A Clean Active Directory Saves Money and Improves Security

Written by Joe Kozlowicz on Tuesday, November 29th 2016 — Categories: Cloud Hosting, Microsoft

AD cleanupYou know what they say: a clean Active Directory keeps the attackers at bay. Or they should say it, anyway. Active Directory is a piece of Windows Server in charge of authentication and authorization for any “object” connected to the network. That includes users, systems, resources, and services.

As you might imagine, enterprises often manage sprawling Active Directories with thousands or even hundreds of thousands of objects, from laptops to printers. When a user leaves the company, their login may still reside in Active Directory. Groups used to organize different pieces of the directory may now lie empty.

Cleaning up your Active Directory not only improves database and server performance, but can plug holes in your security left from old accounts. A regularly scheduled Active Directory cleanup should be included with maintenance activities and performed at least annually.

Assuming your Active Directory server is hosted in the cloud, decluttering can also save you storage costs, while improving performance also lowers your monthly bills as bandwidth charges and compute resources can both drop.

 

Getting Started with an Active Directory Cleanup

The admin performing the cleanup has to be located on the same domain with Remote Server Administration Tools installed.

The first step should be to obtain a list of employees who have left the organization from human resources. It is a best practice to remove employees as part of their offboarding, but if anyone slipped through the cracks, now is the time to disable and delete their AD entry. It’s wise to disable the account for a set period before deleting, in case there is a ripple effect from deletion or the user happens to return to their organization. Some accounts may be reassigned and renamed for a replacement user as well.

One easy way to find all accounts that are expired, disabled, or unused for 180 days is to use the Search-ADAccount cmdlet, which is part of the PowerShell Active Directory module.

Search-ADAccount -AccountInactive -TimeSpan 180 -UsersOnly

Search-ADAccount -AccountDisabled –UsersOnly

Search-ADAccount -AccountExpired –UsersOnly

Similar commands can also be used to find unlinked Group Policy Objects or empty groups. Once you find them, you can export them to a CSV to make them easier to parse.

To remove the users, use the Remove-AdUser cmdlet.

$unusedAccounts | Remove-AdUser -WhatIf
 

Group Policy Objects are another prime category for cleanup. As your AD sprawls, Group Policy Objects can cause issues due to conflicting hierarchy or by sitting unlinked to other units. These GPOs are taking up valuable AD storage space and degrading performance – get rid of them with the GPOReport cmdlet.

$gpoReport = [xml](Get-GPOReport -All -ReportType XML)

@($gpoReport.GPOs.GPO).where({ -not $_.LinksTo }) | Remove-Gpo -WhatIf
 

To remove empty groups, which are also just AD clutter, you’ll use the Get-AdGroup cmdlet.

@(Get-ADGroup -Filter * -Properties isCriticalSystemObject,Members).where({ (-not $_.isCriticalSystemObject) -and ($_.Members.Count -eq 0) })

@(Get-ADGroup -Filter * -Properties isCriticalSystemObject,Members).where({ (-not $_.isCriticalSystemObject) -and ($_.Members.Count -eq 0) }) | Remove-AdGroup -WhatIf

 

Metadata Cleanup & Defragmentation

When removing a domain controller from AD, you must use dcpromo.exe. This process occasionally leaves remaining metadata – specifically the NTDS Settings object. In addition to Active Directory Sites and Services and Active Directory Users and Computers, you’ll need ntdsutil.exe to remove this object. Launch the .exe and type metadatacleanup, then select operation target, then list domains. Type the domain number that contained the failed server. Now enter list sites, and from this list, select the site number where the failed domain controller was a member. Finally, type list servers, and select the server number that is the failed domain controller. Type quit, then type remove selected server, and agree to delete when you see a deletion warning.

Ntdsutil is also used for general database integrity and defragmentation. In Windows 2008 and later you can stop AD for this maintenance, which should be performed at least annually. Defragmentation reorganizes the database disk to free up space and fix any corrupted segments. Online defrag happens by default every twelve hours, but to actually reclaim total database size, you’ll need to take the AD service offline. This is mostly required only after moving many objects or migrating to a new server.

To defrag offline, create a copy using NTBackup, then use F8 during boot to access Directory Services Restore Mode. Copy the ntds.dit file just in case. Type ntdsutil files and write down the location of the current nds.dit file. Next enter compact to c:\compact, then quit. Replace the current ntds.dit file with the newly compacted ntds.dit file created in c:\compact. The system will prompt you to delete the old log files; do so and then reboot the server.

 

Learn and love DCdiag

We won’t dive into every DCdiag command as there are quite a few to learn, but you’ll want to get familiar with the dcdiag command line tool in order to regularly check your AD health. It is available with Active Directory Domain Services installed or with AD Domain Services Tools as part of Remote Server Administration Tools.

DCdiag helps locate errors within domain controllers and other configuration problems. The report can be overwhelming, so read up a bit on how to use it and the available commands.

 

Third party monitoring and cleanup tools for AD are abundant and useful, especially in large scale environments in which it can be hard to find a single domain controller or database that might be causing issues. Using a third party tool can help automate some of the cleanup process and get you on a regular AD maintenance schedule, but included Microsoft utilities like those above are a great way to get started maintaining your AD performance.

Chat Now