Many Exchange administrators are very much aware of the security threats posed by unused or stale AD accounts, both user accounts and computer accounts. A stale account keeps its group memberships, its password and any delegated rights, but nobody is using it or watching it, so a guessed, reused or leaked credential for it can be exploited for a long time before anyone notices. To keep the AD environment secure, it is essential to disable and remove such accounts without fail. For this reason, IT auditors lay special emphasis on stale or inactive accounts, and removing them is also necessary to meet security compliance requirements.
Here come some very important questions: how do you know whether an account is inactive? How can such accounts be identified easily? And what do you do with them once they are identified? Many AD administrators look for user-friendly tools that largely automate the process of finding and removing unused accounts. AD cleanup tools like Active Directory Cleaner are widely used for managing stale user accounts and computer accounts.
How to find if an account is unused?
Two attributes help you decide whether an AD user account or computer account is active or inactive: LastLogon and LastLogonTimeStamp. They answer the same question with different trade-offs, so it pays to understand both.
- LastLogon
LastLogon holds the time of the last logon that a particular Domain Controller authenticated for the user or computer account. It is written only to the directory on that Domain Controller and is never replicated, so every DC holds its own value for the same account, and a DC that has never authenticated the account holds no value at all.
- LastLogonTimeStamp
LastLogonTimeStamp exists specifically to find inactive user and computer accounts. It is an approximate value: a DC rewrites it only when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default) minus a random 0-5 days, so it can lag the real last logon by up to 14 days. In exchange, the attribute is replicated to all Domain Controllers. It requires the Windows Server 2003 domain functional level or later.
Finding stale user and computer accounts
LastLogon is the real last logon time of the computer or user account. But because that value is held only by the DC that authenticated the logon, you have to query every Domain Controller and take the most recent value before deciding that an account is inactive; reading a single DC can show an account as unused that logged on yesterday against a different DC.
To decide whether an account is unused, LastLogonTimeStamp is more convenient because it is replicated to all DCs: the value for any user or computer can be read from a single Domain Controller. The price is that it may be up to 14 days out of date, so the inactivity threshold you choose must be comfortably longer than that window.
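The two-pass approach described above, as an added PowerShell example (not code from the original article or from Active Directory Cleaner). It assumes the RSAT ActiveDirectory module is installed, that the caller can query every DC in the domain, and a 90-day inactivity threshold; the first pass uses the replicated lastLogonTimestamp from one DC, the second confirms each candidate with the exact lastLogon gathered from all DCs, which removes the false positives that the 9-14 day update window of lastLogonTimestamp would otherwise produce.

```powershell
# Added example (not from the original article): find stale user and computer
# accounts. Pass 1 reads the replicated lastLogonTimestamp from one DC; pass 2
# confirms each candidate with lastLogon from every DC (it is not replicated).
# Assumptions: RSAT ActiveDirectory module; read access to all DCs; 90 days as
# the threshold, which must exceed lastLogonTimestamp's 14-day update interval.
Import-Module ActiveDirectory

$InactiveDays = 90
$Threshold    = (Get-Date).AddDays(-$InactiveDays)

# Both attributes are Windows FILETIME integers (100 ns ticks since 1601-01-01).
# 0 or absent means the DC has never seen this account log on.
function ConvertFrom-FileTime([Int64]$Value) {
    if ($Value -gt 0) { [DateTime]::FromFileTime($Value) }
}

# lastLogon lives only on the DC that authenticated the logon, so the true
# value is the newest one across all DCs. A DC that cannot be reached is
# reported, not silently ignored, because a missing DC means a missing logon.
function Get-LastLogonAllDCs {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $latest = $null
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $obj = Get-ADObject -Server $dc.HostName -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties lastLogon
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }
        if (-not $obj) { continue }
        $t = ConvertFrom-FileTime $obj.lastLogon
        if ($t -and (-not $latest -or $t -gt $latest)) { $latest = $t }
    }
    $latest
}

# Pass 1: one query against the current DC. objectClass=user also matches
# computer objects (computer derives from user); the userAccountControl bitwise
# match excludes accounts that are already disabled (ADS_UF_ACCOUNTDISABLE = 2).
$query = @{
    LDAPFilter = '(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Properties = 'sAMAccountName', 'lastLogonTimestamp', 'whenCreated'
}
$candidates = Get-ADObject @query | ForEach-Object {
    [PSCustomObject]@{
        SamAccountName     = $_.sAMAccountName
        Class              = $_.ObjectClass
        DistinguishedName  = $_.DistinguishedName
        WhenCreated        = $_.whenCreated
        LastLogonTimestamp = ConvertFrom-FileTime $_.lastLogonTimestamp
        LastLogon          = $null
    }
} | Where-Object {
    # An account that has never logged on has no timestamp at all; treat it as
    # stale only if it is older than the threshold, so freshly provisioned
    # accounts are not swept up.
    if ($_.LastLogonTimestamp) { $_.LastLogonTimestamp -lt $Threshold }
    else                       { $_.WhenCreated -lt $Threshold }
}

# Pass 2: confirm with the exact lastLogon. A logon that happened inside the
# lastLogonTimestamp update window shows up here and clears the account.
$stale = foreach ($c in $candidates) {
    $exact = Get-LastLogonAllDCs -SamAccountName $c.SamAccountName
    if (-not $exact -or $exact -lt $Threshold) {
        $c.LastLogon = $exact
        $c
    }
}

$stale | Sort-Object LastLogonTimestamp |
    Format-Table SamAccountName, Class, LastLogonTimestamp, LastLogon, WhenCreated -AutoSize
$stale | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
```

Pass 2 is the expensive part (one LDAP query per candidate per DC), which is why it runs only over the pass 1 candidates rather than over the whole domain. The CSV is the artefact to hand to an auditor or to review with the account owners before anything is disabled.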
How to find LastLogon time from a Domain Controller?
It is quite easy to check the LastLogon time on a Domain Controller.
- Launch the Active Directory Users and Computers snap-in from the Microsoft Management Console (MMC).
- Go to the View menu and enable Advanced Features (without it the Attribute Editor tab is hidden).
- Select the Users or Computers container, or the OU, in the domain.
- Right-click the required user or computer and click Properties.
- Open the Attribute Editor tab, scroll to the lastLogon attribute, and note its value. This is the value held by the DC the snap-in is connected to; to get the real last logon, repeat it on each DC (right-click the domain, Change Domain Controller) and keep the newest value.
How to find LastLogonTimeStamp?
In the same way you can read the lastLogonTimeStamp attribute from the Attribute Editor tab. Because it is replicated, one DC is enough, but remember that it may be up to 14 days behind the real last logon.
How to manage inactive or stale User and Computer accounts?
Administrators can disable stale user accounts and later delete them for good. If there are many such inactive accounts, moving them all to a single organizational unit before disabling and deleting them is more convenient: they are out of the way of day-to-day administration, it is obvious which accounts are in quarantine, and the whole OU can be reviewed before deletion.
Checking the LastLogonTimeStamp attribute helps you find inactive and stale accounts. You can disable and delete such accounts manually from the Microsoft Management Console (MMC) itself.
How to disable an Active Directory User or Computer account?
When an employee leaves the organization, his or her account is usually disabled first and deleted after a fixed period. Both can be done from Active Directory Users and Computers. Disabling first is recommended because it is reversible: if the account turns out to be needed after all (a service, scheduled task or mailbox still depends on it), it can simply be re-enabled. Deleting it also destroys the account's SID, leaving orphaned entries in every ACL and group that referenced it, and unless the AD Recycle Bin is enabled the object cannot be restored intact.
How to delete a User or Computer account?
A user or computer account can be deleted from Active Directory Users and Computers. Note that an object marked Protect object from accidental deletion must have that flag cleared first, and that a computer object may contain child objects (BitLocker recovery information, for example), in which case the console asks for confirmation to delete them as well.
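The disable, quarantine and delete lifecycle described above, as an added PowerShell example (not code from the original article or from Active Directory Cleaner). It assumes the RSAT ActiveDirectory module, a quarantine OU whose distinguished name below is hypothetical and must already exist, a 90-day inactivity threshold and a 60-day grace period before deletion. Both functions support -WhatIf, so the first run can be a dry run.

```powershell
# Added example (not from the original article). Lifecycle for stale accounts:
# disable, stamp the description with the date and reason, move to a quarantine
# OU, and delete only after a grace period. Both functions support -WhatIf.
# Assumptions: RSAT ActiveDirectory module; the quarantine OU DN below is
# hypothetical and must already exist; 90 days inactive, 60 days grace.
Import-Module ActiveDirectory

$QuarantineOU = 'OU=Stale Accounts,DC=example,DC=com'   # hypothetical
$InactiveDays = 90
$GraceDays    = 60
$Stamp        = 'STALE-DISABLED:'

function Invoke-StaleQuarantine {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Search-ADAccount -AccountInactive is built on lastLogonTimestamp, which is
    # refreshed at most every 9-14 days, so keep $InactiveDays well above 14.
    $inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
        Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$QuarantineOU" }
    foreach ($acct in $inactive) {
        $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties ProtectedFromAccidentalDeletion
        if ($obj.ProtectedFromAccidentalDeletion) {
            # The protection flag also blocks moves; leave these for a human.
            Write-Warning "$($acct.SamAccountName) is protected from accidental deletion; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Disable, stamp and move to quarantine OU')) {
            Disable-ADAccount -Identity $acct.DistinguishedName
            # The stamp lets the deletion pass compute the grace period and lets
            # a reviewer tell this apart from an HR-driven disable.
            Set-ADObject -Identity $acct.DistinguishedName -Description "$Stamp $(Get-Date -Format 'yyyy-MM-dd')"
            Move-ADObject -Identity $acct.DistinguishedName -TargetPath $QuarantineOU
        }
    }
}

function Invoke-StaleDeletion {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $cutoff  = (Get-Date).AddDays(-$GraceDays)
    $pattern = '^' + [regex]::Escape($Stamp) + ' (\d{4}-\d{2}-\d{2})'
    # objectClass=user matches computer objects too (computer derives from user).
    $quarantined = Get-ADObject -SearchBase $QuarantineOU -LDAPFilter '(objectClass=user)' -Properties description
    foreach ($obj in $quarantined) {
        if ($obj.description -notmatch $pattern) { continue }     # not stamped by this process
        $disabledOn = [DateTime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
        if ($disabledOn -gt $cutoff) { continue }                   # still inside the grace period
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Delete (disabled $($Matches[1]))")) {
            # -Recursive: computer objects often carry child objects (for example
            # BitLocker recovery information), which makes a plain delete fail.
            Remove-ADObject -Identity $obj -Recursive -Confirm:$false
        }
    }
}

# Dry run first; drop -WhatIf once the output looks right.
Invoke-StaleQuarantine -WhatIf
Invoke-StaleDeletion   -WhatIf
```

Keeping the "why and when" in the description attribute rather than in a spreadsheet means the information travels with the object and survives whoever ran the script; anything in the quarantine OU without that stamp (an HR-driven disable that someone moved there by hand, for instance) is deliberately left alone.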
Is it feasible to find and remove inactive accounts manually?
Active Directory administrators generally do not find it feasible to identify and remove stale accounts manually. Windows PowerShell scripts can do the job, but the process is somewhat involved and suits administrators who are comfortable with scripting. Professional tools such as Active Directory Cleaner (LADC) are considered the best option for managing inactive accounts. LADC helps you find inactive accounts, get detailed information about them, and disable, delete, or move them to another OU.

