Solved

old AD accounts

Posted on 2014-04-02
Last Modified: 2014-04-03
Aside from the obvious (i.e. ex-employees still being able to access your network and data), what other risks are there in not disabling domain accounts that haven't accessed your domain in, say, 150 days? Does this cause any other risks aside from the security issue? Is there any best-practice way to handle these types of users (i.e. who may genuinely only need to access your domain very infrequently)?
Question by:pma111
3 Comments
 
LVL 8

Accepted Solution

by:
MarkieS earned 167 total points
ID: 39971892
Hi,
If you have a client that needs to access that infrequently I would disable their account until such time as they request access be allowed again.
I would then ask how long they want access for and set myself a follow-up reminder to revoke their access after that time.
Also bear in mind that any service that integrates with your Active Directory (Email/Web Filtering etc etc) will also still be available to your non-disabled accounts.
cheers
Mark S.
 
LVL 4

Assisted Solution

by:Dash Amr
Dash Amr earned 167 total points
ID: 39971908
Inactive user accounts in Active Directory could prove to be chinks in the armor if left unnoticed! That's the reason why Inactive User Report ranks among the top 10 much-sought-after security reports.

It's a good security practice to regularly comb Active Directory, find any inactive user accounts and disable/de-provision them. Since native tools, PowerShell, etc. make this task complex, this is one area where an automated Active Directory reporting and email notification system could help immensely.

Download ADManager Plus 6.1 to automate the process; a 30-day trial is below:
http://www.manageengine.com/products/ad-manager/download.html
 
LVL 13

Assisted Solution

by:SagiEDoc
SagiEDoc earned 166 total points
ID: 39971933
The biggest issue is disabling a user's domain account that is associated with a service; the account may appear inactive but it is being used. Another issue is remote users coming in via the VPN; they will not always log onto the domain but they are using their AD accounts.
For users who require access but do not frequently access the domain I set these domain accounts to expire after, say, a week. When they need access they let me know and I enable the account again and move the expiry out a week. This works well depending on how many users you have that access the domain in this fashion.
For the rest of the accounts you can write a script that finds the inactive accounts, disables them and moves them to an OU, and updates the account description with the date the account was disabled; then, after a set period of time, all accounts that have not been re-enabled can be deleted.
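The disable, move, stamp and later delete workflow described in the last answer could be scripted as follows. This is an added example, not code from anyone in the thread; the OU path, the 90-day grace period, the description marker and the rule that skips accounts carrying a servicePrincipalName are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example. OU path, grace period, marker text and the SPN rule are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays    = 150,   # threshold mentioned in the question
    [int]$DeleteAfterDays = 90,    # assumed grace period before deletion
    [string]$QuarantineOU = 'OU=Disabled Users,DC=example,DC=com'   # placeholder
)
$marker = 'DisabledInactive'       # prefix written into the description
$now    = Get-Date

# Phase 1: enabled users with no logon inside the window.
# Search-ADAccount reads lastLogonTimestamp, which by default can lag the real
# logon by up to about 14 days, so keep the threshold well above that.
$stale = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $InactiveDays) |
    Where-Object Enabled |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties servicePrincipalName, whenCreated, Description } |
    Where-Object {
        # Keep only accounts without an SPN (an SPN suggests a service account)
        # that were created before the window (newer ones may not have logged on yet).
        -not $_.servicePrincipalName -and
        $_.whenCreated -lt $now.AddDays(-$InactiveDays)
    }

foreach ($u in $stale) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable, stamp and move')) {
        Disable-ADAccount -Identity $u.DistinguishedName
        $note = ('{0} {1:yyyy-MM-dd} {2}' -f $marker, $now, $u.Description).Trim()
        Set-ADUser -Identity $u.DistinguishedName -Description $note
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $QuarantineOU
    }
}

# Phase 2: delete accounts that are still disabled after the grace period.
$cutoff = $now.AddDays(-$DeleteAfterDays)
Get-ADUser -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' -Properties Description |
    Where-Object {
        $_.Description -match "^$marker (\d{4}-\d{2}-\d{2})" -and
        [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $cutoff
    } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Delete')) {
            Remove-ADUser -Identity $_.DistinguishedName -Confirm:$false
        }
    }
```

Running it with `-WhatIf` lists what would be changed without touching anything, which gives a chance to spot the service and VPN-only accounts mentioned above before they are disabled.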
