Cleaning up Active Directory is more than just finding and removing stale objects. For AD to be truly clean, it also needs to be free of toxic conditions like token bloat and circularly nested groups, rich with accurate object attribute details, and configured properly from top to bottom.
Explore Stealthbits’ reports and capabilities to see how easy it can be to finally bring Active Directory under control while improving security, addressing compliance needs and making IT more efficient.
Stale user accounts not only get in the way of management and reporting, they represent an attack surface that can be used against you. Stealthbits Active Directory Cleanup Tool not only lets you find and report on stale users, it also provides a customizable workflow that lets you automatically move them to a staging OU, understand the impact of removing them, and bulk delete them when you are ready.
Users can end up with multiple accounts after changing roles, hold accounts in multiple domains, or have a second account for performing tasks with elevated privilege. Stealthbits Active Directory Cleanup Tool finds these accounts so you can clean them up where necessary and eliminate complexity and confusion in Active Directory reports.
Finding and remediating stale user accounts will often result in also identifying accounts that have stale managers. With the Active Directory Cleanup Tool, identifying and remediating accounts that need to have their manager updated can be easily accomplished.
Blank attributes or accounts with an incomplete set of attributes can cause problems with applications or mean information required for account management is not available. Active Directory Cleanup includes not only deleting unnecessary objects, but also making sure the objects that are there are properly populated with required attributes and the information in them.
Historical SIDs resulting from years of organizing and reorganizing domains can lead to token bloat and broken access control. Stealthbits Active Directory Cleanup Tool helps identify and clean up Historical SIDs to improve performance and help ensure users have access to resources they need and are entitled to.
If tokens become too large, users can receive error messages during login and applications using Kerberos authentication can fail. Stealthbits Active Directory Cleanup Tool can estimate token size to find users and principals whose tokens are approaching their limit so you can reduce group size and clean up SID history to prevent problems before they occur.
Disabled accounts, like stale accounts, create unnecessary complexity, show up in reports and audits and add to vulnerability. Reporting on these accounts so they are understood, removed where not needed and enabled where they are helps ensure the health of Active Directory.
Password maintenance is a significant problem in many environments. If passwords are expired but remain unchanged, this adds risk and could indicate an account that is not used frequently and requires further investigation. Any Active Directory Cleanup project should find these accounts and determine if they are needed.
Inactive users add complexity to management and reporting, and increase security risk. Stealthbits Active Directory Cleanup Tool not only lets you find and report on inactive users, it also provides a customizable workflow that lets you automatically move them to a staging OU, understand the impact of removing them, and automatically bulk delete them when you are ready.
Empty AD groups should be found and removed as an empty group serves no purpose. Stealthbits Active Directory Cleanup Tool provides a report of empty groups making the process easy.
Circular nesting in a group means its purpose and structure are misunderstood. The Active Directory Cleanup solution includes a report to find these groups so the situation can be remediated.
A group is considered stale if it contains stale users. Removing the groups or removing the stale users from the group is an important part of an Active Directory Cleanup project and this listing makes them simple to find.
If a large group is used to assign permissions or application access control, it becomes hard to understand if only the right users have access. An Active Directory Cleanup project should evaluate the purpose of these larger groups to see if smaller groups should be used to help enforce a least privilege model.
Groups within groups make it hard to understand the access granted by these groups. Nesting is also one way an attacker can hide their presence and persist in an environment. The Active Directory Cleanup Tool provides a nested groups report so that any nested group can be reviewed and effective membership evaluated.
Any Active Directory Cleanup project will look at distribution lists and mail enabled groups to determine who needs to get what information. These groups are often bloated by years of additions without any removal of users who no longer need to be in them.
To perform an Active Directory Cleanup, consulting a group owner is often required to determine the purpose of a group and the current required members. Where a Group Owner attribute is not set, this report can infer the owner through the attributes of the effective members.
Like empty AD groups, single-user groups should be found and removed as they likely serve no purpose. Stealthbits Active Directory Cleanup Tool provides a report of these groups, making the process easy.
Identifying groups with identical membership is another part of Active Directory Cleanup. These groups can result from multiple iterations of projects involving the same people not knowing the groups are already created. Finding these groups with a single report allows them to be consolidated into one group that serves the same purpose and reduces the risk that one of the groups is compromised.
An Active Directory Cleanup Tool should make it easy to find out where AD groups are used. With this information you can clean up groups that are not used, while avoiding any unexpected impact from cleaning up a group that is in use.