Directory Cleansing: The Cybersecurity Task You Can’t Afford to Ignore


When was the last time you checked who has access to your systems? If you can’t remember, you’re not alone. For many SMEs, user directories are a “set and forget” part of IT — until something goes wrong.

From my experience helping businesses recover from cyberattacks, one theme keeps coming up: unused user accounts are often the open door attackers walk through. These accounts are enabled, forgotten, and vulnerable. Let me explain why this matters and what you can do about it.

Stale accounts come in many forms:

1. Ex-employees whose accounts were never fully disabled.

2. Test accounts left behind by vendors—often with weak or predictable passwords.

And here’s the real issue: even if you’ve strengthened your password policy (say, raising the minimum length from 6 to 14 characters), those old unused accounts don’t magically comply. A new minimum length is only enforced when a password is next set, so unless every user is forced to change their password immediately, stale accounts keep the short passwords they were given under the old policy and remain weak links. Attackers know it.

Why SMEs Are Especially at Risk

Most SMEs don’t use Single Sign-On (SSO). That means multiple directories to manage:

  • Active Directory on-premises
  • Microsoft 365
  • Accounting software
  • Line-of-business SaaS apps

Multiply that by every employee who’s ever left, and you’ve got a significant exposure problem. To make matters worse, many SMEs’ leavers’ checklists don’t even include directory access.

The Solution: A Two-Step Approach

  • Do a One-Off Cleanse – The first time is the hardest, but it’s essential. Audit every directory, disable what’s not needed, and document everything.
  • Make It Routine – Schedule a cleanse at least twice a year. And update your leavers’ policy/checklist so every leaver triggers an access review.

“But I’m Not an Admin…” – Good news – you don’t need to be.

In Microsoft 365, ask your IT Support to create a separate account with the ‘User Administrator’ role. This gives you just enough access to manage users (create, disable, reset passwords) without Global Administrator rights.

In Active Directory, your IT Support can delegate control of specific organisational units to a separate account of yours, and you can manage them from your own machine with the Remote Server Administration Tools (RSAT), which Microsoft provides free of charge.

This approach follows the principle of least privilege — keeping your daily account safe while still letting you do the job.

Why This Matters

  • Security: Dormant accounts are a cybercriminal’s dream.
  • Compliance: GDPR, ISO 27001, and Cyber Essentials all require access control.
  • Cost: Unused Microsoft 365 licenses and SaaS subscriptions add up fast.

Common Pitfalls

  • Deleting without checking: If in doubt, reset the password, disable the account, and set a calendar reminder for deletion later.
  • Ignoring service accounts: These are just as critical—check with your IT support.
  • No audit trail: Always log what you’ve done and when.
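The one-off cleanse described above (audit every directory, disable what’s not needed, document everything) and the “disable, don’t delete” and “keep an audit trail” pitfalls come together in the following PowerShell script. It is an added example, not code from the original article or its author, written for on-premises Active Directory via the RSAT ActiveDirectory module; the OU name, file paths and the ‘svc-’ naming prefix for service accounts are assumptions, and the script only reports unless you pass -Disable.

```powershell
<#
  Added example, not code from the original article: a stale-account audit for
  on-premises Active Directory following the report-first, disable-don't-delete,
  log-everything approach. Assumptions (not from the article): the RSAT
  ActiveDirectory module is installed, the running account has delegated rights
  on the target OU, and the OU, file paths and 'svc-' prefix are illustrative.
#>
param(
    [int]$InactiveDays = 90,
    [string]$SearchBase = 'OU=Staff,DC=example,DC=local',   # assumed OU
    [string]$ReportPath = "$env:USERPROFILE\stale-accounts-$(Get-Date -Format yyyyMMdd).csv",
    [string]$LogPath    = "$env:USERPROFILE\directory-cleanse.log",
    [switch]$Disable                                        # omit for a report-only run
)

Import-Module ActiveDirectory

function Write-CleanseLog {
    param([string]$Message)
    # Audit trail: who did what, when (ISO 8601 timestamp), appended to a log file.
    "$(Get-Date -Format o) $env:USERDOMAIN\$env:USERNAME $Message" | Add-Content -Path $LogPath
}

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, Base64-encoded: 32 chars of mixed case, digits and symbols.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# Step 1 - Audit. LastLogonDate is derived from lastLogonTimestamp, which only
# replicates every 9-14 days, so treat it as approximate and keep $InactiveDays well above that.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale = @(Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
              -Properties LastLogonDate, PasswordLastSet, whenCreated, Description |
    Where-Object {
        ((-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)) -and
        ($_.whenCreated -lt $cutoff) -and          # skip new joiners who have not logged on yet
        ($_.SamAccountName -notlike 'svc-*')       # service accounts: review by hand with IT
    } |
    Select-Object SamAccountName, Name, LastLogonDate, PasswordLastSet, whenCreated, Description, DistinguishedName)

# PasswordLastSet shows which accounts still carry a password set under the old policy.
$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-CleanseLog "Audit of $SearchBase found $($stale.Count) accounts inactive > $InactiveDays days; report $ReportPath"

if (-not $Disable) {
    $stale | Format-Table SamAccountName, LastLogonDate, PasswordLastSet -AutoSize
    return
}

# Step 2 - Disable, don't delete. Reset the password so a leaked credential is useless,
# disable the account, and stamp the description with when, who, why and a review date.
$reviewDate = (Get-Date).AddDays(90).ToString('yyyy-MM-dd')
foreach ($u in $stale) {
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $u.DistinguishedName -Reset -NewPassword $secure
    Disable-ADAccount     -Identity $u.DistinguishedName
    Set-ADUser            -Identity $u.DistinguishedName -Description (
        "DISABLED $(Get-Date -Format yyyy-MM-dd) by $env:USERNAME: inactive > $InactiveDays days. " +
        "Review for deletion after $reviewDate. Previous description: $($u.Description)")
    Write-CleanseLog "Disabled and password-reset $($u.SamAccountName) ($($u.DistinguishedName))"
}
Write-CleanseLog "Disabled $($stale.Count) accounts; deletion review due $reviewDate"
```

Run it first without -Disable from the delegated account described above, check the CSV against your leavers’ list and ask IT Support about anything that looks like a service account, then rerun with -Disable and diarise the review date. Microsoft 365 accounts need a separate pass with the User Administrator account; the same report, disable and log pattern applies there.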

Ready to Take Action?

Don’t bury your head in the sand. Directory cleansing isn’t glamorous, but it’s one of the simplest, most effective ways to reduce risk and save money.

To help you get started, we’re offering 30 minutes of one-to-one time, completely free of charge, with no agenda and no catches, valid until 31st December 2025. Use it to ask questions, get advice, or just to check your approach.

Book your session today and take the first step toward a cleaner, safer directory – hello@the-vitd.co.uk.
