Identify Unused Active Directory User Accounts With AD Tidy
Over time, Active Directory (AD) can accumulate many unused user and computer accounts. This creates unnecessary clutter in the existing OUs (Organizational Units) and in AD itself. These vacant accounts can also become a security loophole if they are not kept disabled, as a redundant account (such as an old employee’s account) can be activated to extract company data. Even disabled user accounts in Active Directory can create problems in sorting and managing OUs.
AD Tidy is a handy application for identifying redundant user accounts. You can search Active Directory domain users to find unwanted accounts and perform the required tasks, such as disabling, removing, and moving user accounts.
To identify unwanted accounts, click Edit Search Settings and choose your criteria. You can search user/computer accounts, exclude/include disabled accounts, search for accounts by login date, include accounts that have never logged in, restrict the search to a specified container, etc.
Once you have configured the settings, click Search. AD accounts will appear in the search results with relevant information, which will help you identify unwanted accounts. The screenshot below displays a search result for disabled accounts. All disabled accounts are marked as “Yes” in the Disabled accounts field.
Once an account has been identified, you can use the drop-down menu to select an action and then click the Perform Action or Perform Multiple Actions option to execute the relevant task(s). These tasks include deleting the user, moving the user, setting a description for the user, setting an account expiration date and deleting its home drive.
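The same search criteria can be expressed as a report-only PowerShell filter, which is useful for a second opinion before acting on any account. This is an added example, not part of AD Tidy or of the original article; the function name `Find-StaleAccount`, its parameters, the 90-day default and the sample accounts are assumptions made for illustration.

```powershell
# Added example, report-only: nothing here disables, moves or deletes an account.
# Function name, parameters and sample accounts are constructed for illustration.
function Find-StaleAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Account,
        [int]    $InactiveDays = 90,     # search by login date
        [switch] $IncludeNeverLoggedOn,  # include accounts that have never logged in
        [switch] $IncludeDisabled,       # include (rather than exclude) disabled accounts
        [string] $Container              # restrict the search to one container (DN)
    )
    begin { $cutoff = (Get-Date).AddDays(-$InactiveDays) }
    process {
        if (-not $IncludeDisabled -and -not $Account.Enabled) { return }
        $dn = [string]$Account.DistinguishedName
        if ($Container -and -not $dn.EndsWith(",$Container", [StringComparison]::OrdinalIgnoreCase)) { return }

        $never = $null -eq $Account.LastLogonDate
        if ($never -and -not $IncludeNeverLoggedOn) { return }
        if (-not $never -and $Account.LastLogonDate -ge $cutoff) { return }

        [pscustomobject]@{
            SamAccountName    = $Account.SamAccountName
            Disabled          = if ($Account.Enabled) { 'No' } else { 'Yes' }
            LastLogon         = if ($never) { 'Never' } else { $Account.LastLogonDate.ToString('yyyy-MM-dd') }
            DistinguishedName = $dn
        }
    }
}

# Constructed sample accounts (not real data) so the filter can be tried offline.
$now  = Get-Date
$base = 'DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'active.user';  Enabled = $true;  LastLogonDate = $now.AddDays(-3);   DistinguishedName = "CN=active.user,OU=Staff,$base" }
    [pscustomobject]@{ SamAccountName = 'old.leaver';   Enabled = $true;  LastLogonDate = $now.AddDays(-400); DistinguishedName = "CN=old.leaver,OU=Staff,$base" }
    [pscustomobject]@{ SamAccountName = 'never.used';   Enabled = $true;  LastLogonDate = $null;              DistinguishedName = "CN=never.used,OU=Staff,$base" }
    [pscustomobject]@{ SamAccountName = 'disabled.old'; Enabled = $false; LastLogonDate = $now.AddDays(-200); DistinguishedName = "CN=disabled.old,OU=Staff,$base" }
    [pscustomobject]@{ SamAccountName = 'svc.backup';   Enabled = $true;  LastLogonDate = $now.AddDays(-500); DistinguishedName = "CN=svc.backup,OU=Service,$base" }
)
$sample | Find-StaleAccount -InactiveDays 90 -IncludeNeverLoggedOn -IncludeDisabled -Container "OU=Staff,$base" |
    Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module from RSAT):
# Get-ADUser -Filter * -SearchBase "OU=Staff,$base" -Properties LastLogonDate |
#     Find-StaleAccount -InactiveDays 90 -IncludeNeverLoggedOn
```

`LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which by default can lag the real last logon by up to about 14 days, so keep the inactivity threshold well above that. Service accounts and accounts created only recently often show up as "never logged in" and should be reviewed before any action is taken.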
It works on Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008.