?
Solved

unauthorized user accounts in AD

Posted on 2012-03-15
6
Medium Priority
?
401 Views
Last Modified: 2012-06-27
What would your definition of "unauthorized user accounts " in an AD environment? Can you provide an example of the types of accounts and parameters that would flag up such accounts? Out of interest, is there any easy way to list just for domain accounts whose passwords dont exprie - a last login date if it was >50 days ago.

So all domain accounts with password doesnt expire = yes. And last login date.

What procedures do you follow and how often to identify inappropriate user accounts?
0
Comment
Question by:pma111
  • 3
  • 2
6 Comments
 
LVL 8

Assisted Solution

by:Tymetwister
Tymetwister earned 800 total points
ID: 37724199
How many users are your company? If it's a small enough company you should just be able to go through and disable the accounts of those who don't work there anymore. Or is it too large?
0
 
LVL 3

Author Comment

by:pma111
ID: 37724237
To large for that, and I really want a report that can identify:

So all domain accounts with password doesnt expire = yes. And last login date (wth parameter of over 50 days).
0
 
LVL 28

Accepted Solution

by:
jhyiesla earned 1200 total points
ID: 37724284
Take a look at the DoveStones software suite; http://www.dovestones.com/

They make a suite of products for AD that allow modifications in bulk and several good reporting tools.

We do something similar to what you are suggesting to clean up individuals who have fallen through the cracks.

But as good an idea as this is, it also helps to control the front end.  We have a process in place where all new adds to AD need to go through a security request procedure; the outliers in this area are usually IT related.

Second, when a person leaves, we go through that same security procedure, which tends to hold down on this issue.  We do have partners who gain access to our network and the main thing there is that there is no good way to capture when someone leaves, so the reports that I generate catch them.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 3

Author Comment

by:pma111
ID: 37724312
I dont suppose you could provide a list of all ad user account mgmt reports you run to identify such. Non expiring passwords and last login was just one example Id thought of, was hoping others may chime in with others.

Ideally a free tool was my aim.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 37724350
I primarily look for users who have not logged in for over 60 days. Since we do pretty much control who gets in AD, I'm not as concerned about non-expiring passwords since 99.9% of our users have expiring passwords. Once I identify individuals who meet the above criteria, I check with HR to make sure there's not some HR reason they haven't logged in.

We chose this suite of products because they seemed to be full-featured and not very expensive.  You might take a look at Spiceworks:  http://www.spiceworks.com/free-active-directory-management-software/

I think this is free, but I've never used it so I can't comment on it's usefulness.
0
 
LVL 3

Author Comment

by:pma111
ID: 37724552
adfind seems a good choice to (and free)
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question