Solved

unauthorized user accounts in AD

Posted on 2012-03-15
6
396 Views
Last Modified: 2012-06-27
What would your definition of "unauthorized user accounts " in an AD environment? Can you provide an example of the types of accounts and parameters that would flag up such accounts? Out of interest, is there any easy way to list just for domain accounts whose passwords dont exprie - a last login date if it was >50 days ago.

So all domain accounts with password doesnt expire = yes. And last login date.

What procedures do you follow and how often to identify inappropriate user accounts?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 8

Assisted Solution

by:Tymetwister
Tymetwister earned 200 total points
ID: 37724199
How many users are your company? If it's a small enough company you should just be able to go through and disable the accounts of those who don't work there anymore. Or is it too large?
0
 
LVL 3

Author Comment

by:pma111
ID: 37724237
To large for that, and I really want a report that can identify:

So all domain accounts with password doesnt expire = yes. And last login date (wth parameter of over 50 days).
0
 
LVL 28

Accepted Solution

by:
jhyiesla earned 300 total points
ID: 37724284
Take a look at the DoveStones software suite; http://www.dovestones.com/

They make a suite of products for AD that allow modifications in bulk and several good reporting tools.

We do something similar to what you are suggesting to clean up individuals who have fallen through the cracks.

But as good an idea as this is, it also helps to control the front end.  We have a process in place where all new adds to AD need to go through a security request procedure; the outliers in this area are usually IT related.

Second, when a person leaves, we go through that same security procedure, which tends to hold down on this issue.  We do have partners who gain access to our network and the main thing there is that there is no good way to capture when someone leaves, so the reports that I generate catch them.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 3

Author Comment

by:pma111
ID: 37724312
I dont suppose you could provide a list of all ad user account mgmt reports you run to identify such. Non expiring passwords and last login was just one example Id thought of, was hoping others may chime in with others.

Ideally a free tool was my aim.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 37724350
I primarily look for users who have not logged in for over 60 days. Since we do pretty much control who gets in AD, I'm not as concerned about non-expiring passwords since 99.9% of our users have expiring passwords. Once I identify individuals who meet the above criteria, I check with HR to make sure there's not some HR reason they haven't logged in.

We chose this suite of products because they seemed to be full-featured and not very expensive.  You might take a look at Spiceworks:  http://www.spiceworks.com/free-active-directory-management-software/

I think this is free, but I've never used it so I can't comment on it's usefulness.
0
 
LVL 3

Author Comment

by:pma111
ID: 37724552
adfind seems a good choice to (and free)
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question