Cq
Claritiq
·
Cleanup Hub
Critical
Caution
Healthy · target
Scope: eni.enigron.com · c1.eni.enigron.com
AD Cleanup Score
67 / 100
↑ 19 vs Q1 2026 (48)
Enabled : Disabled
1 : 1.75
966 enabled · 1,694 disabled
Remediated last 30d
247
stale + admin + groups
Cleanup velocity
↑ 87 / wk
trending up vs prior 4w
Open candidates
412
across 19 categories
Q2 target progress
78%
of 530-finding goal
Cleanup categories — current state × velocity
| Category | Current | Last snap | Δ | Status |
|---|---|---|---|---|
| Stale enabled (90+ days) | 247 | 302 | −55 | Active |
| Stale enabled (180+ days) | 143 | 168 | −25 | Active |
| Permanent never-onboarded (60d+) | 38 | 47 | −9 | Active |
| Disabled in admin groups | 8 | 12 | −4 | Active |
| PASSWD_NOTREQD set | 4 | 4 | 0 | Stalled |
| AdminCount=1 residue | 8 | 11 | −3 | Active |
| Service account stale | 18 | 22 | −4 | Active |
| Disabled with proxyAddresses (candidate) | 64 | 78 | −14 | Candidate |
| Workaround-provisioned (candidate) | 89 | 89 | 0 | Candidate |
| Empty groups | 94 | 102 | −8 | Active |
| Stale computers (180+) | 35 | 43 | −8 | Active |
| End-of-life OS | 40 | 41 | −1 | Stalled |
"Candidate" rows surface AD-only signals that need Phase 2 EXO confirmation (F.14) for canonical detection. New joiners (Created < 60d) are filtered out of Permanent-never-onboarded so they don't appear as false positives in stakeholder reports.
What's next — top remediation queue
| Action | Count | Severity | Estimated impact |
|---|---|---|---|
| Disable stale 365+ accounts | 87 | Critical | risk reduction · TFE attack surface |
| Remove disabled from admin groups | 8 | Critical | Tier-0 cleanup · audit evidence |
| Investigate PASSWD_NOTREQD | 4 | Critical | blank-password risk |
| Disable stale 180+ accounts | 143 | Caution | lifecycle hygiene |
| Confirm workaround-provisioned mailboxes (Phase 2) | 89 | Caution | needs F.14 / EXO data |
| Cleanup empty groups (no-owner first) | 94 | Caution | sprawl reduction |
| Remediate AdminCount residue | 8 | Caution | SDProp leftovers |
| Investigate disabled-with-proxyAddresses | 64 | Caution | Phase 2 EXO confirms |
Ordered by severity then estimated impact. Click any row to drill into the source page (Account Health / U - Hybrid Identity / G - Privileged Groups / etc.).