unauthorized user accounts in AD

What would your definition of "unauthorized user accounts " in an AD environment? Can you provide an example of the types of accounts and parameters that would flag up such accounts? Out of interest, is there any easy way to list just for domain accounts whose passwords dont exprie - a last login date if it was >50 days ago.

So all domain accounts with password doesnt expire = yes. And last login date.

What procedures do you follow and how often to identify inappropriate user accounts?
LVL 3
pma111Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
jhyieslaConnect With a Mentor Commented:
Take a look at the DoveStones software suite; http://www.dovestones.com/

They make a suite of products for AD that allow modifications in bulk and several good reporting tools.

We do something similar to what you are suggesting to clean up individuals who have fallen through the cracks.

But as good an idea as this is, it also helps to control the front end.  We have a process in place where all new adds to AD need to go through a security request procedure; the outliers in this area are usually IT related.

Second, when a person leaves, we go through that same security procedure, which tends to hold down on this issue.  We do have partners who gain access to our network and the main thing there is that there is no good way to capture when someone leaves, so the reports that I generate catch them.
0
 
TymetwisterConnect With a Mentor Commented:
How many users are your company? If it's a small enough company you should just be able to go through and disable the accounts of those who don't work there anymore. Or is it too large?
0
 
pma111Author Commented:
To large for that, and I really want a report that can identify:

So all domain accounts with password doesnt expire = yes. And last login date (wth parameter of over 50 days).
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
pma111Author Commented:
I dont suppose you could provide a list of all ad user account mgmt reports you run to identify such. Non expiring passwords and last login was just one example Id thought of, was hoping others may chime in with others.

Ideally a free tool was my aim.
0
 
jhyieslaCommented:
I primarily look for users who have not logged in for over 60 days. Since we do pretty much control who gets in AD, I'm not as concerned about non-expiring passwords since 99.9% of our users have expiring passwords. Once I identify individuals who meet the above criteria, I check with HR to make sure there's not some HR reason they haven't logged in.

We chose this suite of products because they seemed to be full-featured and not very expensive.  You might take a look at Spiceworks:  http://www.spiceworks.com/free-active-directory-management-software/

I think this is free, but I've never used it so I can't comment on it's usefulness.
0
 
pma111Author Commented:
adfind seems a good choice to (and free)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.