Monday 30 March 2015

With thousands of computers and user accounts in an Active Directory network, it is difficult for AD administrators to keep track of the activity status of every object. Some AD accounts are created for temporary use, and many of them remain unused after that short period. User accounts of employees who have left the organization may likewise remain unattended. The situation is similar when an organization relies on temporary computers for short periods. There are also users who regularly log on to AD through indirect means for convenience. All of this leads to numerous unused accounts in Active Directory. Here we will discuss the issues related to stale AD accounts that have been inactive or unused for a long period.

What are the issues associated with stale AD accounts?

First of all, IT auditors do not like stale AD accounts! The main reason is that such accounts can be a source of security issues. To meet security compliance requirements and keep the AD environment safe, administrators have to disable and remove such user accounts from time to time.

What to do with obsolete and unnecessary AD accounts?

Administrators need to clean up obsolete and unnecessary AD accounts on a regular basis. They should disable such accounts and then delete them to meet security compliance requirements and to eliminate the chance of a security breach. Alternatively, the accounts can be moved to a dedicated Organizational Unit.

How to look for inactive AD accounts?

You can query for inactive users and computers using Windows PowerShell. Here are the commands to find accounts that have been inactive for 90 days (the -TimeSpan parameter takes a TimeSpan value, so 90 days must be written as 90.00:00:00; a bare 90 would be interpreted as 90 ticks):

Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00

Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 90.00:00:00
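The following script is an added example, not code from the original post or from Lepide: it reports stale user accounts found with Search-ADAccount and, only when run with -Commit, disables them, records why in the description, and moves them to a holding OU. It assumes the RSAT ActiveDirectory module is installed and that the target OU 'OU=Stale Accounts,DC=example,DC=com' (a hypothetical name) exists.

```powershell
# Added example: report-then-disable workflow for stale AD user accounts.
# Assumptions: ActiveDirectory module available; $StaleOU (hypothetical) exists;
# the caller has rights to disable and move user objects.
param(
    [int]$InactiveDays = 90,
    [string]$StaleOU = 'OU=Stale Accounts,DC=example,DC=com',  # hypothetical OU
    [switch]$Commit   # without -Commit the script only reports
)
Import-Module ActiveDirectory

# -TimeSpan expects a TimeSpan object; a bare integer would be read as ticks.
$span = New-TimeSpan -Days $InactiveDays

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
# roughly 14 days of lag, so the threshold is only accurate to that granularity.
$stale = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $span |
    Where-Object { $_.Enabled } |                      # already-disabled accounts are not re-processed
    Get-ADUser -Properties LastLogonDate, whenCreated |
    Where-Object {
        # Never-logged-on accounts show up as inactive too; skip ones that are
        # simply newer than the inactivity window.
        $_.whenCreated -lt (Get-Date).AddDays(-$InactiveDays)
    }

$stale |
    Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

if (-not $Commit) {
    Write-Host "$(@($stale).Count) stale user account(s) found. Re-run with -Commit to disable and move them."
    return
}

foreach ($u in $stale) {
    # Disable first (removes the credential from use), annotate, then park in the
    # holding OU so the account can be reviewed and deleted after a grace period.
    $note = "Disabled by stale-account cleanup $(Get-Date -Format 'yyyy-MM-dd'); last logon: $($u.LastLogonDate)"
    Disable-ADAccount -Identity $u
    Set-ADUser -Identity $u -Description $note
    Move-ADObject -Identity $u -TargetPath $StaleOU
}
```

Run it without -Commit first and review the table; the same pattern with -ComputersOnly and Get-ADComputer covers stale computer accounts.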

How to remove inactive user and computer accounts?

As discussed, it is advisable to remove unused Active Directory accounts. Administrators can remove such accounts with suitable Windows PowerShell scripts.

Are there other methods for removing AD accounts?

Finding and removing inactive AD accounts can also be done with professional tools. They help AD administrators perform the cleanup automatically and on a routine basis without writing Windows PowerShell scripts, and they make it easier to meet security compliance requirements. Lepide Active Directory Cleaner is such a tool.

What are the advantages of Lepide Active Directory Cleaner?

Lepide Active Directory Cleaner is an excellent tool to find inactive AD user accounts, and to schedule the automatic cleanup of Active Directory. It allows users to set passwords, and to disable, move, or delete inactive accounts. It also provides reports on inactive accounts, users who have never logged on, and last logons. Above all, its actions involve no scripting or coding.


Thursday 28 August 2014

Inactive user and computer accounts in Active Directory open the gates for attackers and can cause serious security issues for you. Such inactive accounts might belong to users who have left the organization, users who log on to their accounts very rarely, or users who have moved to other positions so that the accounts are no longer useful to them. Regular checkups of AD to detect inactive accounts help you manage such accounts by disabling them, deleting them, moving them to another OU, or resetting their passwords.

Inactive user and computer accounts in AD can be detected with the following dsquery commands:

For Users:

dsquery user -inactive <NumWeeks>

To find users who have not logged on to their accounts in the past 12 weeks, use the above query as dsquery user -inactive 12

For Computers:

dsquery computer -inactive <NumWeeks> 

To find computers that have been idle for the past 12 weeks, use the above query as dsquery computer -inactive 12

Identifying and managing inactive accounts is a time-consuming and tiring task. You can also use automated software for Active Directory cleanup ( http://www.lepide.com/active-directory-cleaner/ ) for this.