Solved

old AD accounts

Posted on 2014-04-02
3
163 Views
Last Modified: 2014-04-03
aside from the obvious (i.e. ex employees still being able to access your network and data), what other risks are there in not disabling domain accounts who havent accessed your domain in say 150 days? Does this cause any other risks aside from the security issue? Is there any best practice way to handle these types of users (i.e. who may genuinely only need to access your domain very infrequently)?
0
Comment
Question by:pma111
3 Comments
 
LVL 8

Accepted Solution

by:
MarkieS earned 167 total points
ID: 39971892
Hi,
If you have a client that needs to access that infrequently I would disable thier account until such time as they request access be allowed again.
I would then ask how long they want access for and set myself a follow up reminder to revoke thier access after that time.
Also bear in mind that any service that integrates with your Active Directory (Email/Web Filtering etc etc) will also still be available to your non-disabled accounts.
cheers
Mark S.
0
 
LVL 4

Assisted Solution

by:Dash Amr
Dash Amr earned 167 total points
ID: 39971908
Inactive user accounts in Active Directory could prove to be chinks in the armor if left unnoticed! That's the reason why Inactive User Report ranks among the top 10 much-sought-after security reports.

It's a good security practice to regularly comb Active Directory, find any inactive user accounts and disable/de-provision them. Since native tools, PowerShell, etc. make this task complex, This is one area, where automated Active Directory reporting and email notification system could help immensely.

Download ADManager Plus 6 .1 to Automate the Process below a 30 day trial
http://www.manageengine.com/products/ad-manager/download.html
0
 
LVL 13

Assisted Solution

by:SagiEDoc
SagiEDoc earned 166 total points
ID: 39971933
The biggest issue is disabling a users domain account that is associated with a service, the account may appear inactive but it is being used. Another issue is remote users coming in via the VPN, they will not always log onto the domain but they are using their AD accounts.
For users who require access but do not frequently access the domain I set these domain accounts to expire after say a week. When they need access they let me know and I enable the account again and move the expiry out a week. This works well depending on how many users you have that access the domain in this fashion.
For the rest of the accounts you can write  script that finds the inactive accounts, disables them and moves them to an OU, update the account description with the date the account was disabled, then after a set period of time all accounts that have not been re-enabled can be deleted.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

27 Experts available now in Live!

Get 1:1 Help Now