Old AD accounts

Aside from the obvious (i.e. ex-employees still being able to access your network and data), what other risks are there in not disabling domain accounts that haven't accessed your domain in, say, 150 days? Does this cause any other risks aside from the security issue? Is there any best-practice way to handle these types of users (i.e. those who may genuinely only need to access your domain very infrequently)?

Asked by pma111 (LVL 3):
MarkieS commented:
Hi,
If you have a client that needs to access that infrequently, I would disable their account until such time as they request access be allowed again.
I would then ask how long they want access for and set myself a follow-up reminder to revoke their access after that time.
Also bear in mind that any service that integrates with your Active Directory (email, web filtering, etc.) will also still be available to your non-disabled accounts.
Cheers,
Mark S.

Dash Amr, Senior Specialist (PM), commented:
Inactive user accounts in Active Directory could prove to be chinks in the armor if left unnoticed! That's the reason why Inactive User Report ranks among the top 10 much-sought-after security reports.

It's a good security practice to regularly comb Active Directory, find any inactive user accounts and disable/de-provision them. Since native tools, PowerShell, etc. make this task complex, this is one area where an automated Active Directory reporting and email notification system could help immensely.

Download ADManager Plus 6.1 (30-day trial) to automate the process:
http://www.manageengine.com/products/ad-manager/download.html

Brett Danney, IT Architect, commented:
The biggest issue is disabling a user's domain account that is associated with a service: the account may appear inactive but it is being used. Another issue is remote users coming in via the VPN; they will not always log onto the domain, but they are using their AD accounts.
For users who require access but do not frequently access the domain, I set these domain accounts to expire after, say, a week. When they need access they let me know, and I enable the account again and move the expiry out a week. This works well depending on how many users you have that access the domain in this fashion.
For the rest of the accounts you can write a script that finds the inactive accounts, disables them and moves them to an OU, updates the account description with the date the account was disabled, and then, after a set period of time, deletes all accounts that have not been re-enabled.
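The staged process described in the last answer (find, disable, move, stamp, delete later), together with the temporary-access pattern both MarkieS and Brett Danney describe, as an added PowerShell example that is not code from any of the posters. It assumes the RSAT ActiveDirectory module and three hypothetical names: a holding OU `OU=Disabled-Stale,DC=example,DC=com`, an exemption group `NoAutoDisable` for service accounts and VPN-only users, and a description tag `AutoDisabled`. Accounts carrying a servicePrincipalName are skipped and reported rather than disabled, which addresses the service-account caveat above.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module (RSAT).
# Hypothetical names: $StaleOU, $ExemptGroup and $Tag are placeholders for your own environment.
Import-Module ActiveDirectory

$InactiveDays    = 150
$DeleteAfterDays = 90
$StaleOU         = "OU=Disabled-Stale,DC=example,DC=com"   # holding OU for auto-disabled accounts
$ExemptGroup     = "NoAutoDisable"                         # service accounts, VPN-only users, break-glass accounts
$Tag             = "AutoDisabled"                          # marker written into the description

# Caveat: lastLogonTimestamp is only replicated when it is more than ~9-14 days old,
# so "inactive" is approximate; never use a window shorter than 14 days.
$exempt = Get-ADGroupMember -Identity $ExemptGroup -Recursive |
          Select-Object -ExpandProperty DistinguishedName

# Step 1: enabled user accounts with no logon inside the inactivity window, minus the exemption group.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
         Where-Object { $_.Enabled -and ($_.DistinguishedName -notin $exempt) }

foreach ($acct in $stale) {
    $user = Get-ADUser -Identity $acct.DistinguishedName -Properties Description, ServicePrincipalName

    # An SPN means Kerberos services authenticate with this account; report, do not disable.
    if ($user.ServicePrincipalName.Count -gt 0) {
        Write-Warning "Skipping $($user.SamAccountName): has SPN(s), probably a service account"
        continue
    }

    # Step 2: disable, stamp the description with the date, keep the old description, move to the holding OU.
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "$Tag $stamp | was: $($user.Description)"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $StaleOU
    Write-Output "Disabled $($user.SamAccountName) on $stamp"
}

# Step 3: delete accounts that have sat disabled in the holding OU past the grace period.
# Re-enabled accounts are excluded by the Enabled filter. Remove -WhatIf once the output looks right.
$cutoff = (Get-Date).AddDays(-$DeleteAfterDays)
Get-ADUser -SearchBase $StaleOU -Filter { Enabled -eq $false } -Properties Description |
    Where-Object {
        ($_.Description -match "^$Tag (\d{4}-\d{2}-\d{2})") -and ([datetime]$Matches[1] -lt $cutoff)
    } |
    ForEach-Object { Remove-ADUser -Identity $_ -Confirm:$false -WhatIf }

# For users who genuinely need infrequent access: re-enable on request with a hard expiry
# (Brett Danney's one-week expiry), so the account closes itself instead of relying on a reminder.
function Grant-TemporaryAccess {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $Days = 7
    )
    Enable-ADAccount -Identity $SamAccountName
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime (Get-Date).AddDays($Days)
}
```

Run the script under an account with rights only on the user OUs involved, and keep the `-WhatIf` on the deletion step until the first few cycles have been reviewed; the description stamp is what makes the later deletion auditable, so do not let other tooling overwrite that field.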