Welcome back to ATA’s Learn with Me series on the Specops’ line of Active Directory products! If you missed the previous posts, be sure to catch up here.
Active Directory (AD) is one of those services that seemingly every organization has but has somehow forgotten to maintain. The larger the organization, the bigger the mess. It’s time to perform an Active Directory cleanup.
As an organization goes about onboarding new users, adding more machines to a domain, creating service accounts, and removing accounts with no strategy, some accounts ultimately go unused. These accounts then go “stale.”
Stale accounts can lead to:
- An unnecessarily large footprint to secure
- Increased chances of human error (picking the wrong account or computer)
- Increasing time to find “current” accounts
- Wasted time creating PowerShell scripts to maintain all of those outdated accounts.
Coming from firsthand experience, I’ve created dozens of PowerShell scripts to monitor and clean up unused computer and user accounts. I know well the problems with keeping thousands of stale accounts in AD.
Rather than create your own PowerShell scripts to clean up stale accounts, you can download and install Specops’ Active Directory Janitor software to do it for you. In this second installment of Specops’ Learn with Me series, you’re going to learn how you can keep your AD environment clean with their Active Directory (AD) Janitor product!
This article will focus on using the free community edition for AD Janitor.
Active Directory Janitor: First Impressions
Once you’ve contacted Specops, obtained the download link and license for AD Janitor, the installation is straightforward. Click, next, next, next, and you’re done!
When you attempt to download AD Monitor, you’ll find that, unfortunately, there’s no direct download link. You must first contact Specops to a license.
Let’s say that you’ve got AD Janitor installed on your Windows Server and you’re ready to start an Active Directory cleanup. Now what? It’s time to see what AD Janitor can do!
When opening AD Janitor, you’ll see a simplistic interface to start scanning AD for stale computer and user accounts.
First impressions? AD Janitor looks like a simple tool that does one thing, which is actually a little refreshing. I don’t see any complicated menus or a tool that tries to do more than what it’s supposed to. So far, I’m still interested. Let’s see how it actually works, though!
Active Directory Cleanup: Computer and User Accounts
To help you clean up both AD computer and user accounts, AD Janitor follows the same general workflow for both:
- Select the accounts to scan.
- Scan the accounts for various configurable Active Directory user and computer attributes.
- Display a tabular view of all accounts.
- Provide a method to selectively enable, disable, delete or move the scanned accounts.
Let’s step through the workflow now and see how it works.
Selecting Target Accounts
You can click on either Scan computers or Scan users from the Welcome screen, which brings you to the account selection screen. Here is where you must tell AD Janitor which accounts to scan. AD Janitor provides a few different ways to pick accounts, as shown below.
For this demo, I’m going to select Pick accounts for Active Directory so I can browse for them, select the entire domain and click Add to add them to the Selected Accounts list.
Selecting Target Properties
Since “stale” can mean different things to different people while performing an Active Directory cleanup, AD Janitor supports various checks to perform on each computer to give you a clear picture of if a computer account is active or not.
By clicking on Select properties, I then have a window to define what properties are collected for each account.
The ability to add non-AD attributes like Ping is a great addition for scanning computer accounts. Providing checks outside of AD is a great way to provide better insight into stale computer accounts.
Notice below that AD Janitor pulls a lot of useful Active Directory user attributes (and computer attributes). Some of these are a pain to get with a PowerShell script!
I’ll leave the default and click on Start scanning to see what happens.
By default, AD Janitor performs 50 scans at a time. If you have hundreds of thousands of AD accounts, you can increase the max simultaneous scans up to 500 but just make sure your machine can handle that many at once!
When the scan completes, AD Janitor provides you with a scan summary indicating the number of domain controllers (DCs) used in the scan and the number of accounts scanned.
AD Janitor, by default, contacts all DC and uses the most recent value for all attributes. No more messing around with the
lastLogon
andlastLogonTimestamp
attributes!
I’m then dropped into a table view, where I’m provided with many stats associated with each account. Having all of this information in one spot is awesome and makes it easy to sift through this information.
If there are one or more accounts that I’m defining as “stale,” I can select them, click on Actions and disable, enable, delete or move them to another OU. Below you’ll see a screenshot for computer accounts, but AD Janitor treats user accounts similarly.
I like the Security risk column shown below in the scan results for Active Directory user attributes. You’ll see that accounts like the domain administrator account have high privileges in the domain, so AD Janitor defined that account as a higher risk.
To sift through many accounts, you can click on Export selected to export to a CSV or sort each column by clicking on the header. But, it’d be nice to have some filtering ability on this screen to narrow down computer accounts matching specific criteria when performing an Active Directory cleanup.
Logging
If you have many AD accounts in your environment, AD Janitor’s probably going to be performing a lot of tasks. Chances are, the tool will do its job and clean up AD as you see fit, but there’s always going to be those times when you need to dig into the logs when performing an Active Directory cleanup.
If you navigate to the Settings screen, you’ll see an option to Turn on logging. Once you’ve enabled logging, AD Janitor will log all activity to a text file saved in C:\Users\<username>\AppData\local\Specopssoft\ActiveDirectoryJanitor.log.
Once enabled, the log file will start to fill up as expected. You’ll see below what a log file might look like. It looks like AD Janitor is using a logging schema I’m not familiar with. If no native parser exists for this logging format, you’ll probably have to create a PowerShell script to parse the log to extract useful information.
In any case, I’m glad the log file is there! After reviewing the log on my lab machine, I couldn’t find any information I wish I would have had. It looks like it’s capturing all of the relevant, necessary transaction data.
Conclusion
After installing and using AD Janitor in my lab environment and putting it through its paces, I found this tool to do exactly as it should when performing an Active Directory cleanup. AD Janitor is a small utility that serves a useful purpose. Its primary strength is collecting data about AD accounts to make the final decision to do something with the stale accounts. It makes a great Active Directory cleanup tool.
I’ve been writing PowerShell scripts to manage unused AD accounts for a long time that I wouldn’t have had to if I would have known AD Janitor back then. This tool seems to bring together all of the data and logic in AD to provide you with better insights into all of those unused computer and user accounts.
Now that you’ve hopefully cleaned up your AD environment with AD Janitor stay tuned for the next installment in this Learn with Me series! We’ll audit AD with Specops’s Password Auditor to ensure those remaining accounts have secure passwords!