Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

unauthorized user accounts in AD

Posted on 2012-03-15
6
Medium Priority
?
397 Views
Last Modified: 2012-06-27
What would your definition of "unauthorized user accounts " in an AD environment? Can you provide an example of the types of accounts and parameters that would flag up such accounts? Out of interest, is there any easy way to list just for domain accounts whose passwords dont exprie - a last login date if it was >50 days ago.

So all domain accounts with password doesnt expire = yes. And last login date.

What procedures do you follow and how often to identify inappropriate user accounts?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 8

Assisted Solution

by:Tymetwister
Tymetwister earned 800 total points
ID: 37724199
How many users are your company? If it's a small enough company you should just be able to go through and disable the accounts of those who don't work there anymore. Or is it too large?
0
 
LVL 3

Author Comment

by:pma111
ID: 37724237
To large for that, and I really want a report that can identify:

So all domain accounts with password doesnt expire = yes. And last login date (wth parameter of over 50 days).
0
 
LVL 28

Accepted Solution

by:
jhyiesla earned 1200 total points
ID: 37724284
Take a look at the DoveStones software suite; http://www.dovestones.com/

They make a suite of products for AD that allow modifications in bulk and several good reporting tools.

We do something similar to what you are suggesting to clean up individuals who have fallen through the cracks.

But as good an idea as this is, it also helps to control the front end.  We have a process in place where all new adds to AD need to go through a security request procedure; the outliers in this area are usually IT related.

Second, when a person leaves, we go through that same security procedure, which tends to hold down on this issue.  We do have partners who gain access to our network and the main thing there is that there is no good way to capture when someone leaves, so the reports that I generate catch them.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 3

Author Comment

by:pma111
ID: 37724312
I dont suppose you could provide a list of all ad user account mgmt reports you run to identify such. Non expiring passwords and last login was just one example Id thought of, was hoping others may chime in with others.

Ideally a free tool was my aim.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 37724350
I primarily look for users who have not logged in for over 60 days. Since we do pretty much control who gets in AD, I'm not as concerned about non-expiring passwords since 99.9% of our users have expiring passwords. Once I identify individuals who meet the above criteria, I check with HR to make sure there's not some HR reason they haven't logged in.

We chose this suite of products because they seemed to be full-featured and not very expensive.  You might take a look at Spiceworks:  http://www.spiceworks.com/free-active-directory-management-software/

I think this is free, but I've never used it so I can't comment on it's usefulness.
0
 
LVL 3

Author Comment

by:pma111
ID: 37724552
adfind seems a good choice to (and free)
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question