unauthorized user accounts in AD

What would your definition of "unauthorized user accounts " in an AD environment? Can you provide an example of the types of accounts and parameters that would flag up such accounts? Out of interest, is there any easy way to list just for domain accounts whose passwords dont exprie - a last login date if it was >50 days ago.

So all domain accounts with password doesnt expire = yes. And last login date.

What procedures do you follow and how often to identify inappropriate user accounts?
LVL 4
pma111Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TymetwisterCommented:
How many users are your company? If it's a small enough company you should just be able to go through and disable the accounts of those who don't work there anymore. Or is it too large?
pma111Author Commented:
To large for that, and I really want a report that can identify:

So all domain accounts with password doesnt expire = yes. And last login date (wth parameter of over 50 days).
jhyieslaCommented:
Take a look at the DoveStones software suite; http://www.dovestones.com/

They make a suite of products for AD that allow modifications in bulk and several good reporting tools.

We do something similar to what you are suggesting to clean up individuals who have fallen through the cracks.

But as good an idea as this is, it also helps to control the front end.  We have a process in place where all new adds to AD need to go through a security request procedure; the outliers in this area are usually IT related.

Second, when a person leaves, we go through that same security procedure, which tends to hold down on this issue.  We do have partners who gain access to our network and the main thing there is that there is no good way to capture when someone leaves, so the reports that I generate catch them.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

pma111Author Commented:
I dont suppose you could provide a list of all ad user account mgmt reports you run to identify such. Non expiring passwords and last login was just one example Id thought of, was hoping others may chime in with others.

Ideally a free tool was my aim.
jhyieslaCommented:
I primarily look for users who have not logged in for over 60 days. Since we do pretty much control who gets in AD, I'm not as concerned about non-expiring passwords since 99.9% of our users have expiring passwords. Once I identify individuals who meet the above criteria, I check with HR to make sure there's not some HR reason they haven't logged in.

We chose this suite of products because they seemed to be full-featured and not very expensive.  You might take a look at Spiceworks:  http://www.spiceworks.com/free-active-directory-management-software/

I think this is free, but I've never used it so I can't comment on it's usefulness.
pma111Author Commented:
adfind seems a good choice to (and free)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.