Solved

old AD accounts

Posted on 2014-04-02
Last Modified: 2014-04-03
Aside from the obvious (i.e. ex-employees still being able to access your network and data), what other risks are there in not disabling domain accounts that haven't accessed your domain in, say, 150 days? Does this cause any other risks aside from the security issue? Is there any best-practice way to handle these types of users (i.e. those who may genuinely only need to access your domain very infrequently)?
Question by:pma111
3 Comments
 
LVL 8

Accepted Solution

by:
MarkieS earned 167 total points
ID: 39971892
Hi,
If you have a client that needs to access that infrequently, I would disable their account until such time as they request access be allowed again.
I would then ask how long they want access for and set myself a follow-up reminder to revoke their access after that time.
Also bear in mind that any service that integrates with your Active Directory (email, web filtering, etc.) will also still be available to your non-disabled accounts.
cheers
Mark S.
 
LVL 4

Assisted Solution

by:Dash Amr
Dash Amr earned 167 total points
ID: 39971908
Inactive user accounts in Active Directory could prove to be chinks in the armor if left unnoticed! That's the reason why the Inactive User Report ranks among the top 10 most sought-after security reports.

It's a good security practice to regularly comb Active Directory, find any inactive user accounts and disable/de-provision them. Since native tools, PowerShell, etc. make this task complex, this is one area where an automated Active Directory reporting and email notification system could help immensely.

Download ADManager Plus 6.1 to automate the process (30-day trial):
http://www.manageengine.com/products/ad-manager/download.html
 
LVL 13

Assisted Solution

by:SagiEDoc
SagiEDoc earned 166 total points
ID: 39971933
The biggest issue is disabling a user's domain account that is associated with a service; the account may appear inactive, but it is being used. Another issue is remote users coming in via the VPN: they will not always log onto the domain, but they are using their AD accounts.
For users who require access but do not frequently access the domain, I set these domain accounts to expire after, say, a week. When they need access they let me know, and I enable the account again and move the expiry out a week. This works well depending on how many users you have that access the domain in this fashion.
For the rest of the accounts you can write a script that finds the inactive accounts, disables them and moves them to an OU, and updates the account description with the date the account was disabled; then, after a set period of time, all accounts that have not been re-enabled can be deleted.
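The two approaches described in the answers above (disable-on-request with a short expiry, and a scheduled sweep that disables, tags, moves and eventually deletes idle accounts) are shown below as one PowerShell script. This is an added example, not code from the thread or from any product mentioned in it. It assumes the RSAT ActiveDirectory module; the OU path, the exclusion group name, the 150-day threshold and the 90-day grace period are placeholders chosen for the example. The exclusion group and the SPN check are there to address the caveat about service accounts and VPN-only users that look idle but are in use.

```powershell
# Added example: inactive-account handling for Active Directory.
# Requires the ActiveDirectory module (RSAT). All names/paths below are placeholders.
Import-Module ActiveDirectory

$InactiveDays    = 150                                         # threshold from the question
$DeleteAfterDays = 90                                          # grace period before deletion (placeholder)
$DisabledOU      = 'OU=Disabled-Inactive,DC=example,DC=com'    # holding OU (placeholder)
$ExclusionGroup  = 'AD-Sweep-Exclusions'                       # service/VPN accounts go here (placeholder)
$Tag             = 'Auto-disabled inactive'                    # marker written into the description

# --- Approach 1: a known infrequent user asks for access. Enable the account and
# let it expire on its own after $Days, so forgetting to revoke is not a risk.
function Grant-TemporaryAccess {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Days = 7)
    $expires = (Get-Date).AddDays($Days)
    Enable-ADAccount -Identity $SamAccountName
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $expires
    Set-ADUser -Identity $SamAccountName -Description "Temporary access until $($expires.ToString('yyyy-MM-dd'))"
}

# --- Approach 2: scheduled sweep. Disable, tag and park accounts idle for $InactiveDays;
# delete parked accounts that were never re-enabled within $DeleteAfterDays.
function Invoke-InactiveAccountSweep {
    # Accounts that look idle but are in use (service accounts, VPN-only users)
    # are placed in the exclusion group so the sweep never touches them.
    $excluded = Get-ADGroupMember -Identity $ExclusionGroup -Recursive |
                Select-Object -ExpandProperty DistinguishedName

    # Step 1: enabled users with no logon in $InactiveDays. Note that lastLogonTimestamp
    # replicates lazily (it can be up to 14 days stale), so a long threshold like 150 days
    # is safe; a 7-day threshold would produce false positives.
    $candidates = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled -and ($_.DistinguishedName -notin $excluded) } |
        Get-ADUser -Properties LastLogonDate, ServicePrincipalName, Description

    foreach ($u in $candidates) {
        # An account carrying an SPN is a service identity even if nobody "logs on" with it.
        if ($u.ServicePrincipalName) { continue }

        $stamp = "$Tag $(Get-Date -Format 'yyyy-MM-dd') (last logon: $($u.LastLogonDate))"
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description $stamp          # record when and why it was disabled
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $DisabledOU
    }

    # Step 2: anything still disabled in the holding OU past the grace period is deleted.
    # The disable date is parsed back out of the description written in step 1.
    $cutoff = (Get-Date).AddDays(-$DeleteAfterDays)
    Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $DisabledOU |
        Get-ADUser -Properties Description |
        Where-Object {
            $_.Description -match "^$Tag (\d{4}-\d{2}-\d{2})" -and ([datetime]$Matches[1] -lt $cutoff)
        } |
        Remove-ADUser -Confirm:$false
}

# Usage (run as a scheduled task for the sweep; call Grant-TemporaryAccess on request):
# Invoke-InactiveAccountSweep
# Grant-TemporaryAccess -SamAccountName 'jdoe' -Days 7
```

Before scheduling the sweep, run the first pass with `-WhatIf` on `Disable-ADAccount`, `Move-ADObject` and `Remove-ADUser` and review the candidate list; an account re-enabled by an administrator during the grace period is no longer matched by the deletion query because it is no longer disabled, which is what makes the "re-enable to keep" workflow work.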
