AD Tidy can be used to identify when user/computer accounts last logged on to the network and can tidy up these accounts in various ways.

Submitted by Chris Wright - Website: Cjwdev

The first version of AD Tidy was released a couple of years ago, and was a small, simple GUI tool designed to help you locate and clean up inactive user and computer accounts in your AD domain. Now it has been completely rewritten from scratch to provide a more modern GUI and a large number of new features. To give some idea of the scale of the changes: the old version was roughly 3000 lines of source code and this new version is over 13000.

AD Tidy

Like most Cjwdev tools, the new version comes in two editions: a free edition and a standard edition. The main difference between the two is that the standard edition includes a server-side service that lets you automate the process of locating and cleaning up inactive accounts (along with a command-line version for you to use in your own scripts or scheduled tasks). The free edition can still be very useful and save a huge amount of time, as it includes powerful filtering capabilities and a large number of actions that can be performed on any accounts that match your filter. You can filter based on account name, description, group membership, expiration date, last logon time, DNS record timestamp, LDAP attribute, and more.

You could just use this as a reporting tool to show you an accurate last logon time for various accounts, as it can calculate last logon time either by using the lastLogonTimeStamp attribute (which is fast as it only requires contacting a single DC, but is only replicated every 14 days) or by using the lastLogon attribute (which is not replicated, so AD Tidy will contact every DC and show you the most recent value).
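The gap between the two methods matters when the result drives a disable or delete action. The following is an added example, not AD Tidy's code or part of the original post: it resolves a last logon time both ways from constructed per-DC attribute values and shows how the single-DC method can flag a live account. The DC names, dates, 90-day threshold and function names are hypothetical; the 14-day lag is the figure quoted above.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point
SYNC_LAG = timedelta(days=14)  # replication interval quoted in the text above

def to_filetime(dt):
    """Helper for building the constructed sample: datetime -> 100-ns ticks."""
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000

def from_filetime(ticks):
    """AD stores both attributes as FILETIME; 0 or missing means 'never'."""
    return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def fast_last_logon(per_dc, dc):
    """Single-DC method: trust the replicated lastLogonTimestamp."""
    return from_filetime(per_dc[dc].get("lastLogonTimestamp"))

def accurate_last_logon(per_dc):
    """Every-DC method: newest value of either attribute on any DC."""
    seen = [from_filetime(attrs.get(name))
            for attrs in per_dc.values()
            for name in ("lastLogon", "lastLogonTimestamp")]
    return max((t for t in seen if t), default=None)

def is_inactive(last_logon, now, max_age, lag=timedelta(0)):
    """Never-logged-on counts as inactive; lag widens the window for the fast method."""
    return last_logon is None or now - last_logon > max_age + lag

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample: one account as seen on three hypothetical DCs.
NOW = utc(2024, 6, 10)
STAMP = to_filetime(utc(2024, 3, 5))  # replicated, so identical everywhere
SAMPLE = {
    "DC1": {"lastLogon": to_filetime(utc(2024, 1, 10)), "lastLogonTimestamp": STAMP},
    "DC2": {"lastLogon": to_filetime(utc(2024, 3, 15)), "lastLogonTimestamp": STAMP},
    "DC3": {"lastLogon": 0, "lastLogonTimestamp": STAMP},  # never authenticated here
}

if __name__ == "__main__":
    limit = timedelta(days=90)
    fast = fast_last_logon(SAMPLE, "DC1")
    print("fast:", fast, "inactive:", is_inactive(fast, NOW, limit))
    print("fast + lag inactive:", is_inactive(fast, NOW, limit, SYNC_LAG))
    full = accurate_last_logon(SAMPLE)
    print("accurate:", full, "inactive:", is_inactive(full, NOW, limit))
```

With a strict 90-day cutoff the single-DC value marks this account inactive even though it authenticated against DC2 87 days ago; adding the lag to the cutoff, or querying every DC, avoids acting on it.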

However, once you have found accounts that match your specified criteria you can also then use AD Tidy to clean up those accounts by performing any of the following actions: Disable, Move, Delete, Delete Home Drive, Add To Group, Remove From Group, Remove From All Groups, Run External Script, Set Expiry Date, Clear LDAP Attribute Value, Set Random Password, Hide From Exchange Address List, Set Description, and more.

Ad Tidy - Actions

You can also combine these actions into an Action Sequence, to make it easier to perform multiple actions at the same time whenever you want. So if your standard procedure for old accounts is to disable them, reset their password, and move them to a specific OU – you can easily build an Action Sequence to do that and then performing it is as simple as selecting the accounts in AD Tidy and right clicking on them and selecting your action sequence.

There are many more features that have been introduced in this new version and hopefully the free edition will continue to help a lot of people out.

  1. Brandon 10 years ago

    Thank you so much for this (and the prior version) – ABSOLUTELY FANTASTIC TOOL!

  2. Chris Wright 10 years ago

    Thanks Brandon, really glad to hear that 🙂

  3. Rory Schmitz 10 years ago


    Downloading now. Do you know if this takes into account users who, for example, only log in to Exchange OWA, or an external-facing SharePoint site? We have some users that aren’t housed locally and never log in to a PC on our domain, but rather their laptop with cached credentials. I guess I’m not certain if LastLogon and LastLogonTimeStamp account for those authentication requests?

  4. Chris Wright 10 years ago

    Hi Rory,

    The LastLogon and LastLogonTimeStamp attributes get updated with different types of logons, but I would imagine at least one of them would get updated during a logon via OWA because OWA still has to authenticate that user against a DC so it is probably classed as a network logon or service logon. From the AD team regarding LastLogonTimeStamp:

    “Interactive, Network, and Service logons will update the lastLogontimeStamp. So if a user logs on interactively, browses a network share, access the email server, runs an LDAP query etc… the lastLogontimeStamp attribute will updated”

    So if you change the “Last Logon Settings” in AD Tidy to use just the LastLogonTimeStamp then I’m pretty sure you would be covered for OWA logons but obviously you should test it to be certain. Of course leaving AD Tidy on the default of using both the LastLogon and LastLogonTimeStamp (and PwdLastSet for computers) will have even more chance of catching every type of logon but will be slower because it has to query every DC for the LastLogon value to get an accurate value for each account.

  5. Rory Schmitz 10 years ago

    Hi Chris,

    Thank you for that. I can verify that the OWA logins do reflect a change in AD Tidy on the Last Logon Date column. It’s clearly updating the LastLogonTimeStamp attribute. Our external SharePoint 2010 site, however, did not? I was more concerned with OWA, though, so thank you very much for the quick reply.

  6. eratyle 10 years ago

    Most useful tool, so much time has been saved with it!

  7. Chris Wright 10 years ago

    Thanks, pleased to hear that 🙂

  8. Kelly Frank 9 years ago

    Love the tools. I have just one question maybe someone can help me with. Is there a way with these tools to find out the user who last logged onto a specific computer?

© 4sysops 2006 - 2023