In organizations comprising thousands, or even hundreds of thousands, of Active Directory user and computer objects, how can you tell whether a particular account is inactive? And once such accounts are identified, what should be done with them? User and computer accounts become obsolete for many reasons, including long leaves of absence, employees leaving the organization, and machines being decommissioned. A forgotten account that is still valid is an attractive target: a former employee, or an attacker who has obtained its credentials, can log on with it and nobody is likely to notice. Disabling and removing unused or stale user and computer accounts therefore helps keep Active Directory secure against insider attacks. This article explains the steps for handling inactive accounts using both native methods and LepideAuditor, a comprehensive auditing solution.

How to Handle Inactive Users and Computers Natively

If inactive accounts pile up in Active Directory, it becomes difficult for administrators to manage them. Therefore, it is important that administrators keep track of these inactive accounts at all times. IT administrators should have a well-defined plan that defines when an unused user or computer account becomes an inactive one, and what actions are to be taken once that happens.

The period after which unused user and computer accounts are treated as inactive varies from organization to organization, but it is usually around 15 to 30 days. Note that the native queries below rely on the lastLogonTimestamp attribute, which domain controllers only update when the stored value is more than roughly 14 days old, so a threshold shorter than that cannot be measured reliably and will produce false positives.

Native Method

Following the steps below at the intervals defined for your organization will help you deal with these obsolete accounts.

Step 1: List Inactive Accounts

Execute the following commands to search for dormant accounts in Active Directory. The -inactive switch of dsquery takes a number of weeks, not days, and requires the Windows Server 2003 domain functional level or higher (it reads lastLogonTimestamp). dsquery also returns at most 100 objects by default, so add -limit 0 to list every match in a large domain.

  • Run the command given below in the “Command Prompt” to get a list of user accounts that have been inactive for at least 4 weeks:
    dsquery user -inactive 4 -limit 0
  • Run the command given below in the “Command Prompt” to get a list of computer accounts that have been inactive for at least 4 weeks:
    dsquery computer -inactive 4 -limit 0
Figure 1: Tracking inactive accounts

Step 2: Reset User Account Password

Perform the following steps immediately after listing the inactive accounts. Resetting the password ensures that a credential the departed user, or anyone who obtained it, still knows can no longer be used, even if the account is accidentally re-enabled later.

  • Navigate to “Start” → “Administrative Tools” → “Active Directory Users and Computers”.
  • Right-click the inactive user and click “Reset Password”.
  • Enter and confirm a new, randomly generated password.
  • Click “OK”.

Figure 2: Resetting account password

Step 3: Disable the Inactive Accounts

The inactive accounts must be disabled within 15-60 days to prevent any further security threats. dsquery only lists objects; to change them, pipe its output to dsmod, which reads the distinguished names from standard input:

  • To disable inactive user accounts, run the following command in “Command Prompt”.
    dsquery user -inactive 4 -limit 0 | dsmod user -disabled yes
  • To disable inactive computer accounts, run the following command in “Command Prompt”.
    dsquery computer -inactive 4 -limit 0 | dsmod computer -disabled yes

NOTE: -inactive is measured in weeks; 4 weeks here corresponds to a 30-day inactivity period, and you can change it. Run the dsquery half of each pipeline on its own first and review the list: accounts that have never logged on, such as freshly pre-staged computer objects or unused service accounts, are also returned.

Figure 3: Disabling inactive users and computers

Step 4: Move the account to an Organizational unit

A few days after the accounts have been disabled, they should be moved to a dedicated organizational unit so that they are easy to find and audit. Right-click the user or computer, select “Move” from the context menu and move it to the standalone Organizational Unit. You can also drag-and-drop user and computer accounts to any Organizational Unit.

Step 5: Delete the inactive accounts

Disabled inactive accounts that have sat in the holding Organizational Unit for the agreed period must be deleted to make sure that nobody can use them at all. Restrict the query to that OU (replace <OU DN> with the distinguished name of the Organizational Unit used in Step 4) and to disabled objects, so that an active account is never deleted by mistake. Execute the following commands.

  • Run the command given below to delete the disabled user accounts:
    dsquery user "<OU DN>" -inactive 12 -disabled -limit 0 | dsrm -noprompt
  • Run the command given below to delete the disabled computer accounts:
    dsquery computer "<OU DN>" -inactive 12 -disabled -limit 0 | dsrm -subtree -noprompt

NOTE: Here, 12 weeks (roughly 84 days) is the inactivity period and you can change it. -subtree is required for computer objects that carry child objects (for example BitLocker recovery information), because dsrm refuses to delete a non-leaf object without it.

Figure 4: Deleting disabled inactive accounts
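The five steps above can be run as one scheduled pass with the ActiveDirectory PowerShell module. The script below is an added example written for this page; it is not code from the original article or from Lepide. The thresholds, the holding OU, the exclusion list and the report path are assumptions to be replaced with your own values. It supports -WhatIf so the first runs can be dry runs, skips accounts that are newer than the inactivity threshold (Search-ADAccount reports never-logged-on accounts as inactive, which would otherwise catch pre-staged objects), and only deletes objects that are disabled, parked in the holding OU, and inactive past the longer delete threshold.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example for this article (not Lepide's code). One pass over Steps 1-5:
  list, reset password, disable, move to a holding OU, delete the old ones.
  Assumptions: the day thresholds, $StaleOU, $Exclude and $ReportPath are placeholders.
  Run first as:  .\Invoke-StaleAccountCleanup.ps1 -WhatIf -Verbose
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DisableAfterDays = 30,                                        # assumed threshold
    [int]$DeleteAfterDays  = 90,                                        # assumed threshold
    [string]$StaleOU       = 'OU=Stale Accounts,DC=corp,DC=example',    # assumed holding OU
    [string[]]$Exclude     = @('krbtgt', 'Guest'),                      # never touch these
    [string]$ReportPath    = (Join-Path $env:TEMP 'stale-accounts.csv')
)

Import-Module ActiveDirectory

# lastLogonTimestamp is only rewritten when it is more than ~14 days old, so a
# shorter threshold cannot be measured and would flag active accounts.
if ($DisableAfterDays -lt 15)              { throw 'DisableAfterDays must be at least 15.' }
if ($DeleteAfterDays -le $DisableAfterDays) { throw 'DeleteAfterDays must exceed DisableAfterDays.' }

$disableCutoff = (Get-Date).AddDays(-$DisableAfterDays)
$deleteCutoff  = (Get-Date).AddDays(-$DeleteAfterDays)

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded, truncated to $Length characters.
    param([int]$Length = 32)
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes).Substring(0, $Length)
    return (ConvertTo-SecureString -String $plain -AsPlainText -Force)
}

# Step 1: users and computers with no logon since the disable cutoff. whenCreated is
# fetched because never-logged-on accounts count as inactive and must not be disabled
# just for being new. Objects already in the holding OU were handled on a previous run.
$props = 'LastLogonDate', 'whenCreated'
$stale = @(
    Search-ADAccount -AccountInactive -DateTime $disableCutoff -UsersOnly     | Get-ADUser     -Properties $props
    Search-ADAccount -AccountInactive -DateTime $disableCutoff -ComputersOnly | Get-ADComputer -Properties $props
) | Where-Object {
    $_.SamAccountName -notin $Exclude -and
    $_.whenCreated -lt $disableCutoff -and
    $_.DistinguishedName -notlike "*,$StaleOU"
}
$stale = @($stale)

# Audit trail of what was found, written before anything is changed.
$stale | Select-Object SamAccountName, ObjectClass, Enabled, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Verbose "Found $($stale.Count) stale accounts; report written to $ReportPath"

foreach ($obj in $stale) {
    if (-not $PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Reset password, disable, move')) { continue }

    # Step 2: only user objects get a new random password (computer passwords rotate on their own).
    if ($obj.ObjectClass -eq 'user') {
        Set-ADAccountPassword -Identity $obj -Reset -NewPassword (New-RandomPassword)
    }
    # Step 3: disable the account, users and computers alike.
    Disable-ADAccount -Identity $obj
    # Step 4: park it in the holding OU so it is visible and can be targeted by policy.
    Move-ADObject -Identity $obj -TargetPath $StaleOU
}

# Step 5: delete objects that were parked earlier, are still disabled, and have been
# inactive past the delete cutoff. -Recursive is needed for computer objects that own
# child objects (e.g. BitLocker recovery information); ProtectedFromAccidentalDeletion
# objects still fail here on purpose and must be reviewed by hand.
Search-ADAccount -AccountInactive -DateTime $deleteCutoff -SearchBase $StaleOU |
    Where-Object { -not $_.Enabled -and $_.SamAccountName -notin $Exclude } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Delete')) {
            Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false
        }
    }
```

Because the delete cutoff is longer than the disable cutoff, an account disabled and moved today is not eligible for deletion until it has been inactive for the full delete period, which gives the grace window the procedure calls for. Schedule the script under an account with rights over the holding OU only, keep the CSV reports, and, if the Active Directory Recycle Bin is enabled, the deleted objects remain recoverable for the deleted-object lifetime.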

Issues with the Native Method

All these steps have to be performed manually, which consumes a lot of time and effort. In the absence of an automated system, the steps mentioned above are not performed at scheduled intervals, creating more manual work for IT teams.

This task becomes even more complicated when dealing with hundreds of accounts, as administrators need a good understanding of the dsquery switches or the equivalent PowerShell cmdlets to extract the required information and to avoid disabling or deleting the wrong objects.

LepideAuditor – Automated Solution for Inactive Accounts

Lepide Active Directory Cleaner is a simple and cost-effective solution which enables you to detect and manage inactive accounts in Active Directory. It is an integral part of the award-winning auditing solution LepideAuditor. It helps you get a complete list of all the obsolete accounts present in your environment.

Following is a screenshot of Active Directory Cleaner settings.

Figure 5: Active Directory Cleaner

After a simple configuration, these actions can be performed automatically, helping you to increase the security of your Active Directory.



Download Lepide Active Directory Cleaner

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.