Active Directory, MSSP

The Active Directory questions MSSPs should ask before cleanup begins

COMMENTARY: Active Directory cleanup is not just about finding stale accounts or risky permissions. For MSSPs, the bigger issue is figuring out what those accounts, scripts, and exceptions actually do before anyone changes them. A lot of clients are running on old AD decisions that no one fully remembers anymore. That creates real risk during cleanup, recovery, and incident response. MSSPs that ask who owns an account, what a script touches, and what could break will have a much better chance of reducing risk without creating new problems.


When an MSSP takes on a new client, Active Directory findings often look straightforward at first. The complexity shows up later, when a questionable account or old automation turns out to be tied to history the client never documented.

The harder question is whether anyone inside the client organization still understands why those conditions exist.

That question matters more as veteran AD administrators retire or move into different roles. Newer IT teams may be strong in cloud platforms, AI-assisted operations, and modern security tools, but that does not mean they inherited the context behind years of hybrid identity decisions.

For MSSPs, this creates a different kind of client risk. Active Directory may be treated as legacy infrastructure, but in many environments it still shapes daily IT operations. When the people who understand that history leave, providers may be asked to secure an environment that the client no longer fully understands.

Many AD environments are messy because the business had to make them work, no matter the circumstance. Over time, quick fixes became standard practice, migration shortcuts became permanent, and one-off exceptions blended into the environment. The people who remember why those choices were made often become the only real “historical” map.

Unfortunately, that map is getting thinner.

This is where onboarding assessments can create false confidence. What looks like a cleanup opportunity to the provider may feel like a business risk to the client, especially when no one can explain what depends on it.

Identity cleanup often stalls for a reason. When internal teams do not trust their own documentation, a questionable account can feel safer left alone than changed. MSSPs need to understand that hesitation before making recommendations that affect monitoring, access reviews, incident response, or recovery.

Scripts and scheduled tasks are often where this hidden history becomes visible. They may sit quietly in the background for years, handling routine work that no one wants to revisit.

Because they work, people stop looking at them. Because they are old, people stop wanting to change them.

One common pattern is the script everyone depends on, and no one owns. It may have been written by an administrator who left years ago, then copied, renamed, and adjusted just enough to keep working. By the time an MSSP sees it, the script may have broad privileges, weak documentation, and no clear owner inside the client’s team. A configuration scan can show that the automation exists, but the better questions are about what it touches, who understands it, and what would break if it failed or ran in the wrong hands.

Those answers help separate ordinary technical debt from identity workflows that could complicate an incident, outage, or recovery effort.

AI can still be useful here, especially when an MSSP is trying to make sense of an unfamiliar AD environment. An old PowerShell script that once looked untouchable may become easier to read once a tool explains the logic and shows where it connects to the directory.

That can be enough to get the conversation moving.

Once the script is readable, the harder work is figuring out why the client still depends on it, why no one replaced it, or why the internal team gets nervous when someone suggests turning it off. Those answers usually come from the people who have lived with the environment long enough to know where the fragile parts are.

MSSPs should treat AD knowledge loss as part of client risk assessment. The goal is to learn where the client still has confidence, where the documentation is thin, and where a change could create operational pain. That context can shape how the provider approaches cleanup, monitoring, escalation, and recovery planning.

The clients most exposed are often the ones who already know parts of their environment are fragile. They avoid touching certain service accounts or keep old scripts running because no one is confident enough to replace them. Their documentation may explain what exists, but still leave out why it matters.

For MSSPs, closing that gap can strengthen the work they are already doing. Providers that help clients preserve AD knowledge before it disappears can make recovery plans more realistic, reduce hesitation around identity cleanup, and lower the chance that the next retirement, outage, or incident exposes a dependency no one remembers.


Craig Birch

Craig Birch is Principal Technologist at Cayosoft.

You can skip this ad in 5 seconds