12,000 Stale Accounts, Audited. Service Accounts, Halved.
A mid-market pharmaceutical manufacturer cleaned up a decade of AD and M365 sprawl. Stale accounts removed, service accounts audited, password policies enforced, and PowerShell automation handed off.
The Situation
What They Were Up Against.
A pharmaceutical manufacturer subject to FDA 21 CFR Part 11 audits had let their Active Directory and Microsoft 365 environments drift for over a decade. Inactive user accounts were never disabled, service accounts were created freely without documentation, password policies hadn't been refreshed since the original AD build, and the auditors had started flagging it. An internal cleanup attempt three years prior had stalled when nobody had time to write the PowerShell.
Why They Called Us
The Fit.
Two reasons. First, FDA-regulated environments need cleanup work that's documented to audit standards, not just done. Second, the client needed PowerShell automation handed off so the team could maintain hygiene on their own going forward. Tech Critic combined senior identity-engineering experience with disciplined documentation.
What We Did
The Work.
- Audited 12,000+ AD user accounts and identified stale, inactive, and orphaned accounts using last-logon and group-membership heuristics
- Disabled and then removed inactive accounts following a documented sunset process with retention compliant with regulated-records policy
- Audited every service account, mapped its purpose, validated whether it was still needed, and reduced the count by 47%
- Re-keyed remaining service accounts with managed service account practices and rotation schedules
- Enforced refreshed password policies aligned to NIST 800-63B (length over complexity, no forced rotation without an indicator of compromise)
- Built and handed off a PowerShell library for ongoing hygiene: account-creation workflow, monthly stale-account report, service-account inventory, GPO baseline export
- Trained internal IT on running the scripts and interpreting the outputs
The Outcome
Real Numbers.
stale or orphaned accounts removed
reduction in service-account sprawl
open audit findings on identity hygiene
- Service accounts that remained were re-keyed with managed practices and documented rotation schedules
- Annual audit finding around 'identity hygiene' closed; auditor flagged the documentation as 'exemplary'
- Internal IT now runs the monthly hygiene report on their own with a 30-minute time commitment
- Password policy realigned to NIST 800-63B, with fewer help-desk resets and a stronger security posture
Tech Stack
What We Used.
We'd been telling ourselves we'd clean it up for years. Tech Critic actually did it. And gave us the scripts so it never gets that bad again.
Pharmaceutical Manufacturing · Anonymized Client