A system administrator managing Active Directory knows very well that he/she will not be able to keep the AD environment clean of obsolete user and computer accounts. Maintaining the computer accounts in particular is a tedious task. In these cases, Active Directory Janitor would be useful.
The demo version provides limited information. To view all features, one needs the registered version. This version has the ability to scan AD user accounts, which is a considerable improvement over previous versions, where we could only scan computer accounts.
The program offers two options for scanning: Computers and Users.
For scanning computers:
In the settings there is an option called “Number of concurrent scanning threads”, which indicates how many threads can run simultaneously during the scan. The more Domain Controllers there are, the more threads are required to achieve optimal performance.
To find machines which have faulty network connections, one can choose "Connect to computers that appear offline".
The scan information can be logged if required. With logging enabled, the system may become very slow or stop responding for a while.
This tool can be used for finding out the service pack details for all the computers.
For scanning Users:
Users are chosen the same way as computers. However, the scan properties offer different options. These include account status, password expiration / renewal, the number of logons, description, the profile path to the e-mail, the DC against which the account has authenticated, the number of wrong passwords, the time of the last wrong password attempt, and the last logon information.
If you are managing the AD across geographical locations, you can give administrators permission to scan their specific OUs. The result can be exported to a CSV or text file for reference.
Initially, doing an entire domain scan would make sense, because the objects (Computers or Users) may be located in many organizational units or perhaps even in totally incorrect OUs not intended for them.
In Active Directory, the administrator cannot see when the password expires, but the user gets a popup message that the password will expire in a given number of days based on their domain password policy.
Using this tool, we can find obsolete user and computer accounts. We can also find the missing DNS entries of servers, if any.
The installation uses the SpecopsSoft folder by default. The size of the .exe file is 384KB. During installation or while querying computers or accounts, not much memory is used on the client. LSASS usage varies from 1-3% on the client, but on the DCs it varies from 15% to 40%, depending on the number of DCs. So, it is advisable to do this activity during the weekends, when there is less load on the DCs.
- You can find the missing DNS entries of the computers/servers
- You can find out which accounts have expired or are about to expire
- You can find out which users' passwords are about to expire and proactively inform them by e-mail
- Real Last Logon is not available
- It just shows the risks on the user accounts, but no further information is available as to how and why they are rated
- You have to select each and every computer or user if you want to export all the details
- An account cannot be retrieved once deleted
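
The "Real Last Logon" limitation listed above matters because Active Directory does not replicate the lastLogon attribute between domain controllers, so an accurate value means asking every DC and keeping the newest answer. The following is an added example, not part of the reviewed product or the original article; the OU, the 90-day threshold and the output file name are placeholders.

```powershell
# Added example (not from the reviewed product). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$StaleDays  = 90                             # assumed threshold, adjust to policy
$cutoff     = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

$latest  = @{}    # DistinguishedName -> newest lastLogon seen on any DC
$skipped = @()    # DCs that could not be queried

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $users = Get-ADUser -Filter * -SearchBase $SearchBase -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        $skipped += $dc.HostName
        continue
    }
    foreach ($u in $users) {
        $stamp = [int64]$u.lastLogon          # FILETIME; an unset attribute casts to 0
        $dn    = $u.DistinguishedName
        if (-not $latest.ContainsKey($dn) -or $stamp -gt $latest[$dn].Stamp) {
            $latest[$dn] = [pscustomobject]@{
                Sam = $u.SamAccountName; Enabled = $u.Enabled
                Stamp = $stamp; DC = $dc.HostName
            }
        }
    }
}

$report = foreach ($e in $latest.Values) {
    $when = if ($e.Stamp -gt 0) { [DateTime]::FromFileTimeUtc($e.Stamp) } else { $null }
    [pscustomobject]@{
        SamAccountName   = $e.Sam
        Enabled          = $e.Enabled
        RealLastLogonUtc = $when              # empty = never logged on to any queried DC
        LastSeenOnDC     = if ($when) { $e.DC } else { $null }
        Stale            = (-not $when) -or ($when -lt $cutoff)
    }
}

# A skipped DC may hold a newer logon, so treat the report as incomplete in that case.
if ($skipped) { Write-Warning "Incomplete: no data from $($skipped -join ', ')" }
# Report only; nothing is disabled or deleted here.
$report | Where-Object Stale | Sort-Object RealLastLogonUtc |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation
```

Accounts with an empty RealLastLogonUtc include newly created ones, so check their creation date before treating them as obsolete.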