Introducing StealthAUDIT 11.5! Complete your cloud security puzzle. LEARN MORE

ACTIVE DIRECTORY CLEANUP

Stealthbits Active Directory Cleanup Tool will help you reduce risk, ensure compliance and increase IT efficiency by eliminating stale objects, mitigating insecure conditions and ensuring attributes are populated.

    Request A Free Trial


    Stealthbits’ ACTIVE DIRECTORY CLEAN-UP SOLUTION

    Cleaning up Active Directory is more than just finding and removing stale objects. For AD to be truly clean, it also needs to be free of toxic conditions like token bloat and circularly nested groups, rich with accurate object attribute details and configured properly from top to bottom.

    Explore Stealthbits’ reports and capabilities to see how easy it can be to finally bring Active Directory under control while improving security, addressing compliance needs and making IT more efficient.

    USERS

    GROUPS

    COMPUTERS

    GPOS

    DOMAINS

    CLEAN UP STALE AND UNNEEDED ACTIVE DIRECTORY USER OBJECTS


    FIND STALE USER ACCOUNTS

    FIND STALE USER ACCOUNTS

    Stale user accounts not only get in the way of management and reporting, but they also represent an attack surface that can be used against you. Stealthbits Active Directory Cleanup Tool allows you not only to find and report on stale users, but it also provides a customizable workflow which allows you to automatically move them to a staging OU, understand the impact of removing them, and bulk delete them when you are ready.
    IDENTIFY DUPLICATE USER ACCOUNTS

    IDENTIFY DUPLICATE USER ACCOUNTS

    Users can end up with multiple accounts after changing roles, in multiple domains or have a second account to use for performing tasks with elevate privilege. Stealthbits Active Directory Cleanup Tool finds these accounts are so you can clean them up where necessary and eliminate complexity and confusion in Active Directory reports.
    FIND ORPHANED USER ACCOUNTS

    FIND ORPHANED USER ACCOUNTS

    Finding and remediating stale user accounts will often result in identifying accounts also that have stale managers. With the Active Directory Cleanup Tool identifying and remediating accounts that need to have their manager updated can be easily accomplished.
    INCOMPLETE USER ACCOUNT ATTRIBUTES

    INCOMPLETE USER ACCOUNT ATTRIBUTES

    Blank attributes or accounts with an incomplete set of attributes can cause problems with applications or mean information required for account management is not available. Active Directory Cleanup includes not only deleting unnecessary objects but also making sure the objects that are there are properly populated with required attributes and the information in them.
    USERS LEVERAGING HISTORICAL SIDS

    USERS LEVERAGING HISTORICAL SIDS

    Historical SIDs resulting from years of organizing and reorganizing domains can lead to token bloat and broken access control. Stealthbits Active Directory Cleanup Tool helps identify and clean up Historical SIDs to improve performance and help ensure users have access to resources they need and are entitled to.
    LARGE USER TOKEN SIZES

    LARGE USER TOKEN SIZES

    If tokens become too large, users can receive error messages during login, and applications using Kerberos authentication can fail. Stealthbits Active Directory Cleanup Tool can estimate the token size to find users and principals whose tokens are approaching their limit so you can reduce group size and cleanup SID history to prevent problems before they occur.
    DISABLED AD ACCOUNT LISTING

    DISABLED AD ACCOUNT LISTING

    Disabled accounts, like stale accounts, create unnecessary complexity, show up in reports and audits and add to vulnerability. Reporting on these accounts so they are understood, removed where not need and enabled where they help ensure the health of Active Directory.
    USERS WITH EXPIRED PASSWORDS

    USERS WITH EXPIRED PASSWORDS

    Password maintenance is a significant problem in many environments. If passwords are expired but remain unchanged, this adds risk and could indicate an account that is not used frequently and requires further investigation. Any Active Directory Cleanup project should find these accounts and determine if they are needed.
    INACTIVE USERS IN AD

    INACTIVE USERS IN AD

    Inactive users add complexity to management and reporting and increase security risk. Stealthbits Active Directory Cleanup Tool allows you not only to find and report on inactive users, but it also provides a customizable workflow which allows you to automatically move them to a staging OU, understands the impact of removing them and automatically bulk delete them when you are ready.

    CLEAN UP STALE AND UNNEEDED ACTIVE DIRECTORY GROUP OBJECTS


    FIND EMPTY AD GROUPS

    FIND EMPTY AD GROUPS

    Empty AD groups should be found and removed as an empty group serves no purpose. Stealthbits Active Directory Cleanup Tool provides a report of empty groups making the process easy.
    CIRCULARLY NESTED GROUPS IN AD

    CIRCULARLY NESTED GROUPS IN AD

    Circular nesting in a group means it’s purpose and structure is misunderstood. The Active Directory Cleanup solution includes a report to find these groups so the situation can be remediated.
    STALE AD GROUP LISTING

    STALE AD GROUP LISTING

    A group is considered stale if contains stale users. Removing the groups or removing the stale users from the group is an important part of an Active Directory Cleanup project and this listing makes them simple to find.
    LOCATE LARGE AD SECURITY GROUPS

    LOCATE LARGE AD SECURITY GROUPS

    If a large group is used to assign permissions or application access control, it becomes hard to understand if only the right users have access. An Active Directory Cleanup project should evaluate the purpose of these larger groups to see if smaller groups should be used to help enforce a least privilege model.
    NESTED GROUPS IN AD

    NESTED GROUPS IN AD

    Groups within groups make it hard to understand the access granted by these groups. Nesting is also one way an attacker can hider their presence and persist in an environment. The Active Directory Cleanup Tool provides a nested groups report so that any nested group can be reviewed and effective membership evaluate.
    MAIL-ENABLED SECURITY GROUPS & DISTRIBUTION LISTS

    MAIL-ENABLED SECURITY GROUPS & DISTRIBUTION LISTS

    Any Active Directory Cleanup project will look at distribution lists and mail enabled groups to determine who needs to get what information. These groups are often bloated by years of additions without any removal of users who no longer need to be in them.
    MOST PROBABLE GROUP OWNERS

    MOST PROBABLE GROUP OWNERS

    To perform an Active Directory Cleanup, consulting a group owner is often required to determine the purpose of a group and the current required members. Where a Group Owner attribute is not set, this report can infer the owner through the attributes of the effective members.
    SINGLE USER GROUPS IN AD

    SINGLE USER GROUPS IN AD

    Like empty AD groups, the single user should be found and removed as they likely serve no purpose. Stealthbits Active Directory Cleanup Tool provides a report of these groups making the process easy.
    FIND DUPLICATE GROUPS IN AD

    FIND DUPLICATE GROUPS IN AD

    Identifying groups with identical membership is another part of Active Directory Cleanup. These groups can result from multiple iterations of projects involving the same people not knowing the groups are already created. Finding these groups with a single report allows them to be consolidated into one group that serves the same purpose and reduce the risk that one of the groups is compromised.
    FIND WHERE AD GROUPS ARE USED

    FIND WHERE AD GROUPS ARE USED

    An Active Directory Cleanup Tool should make it easy to found out where AD Groups are used. With this information, you can cleanup groups that are not used, while avoiding any unexpected impact from cleaning up a group that is in use.

    LEARN ABOUT StealthAUDIT FOR ACTIVE DIRECTORY

    © 2022 Stealthbits Technologies, Inc.