Using Lepide Active Directory Cleaner to Manage Inactive User and Computer Accounts in AD

by Danny Murphy

Would you be happy to live in a messy house? I know I wouldn’t. Active Directory is essentially the home of your IT infrastructure. Large pools of inactive user and computer accounts lurking in the system can clutter your Active Directory. But it’s more than that. These dormant accounts can act as a backdoor for hackers to get inside the system and extract sensitive data. This kind of access is very difficult to detect because the attacker is using accounts that have legitimate access to this data. Surprisingly, in a lot of organizations, inactive user and computer accounts accumulate because they are not deactivated when employees leave the business. This needs to change!

 

How to Handle Inactive User and Computer Accounts

When dealing with inactive accounts, a good place to start is to disable any account that no-one has logged into for 90 days (or a minimum duration of your choice). You can also move all inactive accounts into a single Organizational Unit and delete them from there.

Accounts with administrative privileges are going to be the primary target for hackers. Such accounts need to be removed as quickly as possible when they become inactive, to prevent this from happening.
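The staging described above can be sketched in PowerShell; this is an added example, not Lepide's code or part of the original article. The function names, the 120/180-day move and delete thresholds, the shorter 30-day threshold for privileged accounts and the sample accounts are all assumptions chosen for illustration.

```powershell
# Added example, not Lepide's code. Thresholds and sample accounts are assumptions.

# lastLogon is not replicated between domain controllers, so the "real" last logon
# is the newest value held by any DC. Requires the RSAT ActiveDirectory module.
function Get-RealLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory
    $newest = 0
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
        if ($u.lastLogon -gt $newest) { $newest = $u.lastLogon }
    }
    if ($newest -gt 0) { [datetime]::FromFileTime($newest) }   # no output = never logged on
}

# Turn days of inactivity into a staged action (disable, then move, then delete).
# Accounts flagged adminCount = 1 are disabled at a shorter, assumed threshold.
function Get-StaleAccountAction {
    param(
        [Parameter(Mandatory)]$Account,          # needs Name, LastLogon, Created, AdminCount
        [datetime]$Now = (Get-Date),
        [int]$DisableAfter = 90, [int]$MoveAfter = 120, [int]$DeleteAfter = 180,
        [int]$AdminDisableAfter = 30
    )
    # An account that has never logged on ages from its creation date instead.
    $since = if ($Account.LastLogon) { $Account.LastLogon } else { $Account.Created }
    $idle  = ($Now - $since).Days
    if ($Account.AdminCount -eq 1) { $DisableAfter = $AdminDisableAfter }
    $action = 'None'
    if ($idle -ge $DisableAfter) { $action = 'Disable' }
    if ($idle -ge $MoveAfter)    { $action = 'MoveToOU' }
    if ($idle -ge $DeleteAfter)  { $action = 'Delete' }
    [pscustomobject]@{ Name = $Account.Name; IdleDays = $idle; Action = $action }
}

# Constructed sample accounts; in a live domain, fill LastLogon from Get-RealLastLogon.
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'jsmith';     LastLogon = [datetime]'2024-05-20'; Created = [datetime]'2020-01-01'; AdminCount = 0 }
    [pscustomobject]@{ Name = 'svc-backup'; LastLogon = [datetime]'2024-04-15'; Created = [datetime]'2019-03-01'; AdminCount = 1 }
    [pscustomobject]@{ Name = 'mlee';       LastLogon = [datetime]'2024-01-15'; Created = [datetime]'2021-06-01'; AdminCount = 0 }
    [pscustomobject]@{ Name = 'tempuser';   LastLogon = $null;                  Created = [datetime]'2023-10-01'; AdminCount = 0 }
)
$sample | ForEach-Object { Get-StaleAccountAction -Account $_ -Now $asOf }
```

The script only reports the action each account is due for; review that list before passing it to `Disable-ADAccount`, `Move-ADObject` or `Remove-ADUser`, ideally with `-WhatIf` first.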

All of this can be done manually. However, it’s a very time-consuming process. If speed and automation are more your style, then solutions such as Lepide Active Directory Cleaner (part of Lepide Data Security Platform) should be your first port of call. Lepide Active Directory Cleaner automatically searches for and cleans up inactive accounts that would otherwise go unnoticed.

Lepide Active Directory Cleaner

  • Automate routine jobs, such as disabling inactive accounts, moving them to another Organizational Unit, resetting their passwords and deleting them altogether.
  • Cover a broad range of reporting, such as real last logons, users that have never logged on, inactive computers and more.
  • Ensure Active Directory security by scheduling periodic clean-up tasks.
  • Discover a user-friendly interface which notifies on inactive user and computer accounts over the last 30, 60 or 90 days.

Cool, isn’t it? Let’s see how easy it is to configure Active Directory Cleaner and track inactive user and computer accounts in your domain.

Learn how to configure Active Directory Cleaner

  1. Open Lepide Data Security Platform
  2. Go to “Settings”, right-click on any domain node and click “Properties” in the context menu.
  3. In the “Properties” window, click “Advanced Domain Configuration” in the left panel to access the advanced settings.
    Figure 1: Advanced Domain Configuration
  4. Check “Active Directory Cleaner” and then click the accompanying tools icon.
  5. To obtain reports on inactive user and computer accounts, you are required to configure the settings to receive notifications and set cleanup actions.
    Figure 2: Active Directory Cleaner Settings
    • Select OU: Here, you can select one or more “Organizational Units” from a list.
    • Set Time to Perform Actions/Send Notifications: Configure time settings to obtain reports and notifications.
    • Notification Settings: Here, you can use “Sender’s Email Account” to select an existing email account or add another account by clicking the Plus button. You have to provide the email addresses of the recipients to whom you want to send the notifications.
    • Action Settings: Here, you can select any of the action templates. You can also add, edit or remove an action template.
      Figure 3: Action Template Settings
    • Under Action Template, we can select action template type, template name, account type, and exclude accounts. There is also an option to add account type in the exclude accounts list. In addition to this, you can configure the number of days for each of the following:
      • Set Random Password After
      • Disable Account After
      • Move to OU After
      • Delete Account After
    • If you want daily reports of inactive accounts, click the checkbox to select it. Here, you can set the account inactivity period in days and select the Email template. You can also add, edit or remove the Email template.
    • Click “Apply” and “OK” to apply the settings and close the “Active Directory Cleaner” window.

Once you have configured the Active Directory Cleaner settings, you can view reports on inactive user and computer accounts using this single integrated console.

The Audit Reports of Active Directory Cleaner

  • Inactive Users: Displays the list of all inactive users.
    Figure 4: Inactive User Report
  • Inactive Computers: Displays the list of all inactive computers.
  • Never Logged on Users: Shows the list of all users who have never logged on.
  • Never Logged on Computers: Shows the list of all computers on which no user has ever logged on.
  • Real Last Logon Users: Shows real last logon details of the user accounts.
  • Real Last Logon Computers: Displays real last logon details of the computer accounts.
  • Action Performed on Users: Presents the action performed on the inactive user accounts.
  • Action Performed on Computers: Shows the action performed on the inactive computer accounts.

Conclusion

With Active Directory Cleaner (a component of Lepide Data Security Platform), you can keep track of all inactive user and computer accounts easily from an automated and centralized console. Download the free trial to try it for yourself.
