. The Active Directory Cleanup Tool provides a nested groups report so that any nested group can be reviewed and its effective membership evaluated.

Mail-Enabled Security Groups & Distribution Lists

Any Active Directory Cleanup project will look at distribution lists and mail-enabled groups to determine who needs to get what information. These groups are often bloated by years of additions without any removal of users who no longer need to be in them.

Most Probable Group Owners

To perform an Active Directory Cleanup, consulting a group owner is often required to determine the purpose of a group and the current required members. Where a Group Owner attribute is not set, this report can infer the owner through the attributes of the effective members.

Single User Groups in AD

Like empty AD groups, single-user groups should be found and removed, as they likely serve no purpose. STEALTHbits Active Directory Cleanup Tool provides a report of these groups, making the process easy.

Find Duplicate Groups in AD

Identifying groups with identical membership is another part of Active Directory Cleanup. These groups can result from multiple iterations of projects involving the same people who do not know the groups have already been created. Finding these groups with a single report allows them to be consolidated into one group that serves the same purpose and reduces the risk that one of the groups is compromised.

Find Where AD Groups are Used

An Active Directory Cleanup Tool should make it easy to find out where AD groups are used. With this information you can clean up groups that are not used, while avoiding any unexpected impact from cleaning up a group that is in use.

Resources

StealthAUDIT for Active Directory (Data Sheet)
Active Directory Maintenance and Cleanup (White Paper)
Clean Up Active Directory Once and for All (Webinar)
