diff --git a/cmd/agent/main.go b/cmd/agent/main.go
index f3314b4240c..8f7bcb9df70 100644
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@@ -81,7 +81,9 @@ func main() {
 			}
 			err = bindingErr
 		} else if os.Getenv("AD_GUID_CLEANUP") == "true" {
-			err = clean.UnmigrateAdGUIDUsers(nil, false, false)
+			dryrun := os.Getenv("DRY_RUN") == "true"
+			deleteMissingUsers := os.Getenv("AD_DELETE_MISSING_GUID_USERS") == "true"
+			err = clean.UnmigrateAdGUIDUsers(nil, dryrun, deleteMissingUsers)
 		} else {
 			err = run(ctx)
 		}
diff --git a/pkg/agent/clean/active_directory.go b/pkg/agent/clean/active_directory.go
index e448838478d..42235a1f7cf 100644
--- a/pkg/agent/clean/active_directory.go
+++ b/pkg/agent/clean/active_directory.go
@@ -299,13 +299,11 @@ func UnmigrateAdGUIDUsersOnce(sc *config.ScaledContext) error {
 // UnmigrateAdGUIDUsers will cycle through all users, ctrb, ptrb, tokens and migrate them to an
 // appropriate DN-based PrincipalID.
 func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool, deleteMissingUsers bool) error {
-	if dryRun || os.Getenv("DRY_RUN") == "true" {
-		logrus.Infof("[%v] DRY_RUN is true, no objects will be deleted/modified", migrateAdUserOperation)
-		dryRun = true
+	if dryRun {
+		logrus.Infof("[%v] dryRun is true, no objects will be deleted/modified", migrateAdUserOperation)
 		deleteMissingUsers = false
-	} else if deleteMissingUsers || os.Getenv("AD_DELETE_MISSING_GUID_USERS") == "true" {
-		logrus.Infof("[%v] AD_DELETE_MISSING_GUID_USERS is true, GUID-based users not present in Active Directory will be deleted", migrateAdUserOperation)
-		deleteMissingUsers = true
+	} else if deleteMissingUsers {
+		logrus.Infof("[%v] deleteMissingUsers is true, GUID-based users not present in Active Directory will be deleted", migrateAdUserOperation)
 	}
 
 	sc, adConfig, err := prepareClientContexts(clientConfig)