
Find Inactive and Unused AD Accounts

With thousands of computer and user accounts in an Active Directory network, it is difficult for AD administrators to know the activity status of every one of them. Some AD accounts are created for temporary use and many of them remain in place long after that short period has ended. User accounts of employees who have left the organization may likewise remain unattended. The situation is similar when an organization relies on temporary computers for short periods. There are also users who regularly log on to AD through some indirect means, for convenience, so that their own accounts see no direct use. All of this leads to numerous unused user accounts in the Active Directory. Here we will discuss various issues related to stale AD accounts that have been inactive or unused for a long period.
What are the issues associated with stale AD accounts?
First of all, IT auditors do not like stale AD accounts! The main reason is that such accounts are a source of security issues: nobody is watching them, so misuse of one is unlikely to be noticed. In order to meet security compliance requirements and to keep the AD environment safe, administrators have to disable and remove such accounts from time to time.
What to do with obsolete and unnecessary AD accounts?
Administrators need to clean up obsolete and unnecessary AD accounts on a regular basis. They should disable such accounts and then delete them to meet security compliance requirements and to eliminate the chances of a security breach. As an intermediate step, disabled accounts can be moved to a dedicated Organizational Unit as well.
How to look for inactive AD accounts?
You can query for inactive users and computers using the ActiveDirectory Windows PowerShell module (load it with Import-Module ActiveDirectory). Here are the commands that one can use to find accounts that have been inactive for 90 days; the time span is written in the explicit days.hours:minutes:seconds form so that it is not misread as 90 ticks:
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 90.00:00:00
Note that -AccountInactive is evaluated against the lastLogonTimestamp attribute, which is replicated only every 9 to 14 days, so the threshold is only accurate to that granularity, and accounts that have never logged on at all are also returned.
How to remove inactive user and computer accounts?
As discussed, it is advisable to remove unused Active Directory accounts. Administrators can remove such accounts using suitable Windows PowerShell scripts, typically by disabling them first, moving them to a holding Organizational Unit, and deleting them only after a grace period in which nobody has asked for the account back.
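The following script is an added example, not code from the original page or from any product it mentions. It ties the find and remove steps together: it runs report-only by default, writes the candidate list to a CSV so it can be reviewed, and only with -Commit disables each account, records why in its description, and moves it to a quarantine OU. It assumes the ActiveDirectory module is installed and that the running account has rights on the OUs involved; the quarantine OU distinguished name is a placeholder to replace with one from your own domain.

```powershell
<#
  Added example (not from the original page): report-first cleanup of inactive
  AD user accounts. Default is report-only; -Commit disables and moves accounts.
  Assumptions: the ActiveDirectory module is installed, the running account has
  rights on the target OUs, and $QuarantineOU below is a placeholder DN.
#>
param(
    [int]$DaysInactive = 90,
    # Placeholder DN for a quarantine OU; replace with a real OU in your domain.
    [string]$QuarantineOU = 'OU=Disabled Accounts,DC=example,DC=com',
    [string]$ReportPath = "$env:TEMP\inactive-users.csv",
    [switch]$Commit
)

Import-Module ActiveDirectory

# Search-ADAccount -AccountInactive compares lastLogonTimestamp, which replicates
# lazily (roughly every 9-14 days), so the effective threshold is fuzzy by that much.
$span   = New-TimeSpan -Days $DaysInactive
$cutoff = (Get-Date).AddDays(-$DaysInactive)

$candidates = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $span |
    Where-Object { $_.Enabled }    # already-disabled accounts need no action

$report = foreach ($acct in $candidates) {
    # Pull the attributes needed to tell "brand new, never used" from "stale".
    $u = Get-ADUser -Identity $acct.DistinguishedName -Properties whenCreated, LastLogonDate

    # A never-used account created inside the window is new, not stale; keep it.
    if (-not $u.LastLogonDate -and $u.whenCreated -gt $cutoff) { continue }

    if ($u.LastLogonDate) { $reason = "No logon since $($u.LastLogonDate)" }
    else                  { $reason = 'Never logged on' }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        LastLogonDate     = $u.LastLogonDate
        WhenCreated       = $u.whenCreated
        Reason            = $reason
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($report).Count) candidate account(s) written to $ReportPath"

if (-not $Commit) {
    Write-Host 'Report-only run; re-run with -Commit to disable and move these accounts.'
    return
}

foreach ($row in $report) {
    # Disable first, record why, then move to the quarantine OU. Deletion
    # (Remove-ADUser) is a separate, later step after the grace period.
    Disable-ADAccount -Identity $row.DistinguishedName
    Set-ADUser -Identity $row.DistinguishedName -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive $DaysInactive days"
    Move-ADObject -Identity $row.DistinguishedName -TargetPath $QuarantineOU
}
```

Run it once without -Commit, review the CSV (service accounts and shared mailboxes often show up as "never logged on" even though they are in use), then run it again with -Commit. The same pattern applies to computer accounts by switching -UsersOnly to -ComputersOnly and Get-ADUser to Get-ADComputer; Disable-ADAccount and Move-ADObject work unchanged on computer objects.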
Are there other methods for removing AD accounts?
Finding and removing inactive AD accounts can also be done using professional tools. They help AD administrators carry out the cleanup tasks automatically and on a routine basis without writing Windows PowerShell scripts, and they help administrators meet security compliance requirements more easily. Active Directory Cleaner is such a tool.