In organizations comprising thousands, or even hundreds of thousands, of Active Directory user and computer objects, how do you know whether a particular account is inactive? And once such accounts and objects are identified, what should be done with them? User and computer accounts become obsolete for many reasons, including long leaves of absence and employees leaving the organization. Disabling and removing unused (stale) user and computer accounts keeps Active Directory safer, both from insider misuse and from attackers who obtain credentials for an account that nobody is watching. This article explains the steps to handle inactive accounts using both native methods and LepideAuditor, a comprehensive auditing solution.
If inactive accounts pile up in Active Directory, they become difficult for administrators to manage. Administrators should therefore keep track of inactive accounts at all times and have a well-defined plan that states when an unused user or computer account is considered inactive, and what action is taken at each stage after that.
The period after which an unused user or computer account is considered inactive varies from organization to organization, but it is usually around 15 to 30 days.
Following the steps below, on the schedule your organization has defined, will help you deal with these obsolete accounts.
Step 1: List Inactive Accounts
Run the following commands in Command Prompt on a domain controller (or on a machine with the AD DS command-line tools installed) to find dormant accounts. The number after -inactive is a count of weeks, not days: -inactive 2 means roughly 15 days and -inactive 4 roughly 30 days. dsquery also stops after 100 results by default, so add -limit 0 to see every match.
- Run the command given below to list user accounts that have not logged on for two weeks:
dsquery user -inactive 2 -limit 0
- Run the command given below to list computer accounts that have not logged on for two weeks:
dsquery computer -inactive 2 -limit 0
Step 2: Reset User Account Password
Perform the following steps right after listing the inactive accounts, so that anyone who still knows the old credentials (the departed employee, or someone who phished them) cannot use the account in the window before it is disabled.
- Navigate to “Start” → “Administrative Tools” → “Active Directory Users and Computers”.
- Right-click the inactive user and click “Reset Password”.
- Enter and confirm a new, long, random password that is not recorded anywhere.
- Click “OK”.
Step 3: Disable the Inactive Accounts
The inactive accounts must be disabled within the period your policy sets (typically 15 to 60 days of inactivity) to prevent further security threats. dsquery only finds objects; to change them, pipe its output to dsmod. The commands below disable every user or computer account that has been inactive for four weeks:
- To disable inactive user accounts, run the following command in “Command Prompt”.
dsquery user -inactive 4 -limit 0 | dsmod user -disabled yes
- To disable inactive computer accounts, run the following command in “Command Prompt”.
dsquery computer -inactive 4 -limit 0 | dsmod computer -disabled yes
NOTE: Here, 4 weeks is the inactivity period and you can change it. Run the dsquery half on its own first and review the list, because dsmod disables every object piped to it.
Step 4: Move the account to an Organizational unit
A few days after disabling the accounts, move them to a dedicated, stand-alone Organizational Unit. Keeping all disabled stale accounts in one OU makes them easy to report on, keeps them out of the OUs where Group Policy and delegated rights apply to live accounts, and gives the deletion step in Step 5 a well-defined scope. Right-click the account, select “Move” from the context menu and choose the stand-alone Organizational Unit. You can also drag and drop user and computer accounts into the Organizational Unit.
Step 5: Delete the inactive accounts
Once the disabled accounts have spent the grace period your policy defines in the stand-alone Organizational Unit, delete them so that no one can use them at all. dsrm -noprompt deletes every object piped to it without asking for confirmation, so run the dsquery part on its own first and confirm that it returns only the accounts you disabled and moved earlier. Then execute the following commands.
- Run the command given below to delete disabled user accounts that have been inactive for seven weeks:
dsquery user -inactive 7 -disabled -limit 0 | dsrm -noprompt
- Run the command given below to delete disabled computer accounts that have been inactive for seven weeks:
dsquery computer -inactive 7 -disabled -limit 0 | dsrm -noprompt
NOTE: Here, 7 weeks (about 50 days) is the inactivity period and you can change it. The -disabled filter makes sure that an account which was still enabled, and therefore never went through Steps 2 to 4, is not deleted.
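The whole procedure, Steps 1 to 5, as one scheduled-task script is shown below. This is an added PowerShell example, not code from the original article or from Lepide, and it uses the RSAT ActiveDirectory module in place of the older dsquery, dsmod and dsrm tools. The holding OU distinguished name, the day thresholds, the exclusion list and the log path are assumptions to be adjusted to your own policy.

```powershell
<#
  Added example (not from the original article or from Lepide): Steps 1 to 5 as one
  scheduled-task script built on the RSAT ActiveDirectory module. Assumptions, all mine:
  the holding OU DN, the day thresholds, the exclusion list and the log path below.
  Run with -WhatIf first; without it, each object is confirmed unless -Confirm:$false is given.
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [int]$DisableAfterDays = 30,        # inactivity before reset + disable + move (Steps 2-4)
    [int]$DeleteAfterDays  = 90,        # inactivity before a disabled account in the holding OU is deleted (Step 5)
    [string]$StaleOU       = 'OU=Stale Accounts,DC=example,DC=com',   # assumed holding OU
    [string[]]$Exclude     = @('Administrator', 'Guest', 'krbtgt'),   # never touch these (assumed list)
    [string]$LogPath       = "$env:ProgramData\StaleAccounts\actions-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$log = New-Object System.Collections.Generic.List[object]

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded: whoever knew the old password is locked out
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Get-StaleAccount {
    param([int]$Days, [switch]$Computers, [string]$SearchBase)
    # Step 1. -AccountInactive evaluates lastLogonTimestamp, which is only replicated when it is
    # roughly 14 days out of date, so thresholds below 14 days do not mean anything.
    $splat = @{ AccountInactive = $true; TimeSpan = (New-TimeSpan -Days $Days) }
    if ($Computers)  { $splat.ComputersOnly = $true } else { $splat.UsersOnly = $true }
    if ($SearchBase) { $splat.SearchBase = $SearchBase }
    Search-ADAccount @splat | Where-Object {
        # never-logged-on accounts have no LastLogonDate; a brand-new account would otherwise
        # look stale, so those are left for manual review instead of being processed here
        $_.LastLogonDate -and ($Exclude -notcontains $_.SamAccountName)
    }
}

$stamp = "Disabled as inactive on $(Get-Date -Format s)"

# Steps 2-4 for users: reset the password first so the old credential dies even if a later
# step fails, then disable, then move into the holding OU.
foreach ($acct in @(Get-StaleAccount -Days $DisableAfterDays | Where-Object { $_.Enabled })) {
    if (-not $PSCmdlet.ShouldProcess($acct.SamAccountName, 'Reset password, disable, move')) { continue }
    Set-ADAccountPassword -Identity $acct.ObjectGUID -Reset -NewPassword (New-RandomPassword)
    Set-ADUser -Identity $acct.ObjectGUID -Description "$stamp; last logon $($acct.LastLogonDate)"
    Disable-ADAccount -Identity $acct.ObjectGUID
    Move-ADObject -Identity $acct.ObjectGUID -TargetPath $StaleOU
    $log.Add([pscustomobject]@{ Time = Get-Date; Object = $acct.SamAccountName; Action = 'disabled+moved'; LastLogon = $acct.LastLogonDate })
}

# Same for computers (no password reset: machine account passwords are rotated by the computer itself).
foreach ($acct in @(Get-StaleAccount -Days $DisableAfterDays -Computers | Where-Object { $_.Enabled })) {
    if (-not $PSCmdlet.ShouldProcess($acct.Name, 'Disable, move')) { continue }
    Set-ADComputer -Identity $acct.ObjectGUID -Description "$stamp; last logon $($acct.LastLogonDate)"
    Disable-ADAccount -Identity $acct.ObjectGUID
    Move-ADObject -Identity $acct.ObjectGUID -TargetPath $StaleOU
    $log.Add([pscustomobject]@{ Time = Get-Date; Object = $acct.Name; Action = 'disabled+moved'; LastLogon = $acct.LastLogonDate })
}

# Step 5: delete only what is already disabled, already sits in the holding OU and is past the
# longer threshold. Scoping to the OU is what keeps a typo in the threshold from deleting live accounts.
foreach ($acct in @(Get-StaleAccount -Days $DeleteAfterDays -SearchBase $StaleOU | Where-Object { -not $_.Enabled })) {
    if (-not $PSCmdlet.ShouldProcess($acct.SamAccountName, 'Delete')) { continue }
    Remove-ADObject -Identity $acct.ObjectGUID -Confirm:$false
    $log.Add([pscustomobject]@{ Time = Get-Date; Object = $acct.SamAccountName; Action = 'deleted'; LastLogon = $acct.LastLogonDate })
}
foreach ($acct in @(Get-StaleAccount -Days $DeleteAfterDays -Computers -SearchBase $StaleOU | Where-Object { -not $_.Enabled })) {
    if (-not $PSCmdlet.ShouldProcess($acct.Name, 'Delete')) { continue }
    # computer objects can own child objects (for example BitLocker recovery information), hence -Recursive
    Remove-ADObject -Identity $acct.ObjectGUID -Recursive -Confirm:$false
    $log.Add([pscustomobject]@{ Time = Get-Date; Object = $acct.Name; Action = 'deleted'; LastLogon = $acct.LastLogonDate })
}

if ($log.Count -gt 0) { $log | Export-Csv -Path $LogPath -NoTypeInformation -Append }
```

Run it first as `.\Cleanup-StaleAccounts.ps1 -WhatIf` (the file name is an assumption) from an account that has been delegated reset-password, disable, move and delete rights on the OUs involved; the -WhatIf output is the same review list that Step 1 produces, and nothing is changed until the script is run without -WhatIf. The thresholds are deliberately 30 and 90 days rather than the article's 15 days, because lastLogonTimestamp can lag the real last logon by up to about two weeks.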
Issues with the Native Method
All of these steps have to be performed manually, which consumes a lot of time and effort. Without an automated system they are also not run at scheduled intervals, so the cleanup depends on someone remembering to do it, which creates more work for IT teams and leaves stale accounts usable in between runs.
The task becomes even more complicated when dealing with hundreds of accounts, because scripting it reliably requires an in-depth understanding of the dsquery tools or the Active Directory PowerShell cmdlets.
LepideAuditor: An Automated Solution for Inactive Accounts
Lepide Active Directory Cleaner is a simple and cost-effective solution that enables you to detect and manage inactive accounts in Active Directory. It is an integral part of the award-winning auditing solution LepideAuditor. It gives you a complete list of all the obsolete accounts in your environment.
Following is a screenshot of the Active Directory Cleaner settings.
After a simple configuration, these actions are performed automatically on a schedule, helping you to keep Active Directory free of stale accounts and improve its security.