Inactive accounts in the Active Directory should strike fear in the hearts of IT admins. They may appear harmless as they lay dormant, unused, and inactive, but they are an open invitation for anyone looking to compromise an organization’s security.
Why Inactive Accounts are Threat to AD Security
Inactive accounts may appear docile but they can cause fatal damages to an organization, especially when they are not disabled or when they remain without password expiry limits. Outside intruders trying to hack into an organization can use these accounts as their activities will go unnoticed. Also, employees who quit the organization can misuse their login credentials to access network resources. The damage that can be done to the network depends on how skilled the intruders are, how long they are able to stay there, and how many privileges these compromised accounts have. And the attackers can have a free run if the organization does not have an effective auditing mechanism.
The Making of Inactive Accounts
Inactive accounts reveal a lot about the communication or lack of it between HR and IT departments. When new employees join the organization, the IT department provides them with new user accounts. But when they leave the organization, those accounts are not taken care of. It can happen when an employee is assigned a new role, or when an employee goes on long leave. The same can happen with computer accounts too. Also, for testing purposes and other temporary uses the IT department may create a user and computer accounts that stay open after their use is over. This is how inactive accounts are created in the AD environment.
Why You Need Inactive Account Management Policy
Organizations are usually not short of tools that can manage inactive accounts in their Active Directory. What they often lack though is a well-documented policy regarding this area. Most of the time, the IT department lacks information regarding the resignation and departure of employees. Also, no clear-cut instructions are given to them regarding the disabling or deletion of accounts. So the first thing to do is to document a policy in consultation with the HR department and the top management. The policy should encompass the following situations:
- when an employee leaves the company
- when there is a chance of an employee returning
- when an employee is on long leave
Decisions on following matters are also required:
- whether the accounts will be deleted directly, or after disabling them for sometime
- the waiting time before deleting the account permanently
- monitoring and auditing of inactive accounts
- use of professional Active Directory cleanup solutions like Lepide Active Directory Cleaner
How to Manage Inactive Active Directory Accounts
Removal of inactive accounts is essential for the security of the Active Directory. However, it is better to keep such accounts disabled for some time before deleting them. When employees leave the organization or when they take a long to leave, it is recommended to disable their user accounts. All the disabled accounts can be moved to a single OU and linked to it a GPO that curtails all accesses and privileges. Make sure that the accounts are removed from all group memberships. After a certain period, user accounts of employees who have left the organization can be deleted forever. It is a good practice to keep the HR department informed and up-to-speed with deletion activities. Another important suggestion is to enable the Active Directory Recycle Bin so that the accounts (along with all their attributes) can be restored (till they are cleared from the recycle bin). Check out some best practices for managing inactive AD accounts.
How Lepide Helps
Active Directory features are the best bet for manually disabling and deleting unused accounts but they are effective only when the AD environment is small. If the requirements are complex, one can rely on PowerShell script or automated Active Directory cleanup solutions like Lepide Active Directory Cleaner. Lepide Active Directory Cleaner helps to make the AD environment clean and lean by resetting the password, deleting, disabling and moving inactive user and computer accounts to another OU. It also helps to generate reports on inactive accounts in the network and schedule the cleanup actions. The advantage is that it saves the resources, time, and effort required to manage inactive accounts.