Solved

old AD accounts

Posted on 2014-04-02
Last Modified: 2014-04-03
Aside from the obvious (i.e. ex-employees still being able to access your network and data), what other risks are there in not disabling domain accounts that haven't accessed your domain in, say, 150 days? Does this cause any other risks aside from the security issue? Is there any best-practice way to handle these types of users (i.e. those who may genuinely only need to access your domain very infrequently)?
Question by: pma111
3 Comments
 
Accepted Solution by: MarkieS (earned 167 points, ID: 39971892)
Hi,
If you have a client that needs to access that infrequently, I would disable their account until such time as they request access be allowed again.
I would then ask how long they want access for and set myself a follow-up reminder to revoke their access after that time.
Also bear in mind that any service that integrates with your Active Directory (Email/Web Filtering etc etc) will also still be available to your non-disabled accounts.
cheers
Mark S.
 
Assisted Solution by: Dash Amr (earned 167 points, ID: 39971908)
Inactive user accounts in Active Directory could prove to be chinks in the armor if left unnoticed! That's the reason why the Inactive User Report ranks among the top 10 most sought-after security reports.

It's a good security practice to regularly comb Active Directory, find any inactive user accounts and disable/de-provision them. Since native tools, PowerShell, etc. make this task complex, this is one area where an automated Active Directory reporting and email notification system could help immensely.

Download ADManager Plus 6.1 (30-day trial) to automate the process:
http://www.manageengine.com/products/ad-manager/download.html
 
Assisted Solution by: SagiEDoc (earned 166 points, ID: 39971933)
The biggest issue is disabling a user's domain account that is associated with a service: the account may appear inactive, but it is being used. Another issue is remote users coming in via the VPN; they will not always log on to the domain, but they are using their AD accounts.
For users who require access but do not frequently access the domain, I set these domain accounts to expire after, say, a week. When they need access they let me know, and I enable the account again and move the expiry out a week. This works well depending on how many users you have that access the domain in this fashion.
For the rest of the accounts you can write a script that finds the inactive accounts, disables them and moves them to an OU, updates the account description with the date the account was disabled, and then, after a set period of time, deletes all accounts that have not been re-enabled.
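The two approaches from the accepted answer and the last answer (a time-boxed re-enable that expires on its own, and a scheduled sweep that disables, quarantines and later deletes inactive accounts while skipping the service and VPN accounts the sweep would otherwise misclassify), as one added PowerShell example. This is not code posted in the thread. It assumes the RSAT ActiveDirectory module, a hypothetical quarantine OU `OU=Disabled,OU=Users,DC=corp,DC=example` and a hypothetical exclusion group `SVC-NoAutoDisable`; all three names are placeholders for your own environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original thread. The OU, the exclusion group and the
# function names below are assumptions; adjust them before use. Run with -WhatIf first.

function Grant-TemporaryAccess {
    # Re-enable an infrequent user for a fixed window. accountExpires does the revoking,
    # so no follow-up reminder is needed (accepted answer's "revoke after that time").
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Days = 7
    )
    $expires = (Get-Date).AddDays($Days)
    if ($PSCmdlet.ShouldProcess($SamAccountName, "enable until $($expires.ToString('yyyy-MM-dd'))")) {
        Enable-ADAccount -Identity $SamAccountName
        Set-ADAccountExpiration -Identity $SamAccountName -DateTime $expires
        Set-ADUser -Identity $SamAccountName -Description "Temporary access until $($expires.ToString('yyyy-MM-dd'))"
    }
}

function Invoke-InactiveAccountSweep {
    # Phase 1: disable + quarantine users inactive for $InactiveDays.
    # Phase 2: delete quarantined users that stayed disabled for $DeleteAfterDays.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$InactiveDays    = 150,
        [int]$DeleteAfterDays = 90,
        [string]$DisabledOU     = 'OU=Disabled,OU=Users,DC=corp,DC=example',   # assumption
        [string]$ExclusionGroup = 'SVC-NoAutoDisable'                           # assumption
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $tag    = 'AUTO-DISABLED'

    # Accounts that must never be swept: service accounts, VPN-only users, break-glass, etc.
    $excluded = @{}
    Get-ADGroupMember -Identity $ExclusionGroup -Recursive |
        ForEach-Object { $excluded[$_.distinguishedName] = $true }

    # Search-ADAccount -AccountInactive evaluates lastLogonTimestamp against the cutoff.
    $candidates = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties servicePrincipalName, whenCreated, description
        }

    foreach ($u in $candidates) {
        # Skip explicit exclusions, accounts carrying an SPN (used by a service that never
        # logs on interactively), and accounts created after the cutoff (never used yet).
        if ($excluded.ContainsKey($u.DistinguishedName))   { continue }
        if (@($u.servicePrincipalName).Count -gt 0)        { continue }
        if ($u.whenCreated -gt $cutoff)                    { continue }

        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'disable and move to quarantine OU')) {
            Disable-ADAccount -Identity $u
            # Record the disable date in the description so phase 2 can age it out.
            Set-ADUser -Identity $u -Description "$tag $(Get-Date -Format 'yyyy-MM-dd') | was: $($u.description)"
            Move-ADObject -Identity $u -TargetPath $DisabledOU
        }
    }

    # Phase 2: anything still disabled in the quarantine OU past the retention period is deleted.
    $deleteBefore = (Get-Date).AddDays(-$DeleteAfterDays)
    Get-ADUser -SearchBase $DisabledOU -Filter { Enabled -eq $false } -Properties description |
        ForEach-Object {
            if ($_.description -match "^$tag (\d{4}-\d{2}-\d{2})") {
                $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
                if ($disabledOn -lt $deleteBefore -and
                    $PSCmdlet.ShouldProcess($_.SamAccountName, "delete (disabled $($Matches[1]))")) {
                    Remove-ADUser -Identity $_ -Confirm:$false
                }
            }
        }
}

# Usage:
#   Invoke-InactiveAccountSweep -WhatIf            # dry run, prints what would change
#   Invoke-InactiveAccountSweep                    # scheduled task, e.g. weekly
#   Grant-TemporaryAccess -SamAccountName jdoe -Days 7
```

Two caveats worth knowing before scheduling this. lastLogonTimestamp is only replicated when it is more than 9 to 14 days stale, so it is accurate enough for a 150-day threshold but not for anything under two weeks. It is also updated by network logons, not just interactive ones, so VPN users who authenticate against AD will usually look active; the exclusion group exists for the ones who do not. Re-enabling an account that was disabled by the sweep does not clear the `AUTO-DISABLED` tag, so a re-enabled account should also be moved out of the quarantine OU and have its description restored, otherwise phase 2 ignores it only because of the `Enabled -eq $false` filter.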