Active Directory Cleanup – Detecting and Clean Up Inactive Accounts Regularly

                            Automate cleanup of unwanted user and computer accounts
Inactive user accounts in your Active Directory are just like an open invitation to hackers to violate your IT security policies and break into your secured network. Often, these accounts belong to users who’ve either left the company temporarily or permanently or those who may have moved to a different place where they don’t need access to their older accounts. Whilst some of these AD users & computers in your network domain may also go unnoticed by your system administrators, enterprises don’t pay attention to the security threats associated with dormant user accounts unless they actually suspect a hacker attempting to impersonate employees who haven’t logged on into their computers for a considerable period of time.

Hence, stale user accounts in the Active Directory is one of the biggest concerns for IT firms that are not yet utilizing any Identity Management System and Access Control to identify and regularly clean up inactive Active Directory accounts present in a particular domain. So, first of all, the question is.

How to detect Passive accounts in your Active Directory?

With the growth of your organization and the reduction/expansion of its technology infrastructure, maintaining a healthy Active Directory record is extremely important. In order to suspect potential accounts that are inactive, you can perform the following steps -:

1)Check for those user accounts where the computer account password has not been reset for over a considerable period of time, say for 30 days, 60 days or 90 days.
2)Obtain a list of all machines in a table that have not had a password reset in over 90 days including the Name, Distinguished Name and Password Last Set Date and Time.
3)You can also use the following ‘dsquery’ commands to detect inactive user and computers accounts in your AD.

a)To find out users who haven’t logged in into their accounts from past few weeks, you can run the following dsquery command.

dsquery user –inactive <Numweeks>

Say for example, you want to find out users who have not logged in their accounts from past 9 weeks, and then you can use the command as dsquery user –inactive 9

b)To identify the computers who have been idle from past few weeks, you can run the following dsquery command.

dsquery computer –inactive <Numweeks>

Say for example, you want to find out computers who have not been used and have remained idle from past 9 weeks, and then you can use the command as dsquery computer –inactive 9

Ways to regularly clean up inactive users & computers in your Active Directory

Once inactive accounts are located in your AD, system administrators can disable them to completely mitigate the security risks associated with unused computer accounts.

Thankfully, Windows Server 2003 comes packaged with a command line tool – dsquery and also a Graphical User Interface in the Active Directory users and computers that can be used to locate all the disabled users as well as the idle computers in a domain. Once such accounts are found, one can easily delete these users either manually or by making use of custom scripts.

For unused accounts that haven’t been disabled in the Active Directory, the AD users and computers contains a Saved Queries Interface wherein you can look for accounts that haven’t been active for a fixed number of days – a number that may already be defined in your IT security policy and then either notify the errant users to see if they’re still active or simply delete them.


Identifying and managing inactive accounts in AD is an extremely cumbersome task especially if you’re going to clean up your active directory manually. However, if you seek help from automated software solutions that ensure effective Active Directory Clean Up via scheduling required tasks for regular cleaning of your Active Directory, you can save a lot of resources, time & effort while also protecting yourself from potential security threats.

Author Bio :
Sam Vit is associated with Shoviv exchange server recovery manager which helps to recover mailbox items from backup and restore them into live server or healthy PST files.
Beside this, it also helps to perform migration tasks from Exchange to exchange and Office 365.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.