AD Tidy is a popular, lightweight Active Directory (AD) administration tool developed by Cjwdev that helps IT administrators identify and clean up stale or inactive user and computer accounts. It serves as a visual, user-friendly alternative to writing complex PowerShell scripts for directory maintenance.
A comprehensive breakdown of how the tool works, its core features, and best practices for an “ultimate guide” approach to Active Directory cleanup follows.

Core Features of AD Tidy
Multi-DC Logon Calculation: It queries multiple Domain Controllers (DCs) to find the true lastLogon or lastLogonTimeStamp value, so you do not accidentally delete an account whose most recent logon was recorded on a different DC.
Inactive Filtering: You can easily filter for accounts that have not logged into the domain for a specific number of days (e.g., 90+ days).
Computer Account Verification: The tool uses integrated Ping tests and DNS record timestamp checks to see whether a computer object is still active on the network.
Bulk Remediation Actions: Instead of just reporting, AD Tidy can directly disable accounts, move them to a designated “Archive” Organizational Unit (OU), strip them of group memberships, or set random passwords.
Flexible Reporting: Reports can be scoped to specific OUs or run domain-wide, and results can be exported to CSV or Excel XLSX files for documentation.

The Ultimate Active Directory Cleanup Strategy
Using a tool like AD Tidy is most effective when paired with a structured, safe cleanup workflow. Experts recommend a phased “Tidy Up” pipeline to avoid breaking critical services:
[Phase 1: Scan & Identify] ➔ [Phase 2: Disable & Move] ➔ [Phase 3: The Wait Period] ➔ [Phase 4: Permanent Deletion]
Scan and Filter: Use AD Tidy to generate a report of user and computer accounts inactive for more than 90 days.
The “Scream Test” (Disable & Move): Do not delete accounts immediately. Use AD Tidy to disable the targeted accounts and move them to an unlinked “Archive” OU. If a service or user unexpectedly breaks, they will “scream,” and you can easily re-enable the account.
Strip Privileges: For added security during the trial period, use the tool to remove these inactive accounts from all security groups.
Purge: After the accounts have safely sat disabled for an agreed organizational timeframe (typically 30 to 90 days) with no issues, they can be permanently deleted from the domain.
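The phased workflow above, as an added PowerShell example that is not AD Tidy's own code: it resolves the true last logon across every DC (the same multi-DC check the tool performs), reports the inactive accounts, and stages the disable, strip-groups and move steps in -WhatIf mode. The RSAT ActiveDirectory module, the archive OU path, the 90-day threshold and 'Domain Users' as the primary group are assumptions.

```powershell
# Added example, not AD Tidy's own code. Assumes the RSAT ActiveDirectory module and an
# existing archive OU; the OU path and the 90-day threshold are placeholders to adjust.
Import-Module ActiveDirectory

$InactiveDays = 90
$ArchiveOU    = 'OU=Archive,DC=example,DC=local'   # placeholder: set to your archive OU
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# lastLogon is written only on the DC that handled the logon and is never replicated,
# so the true value is the newest one held by any DC in the domain.
$DCs = (Get-ADDomainController -Filter *).HostName

function Get-TrueLastLogon {
    param([string]$SamAccountName)
    $latest = [datetime]::MinValue
    foreach ($dc in $DCs) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon -ErrorAction Stop
            if ($u.lastLogon -gt 0) {   # 0 means this DC never recorded a logon
                $t = [datetime]::FromFileTime($u.lastLogon)
                if ($t -gt $latest) { $latest = $t }
            }
        } catch { Write-Warning "Could not read lastLogon for $SamAccountName from ${dc}: $_" }
    }
    return $latest
}

# Phase 1: pre-filter on the replicated lastLogonTimestamp (accurate only to ~14 days),
# then confirm each candidate against every DC. whenCreated excludes freshly provisioned accounts.
$candidates = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
    Where-Object { $_.whenCreated -lt $Cutoff -and
                   (-not $_.lastLogonTimestamp -or [datetime]::FromFileTime($_.lastLogonTimestamp) -lt $Cutoff) }
$inactive = foreach ($c in $candidates) {
    $last = Get-TrueLastLogon $c.SamAccountName
    if ($last -lt $Cutoff) { [pscustomobject]@{ User = $c; LastLogon = $last } }
}
$inactive | Select-Object @{n='User';e={$_.User.SamAccountName}}, LastLogon | Format-Table

# Phase 2 ("scream test"): disable, strip group memberships (the primary group 'Domain Users'
# cannot be removed), move to the archive OU. Every action runs with -WhatIf; drop it only
# after reviewing the report above.
foreach ($acct in $inactive) {
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd); last logon $($acct.LastLogon)"
    Set-ADUser -Identity $acct.User -Description $note -WhatIf
    Disable-ADAccount -Identity $acct.User -WhatIf
    Get-ADPrincipalGroupMembership -Identity $acct.User | Where-Object Name -ne 'Domain Users' |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $acct.User -Confirm:$false -WhatIf }
    Move-ADObject -Identity $acct.User -TargetPath $ArchiveOU -WhatIf
}
```

The description stamp records when and why the account was disabled, which is what makes the later purge step auditable once the wait period has passed.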