Do inactive accounts harm the Active Directory network security?

By Satyendra | Updated on 06.18.2020 | Data Security


Inactive accounts in Active Directory should strike fear into the hearts of IT admins. They may appear harmless as they lie dormant and unused, but they are an open invitation to anyone looking to compromise an organization’s security.

Why do inactive accounts matter—aren’t they harmless?

Inactive accounts may appear docile, but they can cause serious damage to an organization, especially when they are not disabled or have no password expiry. Outside intruders can use these accounts because activity on them is likely to go unnoticed, and former employees can misuse their old credentials to reach network resources. The damage depends on how skilled the intruders are, how long they manage to stay inside, and how many privileges the compromised accounts hold. If the organization has no effective auditing mechanism, the attackers have a free run.

The making of inactive accounts

Inactive accounts reveal a lot about the communication, or lack of it, between the HR and IT departments. When new employees join the organization, the IT department provisions user accounts for them, but when they leave, those accounts are often not dealt with. The same can happen when an employee is assigned a new role or goes on long leave, and it applies to computer accounts as well. In addition, the IT department may create user and computer accounts for testing and other temporary purposes that stay active after their use is over. This is how inactive accounts accumulate in an AD environment.

Why is policy important?

Organizations are usually not short of tools that can manage inactive accounts in their Active Directory. What they often lack is a well-documented policy for this area. Most of the time, the IT department is not informed of resignations and departures, and it has no clear-cut instructions on disabling or deleting accounts. So the first step is to document a policy in consultation with the HR department and top management. The policy should cover the following situations:

  • when an employee leaves the company
  • when there is a chance of an employee returning
  • when an employee is on long leave

Decisions on following matters are also required:

  • whether accounts will be deleted directly or only after being disabled for some time
  • the waiting time before deleting the account permanently
  • monitoring and auditing of inactive accounts
  • use of professional Active Directory cleanup solutions like Lepide Active Directory Cleaner

Dealing with inactive accounts: some recommendations

Removing inactive accounts is essential for Active Directory security, but it is better to keep them disabled for some time before deleting them. When employees leave the organization or take long leave, disable their user accounts. Move all disabled accounts to a single OU and link to it a GPO that curtails all access and privileges, and make sure the accounts are removed from all group memberships. After a set period, the accounts of employees who have left can be deleted permanently; keep the HR department informed and up to speed on deletion activities. Finally, enable the Active Directory Recycle Bin so that deleted accounts, along with all their attributes, can be restored until they are purged from the recycle bin.
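The disable, strip-group-memberships, move-to-OU sequence above as a PowerShell script, added here as an example rather than taken from the article or from Lepide's product. It assumes the ActiveDirectory module, and the quarantine OU name is a placeholder that must already exist with the restrictive GPO linked to it.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Lepide's code. Placeholder: the quarantine OU below must exist
# and already have the restrictive GPO linked to it.
param(
    [int]$InactiveDays = 90,
    [string]$QuarantineOU = 'OU=Disabled Accounts,DC=example,DC=com',
    [switch]$Commit   # without -Commit the script only reports what it would do
)

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Deletion is reversible only if the AD Recycle Bin is on; warn before anything else.
$rb = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is not enabled; deleted accounts cannot be restored with their attributes.'
}

# Search-ADAccount evaluates lastLogonTimestamp, which replicates with up to ~14 days
# of slack, so read the result as "no logon for at least $InactiveDays days".
$stale = Search-ADAccount -UsersOnly -AccountInactive -DateTime $cutoff |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$QuarantineOU" }

foreach ($acct in $stale) {
    $user = Get-ADUser -Identity $acct.DistinguishedName -Properties MemberOf, whenCreated
    # A new account that has simply never logged on is not stale yet; leave it alone.
    if (-not $acct.LastLogonDate -and $user.whenCreated -gt $cutoff) { continue }

    Write-Output ('{0}: last logon {1}, {2} group membership(s)' -f $user.SamAccountName, $acct.LastLogonDate, $user.MemberOf.Count)
    if (-not $Commit) { continue }

    # 1. Disable, and stamp the date so the waiting period before deletion is auditable.
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description ('Disabled {0:yyyy-MM-dd}: inactive > {1} days' -f (Get-Date), $InactiveDays)

    # 2. Remove every explicit group membership (the primary group, Domain Users,
    #    is held in primaryGroupID rather than MemberOf and stays).
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 3. Move into the quarantine OU so the GPO linked there applies.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
}
```

Run it without -Commit first and review the report against HR's leaver list; the Description stamp gives the later deletion pass a date to measure the waiting period from.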

What solutions are available for managing inactive accounts?

Built-in Active Directory features are the best bet for manually disabling and deleting unused accounts, but they are practical only when the AD environment is small. For more complex requirements, one can rely on script-based (PowerShell or other) solutions or on automated Active Directory cleanup solutions like Lepide Active Directory Cleaner. Lepide Active Directory Cleaner helps keep the AD environment clean and lean by resetting passwords and by deleting, disabling, or moving inactive user and computer accounts to another OU. It also generates reports on inactive accounts in the network and schedules cleanup actions, saving the resources, time, and effort required to manage inactive accounts.