With thousands of computers and user accounts in an Active Directory network, it is difficult for AD administrators to keep track of the activity status of every account. Some AD accounts are created for temporary use, and most of them remain unused after that short period. User accounts of employees who have left the organization may likewise remain unattended. The situation is similar when an organization relies on temporary computers for short periods. Also, there can be users who regularly log on to AD through some indirect means for convenience. All of this leads to numerous unused user accounts in Active Directory. Here we discuss various issues related to stale AD accounts that have been inactive or unused for a long period.
What are the issues associated with stale AD accounts?
First of all, IT auditors do not like stale AD accounts! The main reason is that such accounts can be a source of security issues. To meet security compliance requirements and keep the AD environment safe, administrators have to disable and remove all such user accounts from time to time.
What to do with obsolete and unnecessary AD accounts?
Administrators need to clean up obsolete and unnecessary AD accounts on a regular basis. They should disable such accounts and delete them permanently to meet security compliance requirements and to eliminate the chance of security breaches. The accounts can also be moved to an Organizational Unit.
How to look for inactive AD accounts?
You can query for inactive users and computers using Windows PowerShell. Here are the commands to find accounts that have been inactive for 90 days:
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 90.00:00:00
How to remove inactive user and computer accounts?
As discussed, it is advisable to remove unused Active Directory accounts. Administrators can remove such accounts using suitable Windows PowerShell scripts.
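A staged cleanup along the lines described above (find, disable, move to an Organizational Unit, delete later), as an added example that is not part of the original post. It assumes the ActiveDirectory module is installed; the quarantine OU distinguished name and the report path are placeholders.

```powershell
# Added example: disable and quarantine inactive user accounts before any deletion.
# Assumptions: ActiveDirectory module (RSAT) available; the OU below is a placeholder.
Import-Module ActiveDirectory

$InactiveFor  = New-TimeSpan -Days 90
$Cutoff       = (Get-Date) - $InactiveFor
$QuarantineOU = 'OU=Stale Accounts,DC=example,DC=com'   # placeholder DN, replace with your own
$ReportPath   = Join-Path $env:TEMP ("stale-users-{0:yyyyMMdd}.csv" -f (Get-Date))

# -AccountInactive is evaluated against lastLogonTimestamp, which replicates
# between domain controllers with a lag of up to about 14 days.
$stale = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $InactiveFor |
    Where-Object { $_.Enabled } |                        # ignore accounts already disabled
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated
    } |
    Where-Object {
        # Skip recently created accounts that have not logged on yet
        $_.LastLogonDate -or $_.whenCreated -lt $Cutoff
    }

# Keep a record for auditors before changing anything
$stale |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($user in $stale) {
    $note = "Disabled as inactive on {0:yyyy-MM-dd}" -f (Get-Date)
    # -WhatIf only prints what would change; remove it after reviewing the CSV
    Set-ADUser        -Identity $user -Description $note -WhatIf
    Disable-ADAccount -Identity $user -WhatIf
    # Move last, because moving changes the object's distinguished name
    Move-ADObject     -Identity $user.DistinguishedName -TargetPath $QuarantineOU -WhatIf
}
```

Service accounts and other accounts that authenticate without an interactive logon should be reviewed in the CSV before the `-WhatIf` switches are removed.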
Are there other methods for removing AD accounts?
Finding and removing inactive AD accounts can also be done using professional tools. They help AD administrators perform cleanup tasks automatically and on a routine basis without using Windows PowerShell scripts, and they make it easier to meet security compliance requirements. Lepide Active Directory Cleaner is one such tool.
What are the advantages of Lepide Active Directory Cleaner?
Lepide Active Directory Cleaner is an excellent tool to find inactive AD user accounts, and to schedule the automatic cleanup of Active Directory. It allows users to set passwords, and to disable, move, or delete inactive accounts. It also provides reports on inactive accounts, users who have never logged on, and last logons. Above all, its actions involve no scripting or coding.