The Security Threat of Inactive Accounts
Inactive user and computer accounts not only clutter up your system, but they also pose serious security threats. Hackers frequently target unused or disabled accounts to gain access into your network.
Deactivating and Deleting Accounts
When employees leave the company, it is imperative that you disable the account immediately, and keep it disabled for a period of time decided upon by your organization. If you decide that the period of time is six months for example, you should permanently delete the account after six months. However, the period of time between disabling the account and deletion may need to be decided on an individual basis. If there is a reasonable chance that the employee may return to work (after a leave of absence for example), then keep the account disabled for that specific amount of time.
Note: We've recently reviewed a Solid tool called Access Rights Manager that can do all this for you from a central Dashboard. Check out our post on it and give it a try to see if it aligns with your needs.
Tools for Account Management
Before permanently deleting an account, it is best practice to export the information so that you can view it at a later time if needed. A quick and easy way to manage Active Directory cleanup is to use SolarWinds Admin Bundle for Active Directory for this purpose.
Follow these steps to clean up user and computer accounts.
User Account Removal Tool
- Download and Install the AD Admin Tool Bundle from HERE.
- After downloading and launching the tool,
select the User Account Removal Tool.
- Enter your Credential information and test those credentials by clicking the Test button – (Make sure the user you are testing has the correct Privileges for Removing Users/Accounts from Active Directory – a Domain Administrator account should suffice.)Then click Next to list the accounts.
- The next screen will populate with all your Active Directory User accounts. You can then change the date by clicking on the down arrow in the date field:
You can also filter to select or deselect accounts. Type the filter into the Filter Field next to the date and time field as seen below:
- Select the Accounts that you want to remove by clicking the checkbox next to them.As you may have seen, there is an Export button if you would like to keep a list of accounts for your Records.Click the Export button on the bottom to export the list to a file.You can then select which columns you would like to export, including “Display Name”, “Last Logon” and “Directory Entry Path”, as seen below:
- Finally, if you've exported out the accounts in question or not, you can simply click Remove to remove the accounts from the Active Directory.
Removing Computer Accounts
To remove inactive computer accounts, follow the same procedure, except select the Inactive Computer Removal Tool this time.
- Again, enter your credentials and click the Test button to test them. Click Next.
- A list of computers will display.
- You can export the list by clicking the Export button.
- You can remove them by clicking the Remove button. You can also filter them by typing a filter into the filter search field as well if needed.
Following the above procedure is a quick and easy way to keep inactive accounts from cluttering up your directory.
In addition, the software has the functionality to view Last Login Time of Users (by exporting out the information using the EXPORT feature) and the ability to Bulk Import Users.
These features serve you well in knowing when users have last accessed your system, in addition to providing a simple way to import many users in a single session.
While you can use Windows PowerShell and other tools for active directory clean-up, SolarWinds free tool provides a much better GUI while being very simple to use.
It is an easy way to perform Active Directory cleanup to not only keep your system tidy, but also ensure your environment doesn't have any accounts/computers floating around that could be used for malicious intents.