Recently I posted a couple of screenshots of the new version of AD Tidy that I’m currently working on, and in this post I’m going to explain more about the new features and capabilities of this new version.
First of all I should explain that some of these features are still relatively early in the development process so are subject to change (if I hit some technical issue that prevents a certain feature working the way I want it to etc) but in reality I’m confident that all of the features mentioned in this post will end up in the final version.
EDIT: Version 2.0 has now been released, more info here: https://blog.cjwdev.co.uk/2013/03/29/ad-tidy-2-0-released
Just for anyone that has never used the first version of AD Tidy – it is a free tool for identifying and cleaning up unused user and computer accounts in Active Directory. It provides an accurate “last logon” date for each account and lets you select the accounts that have not logged on for X number of days and perform bulk operations on them such as disabling them, moving them to other OUs, removing them from all groups, etc etc. So that’s what the first version did, and obviously version 2.0 still has the same core functionality and purpose but has been completely re-written from the ground up to provide several enhancements and new features, a completely new user interface, a server based service that allows for automated rules to be created, and much more. I’ve broken down the features and improvements into a few different areas below.
As you can see from the early screenshots of the new version, compared to the old UI this is a much more modern looking application. With a ribbon menu, pie charts showing various statistics about your report results, smooth animations, and more, the new UI is much nicer to use and makes better use of the space available on screen.
“Manual report” is the term used in version 2.0 for what you could do in the first version of AD Tidy, i.e. manually configure settings and then run a report that finds accounts that matched your criteria, then optionally select accounts from those results and perform various actions on them. The reason for the new term for the standard reports is because version 2.0 introduces automated rules, which are explained below. The setup of a manual report is similar to the first version of AD Tidy: you can select a domain, select an OU, choose additional settings to narrow down your results, and then run the report. However now you can use much more advanced filters (explained below) and can select additional options such as whether you want the tool to use the “lastLogon” attribute to determine each account’s last logon date (which is the most accurate but requires connecting to every DC in your domain as it is not replicated) or if you want to use the “lastLogonTimeStamp” attribute (which is less accurate but much faster as it only requires querying a single DC).
Going on the last logon date alone for computers can be risky though, as there are some scenarios where computers might not update their lastLogon or lastLogonTimeStamp attribute. Although AD Tidy does also check the last time the computer successfully communicated with AD to change its secure communications channel password, you also have the option to ping each computer account name to see if it is active on the network at the time you run the report and now in version 2.0 you can also query DNS (as long as you are using AD integrated DNS zones). The DNS check means that AD Tidy will check to see if a record exists in your DNS zone for each computer and if it does then it will report on the last time the DNS record was updated (aka the DNS record timestamp). Assuming you have DHCP set to update DNS records for client PCs then this can be a handy indication of whether or not a computer is still active when combined with the last logon date and ping results.
Of course once you have configured all of your manual report settings you can export them to be loaded back in at a later date to save having to set them up again if you often perform the same report. As well as being able to export the settings, you will also be able to export the results of a manual report to additional formats such as native Excel file.
Actions & Action Sequences
Compared to other similar tools, the first version of AD Tidy provided a lot more actions that you could perform on any accounts found by your report. You could disable accounts, delete them, move them, update their description using variables such as their last logon date, remove them from groups, add them to groups, delete their home drive, set their expiry date, or export them to CSV file. The new version adds even more actions to this list, with new actions such as the ability to set a random password, remove/clear any attribute, and the option to launch an external script and pass in variables such as account name, username, SID, etc. This essentially enables you to build your own custom actions to cater for anything out of the ordinary that is not already built in to AD Tidy. As well as the ability to clear any attribute’s value I’m also hoping to include the ability to set any attribute value (as long as it is plain text) but depending on time constraints this might end up coming in a future update.
The “perform multiple actions” option from the first version has now been improved and renamed to “Action Sequences”. You will now be able to create, edit, and save action sequences so that you can re-use them. So if for example you often need to disable accounts and move them to a specific OU and remove them from all groups, you could create an action sequence for this and then in future you can perform all of those actions on any selected accounts in just a couple of clicks (as any action sequences you’ve created will be accessible directly from a drop down menu on the Actions ribbon tab).
When performing any type of action (other than delete) you will also have the option to generate a reversal file, which you can use at a later date to reverse the action you performed in the event of a mistake or an important account being disabled etc. I haven’t started working on this feature yet but I’m hoping to make it so that you can pick individual accounts and individual actions to reverse actions on rather than having to reverse the entire operation on all accounts that were affected.
In the first version of AD Tidy, you could configure your reports to only include accounts that had not logged on for X number of days and could choose to exclude disabled accounts or accounts with a specific name, but that was pretty much it. In version 2.0 you will be able to use much more powerful filters to include/exclude accounts based on various properties such as their name, description, OU, group membership, expiry date, last logon date, DNS record timestamp date, and much more. Multiple filter conditions can be combined with an AND or an OR operator and you can use nested condition groups to create advanced filters. You will be able to save filters so that you can quickly apply them again in the future without needing to configure them again, and these saved filters can also be used in automated rules.
Even with a helpful tool like AD Tidy that does a lot of the work for you, finding and cleaning up old accounts can be pretty tedious and requires someone regularly runs the tool manually. So the Standard Edition of this new version of AD Tidy will include a server based service that automatically periodically checks for accounts that match rules you have configured, and performs specified actions on any accounts that were found by the rule. Allowing you to use advanced filters to narrow down your results to only find exactly the accounts you want to perform actions on was important because in an automated rule you can’t pick and choose which accounts from the results you want to perform actions on like you can when running a manual report.
So for an example automated rule you could setup a filter to find computer accounts that had not logged on for the last 90 days and did not have a DNS record timestamp within the last 90 days as well (and of course you could limit this to a particular OU or only accounts that were members of a certain group or exclude specific account names etc). Then you could specify any accounts that matched those criteria should be automatically disabled, moved to a new OU, and have their description updated to explain why they were disabled. Once the AD Tidy server service has finished performing these actions on each account then it can optionally send an email to you with a list of accounts that were modified and any errors encountered. By default the server will process rules once every 24 hours but this can be changed to a longer interval if that is preferred.
Let me know what you think of the new features or if you have any suggestions, and hopefully I’ll have a BETA version available around the end of February (UPDATE: as always, things take slightly longer than expected – so the BETA is now looking like early/mid March). I’ll post another blog entry as soon as that is ready and will also be providing pricing details and an official release date around the same time.