How Inactive Accounts Harm the Active Directory Security? (2024)


Inactive accounts in Active Directory should worry IT admins. They may look harmless while they lie dormant and unused, but they are an open invitation to anyone looking to compromise the organization's security.

Why Inactive Accounts Are a Threat to AD Security

Inactive accounts may appear docile, but they can do serious damage to an organization, especially when they are never disabled or when their passwords never expire. An outside intruder who obtains the credentials of a dormant account gets a valid logon that nobody expects to see in use, so nobody questions it when it appears. Former employees can likewise keep using credentials that were never revoked to reach network resources. How much damage follows depends on how skilled the intruder is, how long they can stay undetected, and how many privileges the compromised account carries. If the organization has no effective auditing in place, the attacker has a free run.

The Making of Inactive Accounts

Inactive accounts reveal a lot about the communication, or lack of it, between the HR and IT departments. When new employees join, IT provisions user accounts for them; when they leave, those accounts are often left in place. Accounts also linger when an employee moves to a new role (the old account stays alongside the new one) or goes on long leave. The same happens with computer accounts. IT also creates user and computer accounts for testing and other temporary purposes, and these stay open long after their use is over. This is how inactive accounts accumulate in an AD environment.

Why You Need an Inactive Account Management Policy

Organizations are usually not short of tools that can manage inactive accounts in Active Directory. What they often lack is a documented policy for doing so. Most of the time the IT department is not told about resignations and departures, and it is given no clear instructions on when to disable or delete accounts. So the first step is to document a policy in consultation with HR and senior management. The policy should cover the following situations:

  • when an employee leaves the company
  • when there is a chance of an employee returning
  • when an employee is on long leave

Decisions on the following matters are also required:

  • whether accounts will be deleted immediately, or disabled for some time first
  • the retention period before a disabled account is deleted permanently
  • monitoring and auditing of inactive accounts
  • use of professional Active Directory cleanup solutions like Lepide Active Directory Cleaner

How to Manage Inactive Active Directory Accounts

Removing inactive accounts is essential for the security of Active Directory, but it is better to keep such accounts disabled for a period before deleting them. When employees leave the organization or go on long leave, disable their user accounts. Move all disabled accounts into a single OU and link to it a GPO that curtails access and privileges. Make sure the accounts are removed from all group memberships, since a disabled account that is re-enabled by mistake would otherwise come back with every privilege it had. After the retention period, the accounts of employees who have left can be deleted for good. Keep the HR department informed of deletions. Finally, enable the Active Directory Recycle Bin so that a deleted account, with all of its attributes and group links, can be restored until its deleted object lifetime (180 days by default on most forests) expires.
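The disable, quarantine, strip, and delete lifecycle described above, as an added example using the ActiveDirectory module (this is not code from the original article or from Lepide). The 90-day inactivity threshold, the 60-day retention period and the "OU=Disabled Accounts,DC=corp,DC=example" OU are assumptions to be replaced with your own values; linking the restrictive GPO to that OU is a one-time setup step (New-GPLink from the GroupPolicy module, or GPMC) and is not repeated here. Run it with -WhatIf on each cmdlet first.

```powershell
# Added example, not from the original article. Assumed values: thresholds and the quarantine OU.
Import-Module ActiveDirectory

$InactiveDays  = 90                                           # no logon in this many days -> disable
$RetentionDays = 60                                           # keep disabled this long before deleting
$QuarantineOU  = "OU=Disabled Accounts,DC=corp,DC=example"    # assumed OU with the restrictive GPO linked

# 1. Find enabled user accounts with no logon in the last $InactiveDays.
#    LastLogonDate comes from lastLogonTimestamp, which is only written back when the
#    stored value is 9-14 days older than the real logon, so treat the result as approximate.
$stale = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan ([timespan]::FromDays($InactiveDays)) |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*$QuarantineOU" }

foreach ($acct in $stale) {
    $user = Get-ADUser -Identity $acct.SamAccountName -Properties MemberOf

    # 2. Disable, and stamp when and why, so the retention clock below is auditable.
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format s) (inactive $InactiveDays days)"

    # 3. Strip every group membership (MemberOf excludes the primary group, Domain Users),
    #    so the account carries no privileges even if someone re-enables it by mistake.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 4. Move it into the quarantine OU.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
}

# 5. Delete accounts that have sat disabled past the retention period. whenChanged moved when
#    we disabled and relocated the object, so the timestamp in the description is the clock.
$cutoff = (Get-Date).AddDays(-$RetentionDays)
Get-ADUser -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' -Properties Description |
    Where-Object { $_.Description -match '^Disabled (\S+)' -and [datetime]$Matches[1] -lt $cutoff } |
    ForEach-Object { Remove-ADUser -Identity $_ -Confirm:$false }

# 6. Make sure the Recycle Bin is on before anything is deleted. Without it a deleted account's
#    attributes and group links are not fully recoverable. Enabling it cannot be undone.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
}
```

Service accounts that never log on interactively will show up in step 1; exclude them by OU or by a naming convention before this runs unattended, and review the list with HR rather than trusting the logon timestamp alone.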

How Lepide Helps

The built-in Active Directory tools are adequate for manually disabling and deleting unused accounts, but only while the environment is small. When the requirements are more complex, you can rely on PowerShell scripts or on an automated cleanup solution such as Lepide Active Directory Cleaner. Lepide Active Directory Cleaner keeps the AD environment clean and lean by resetting passwords on, disabling, deleting, and moving inactive user and computer accounts to another OU. It also generates reports on inactive accounts in the network and lets you schedule cleanup actions, saving the resources, time, and effort that managing inactive accounts by hand requires.


FAQs


What are the security risks of inactive accounts? ›

Credentials for an account nobody is watching can be reused without anyone noticing, which can lead to unauthorized transactions, identity theft, manipulation of personal data, or the spread of malware. Leaked credentials can also harm an individual's or organization's reputation.

What is inactive account in Active Directory? ›

The defining characteristic of an inactive account is that it has not been used to sign in to the environment for some time. Because inactivity is tied to sign-in activity, you can use the timestamp of the account's last sign-in attempt to detect inactive accounts.

Why should I disable inactive accounts? ›

Inactive user accounts left in the system are a security risk. If they have not been properly deactivated or removed, they become a target for unauthorized access or exploitation by malicious actors.

Do hackers target inactive accounts? ›

Inactive accounts that haven't been accessed for extended periods are more likely to be compromised due to password reuse and lack of multifactor authentication.


What happens when an Active Directory account expires? ›

The account can no longer log on once the expiry date set in the accountExpires attribute has passed (in Active Directory Users and Computers the date is "End of", so logons fail from the following day). The password is unaffected: it is neither reset nor locked out, and it remains valid. As soon as an administrator clears or extends the expiry date, the account can be used again with the same password.

How to identify inactive computer accounts in Active Directory? ›

In the Active Directory module for Windows PowerShell, Search-ADAccount -AccountInactive -ComputersOnly returns computer accounts that have not logged on recently (-UsersOnly does the same for user accounts). Use the -TimeSpan or -DateTime parameter to set how far back the last logon must be. Note: these cmdlets rely on lastLogonTimestamp, which is not updated on every logon; it is written and replicated only when the stored value is more than 9 to 14 days older than the current logon, so the result is accurate only to about two weeks.
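An added example (not from the original article or from Lepide) that shows both the quick query and the raw attributes behind it, so the replication caveat is visible and a second signal, the machine account password age, backs up the logon timestamp. The 90-day threshold is an assumption.

```powershell
# Added example, not from the original article. The 90-day threshold is assumed.
Import-Module ActiveDirectory
$Days   = 90
$cutoff = (Get-Date).AddDays(-$Days)

# Quick way: the cmdlet converts lastLogonTimestamp for you.
$quick = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan ([timespan]::FromDays($Days)) |
    Where-Object Enabled

# Explicit way: read the raw attributes. lastLogonTimestamp is a FILETIME (100 ns ticks since
# 1601, UTC) that is written back only when the stored value is 9-14 days older than the real
# logon, so it can understate activity by up to two weeks. pwdLastSet is a second signal: a
# domain-joined Windows host rotates its machine account password every 30 days by default, so
# a machine password older than the cutoff is a stronger sign of a host that no longer exists.
$explicit = Get-ADComputer -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, pwdLastSet, OperatingSystem |
    ForEach-Object {
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        $pwdSet    = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }         else { $null }
        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            LastLogon       = $lastLogon
            PasswordLastSet = $pwdSet
            # A null timestamp means the account has never logged on: usually a pre-staged
            # or test object, which counts as stale too.
            Stale           = (-not $lastLogon -or $lastLogon -lt $cutoff) -and
                              (-not $pwdSet    -or $pwdSet    -lt $cutoff)
        }
    } | Where-Object Stale

"Search-ADAccount found $($quick.Count) inactive computers; attribute check found $($explicit.Count)."
$explicit | Sort-Object LastLogon | Format-Table -AutoSize
```

Treat the output as a review list, not a delete list: cluster nodes, offline build machines and appliances that rarely authenticate to the domain will appear on it, which is why the same disable-then-delete retention period used for user accounts applies to computers as well.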

Why do Active Directory accounts get disabled? ›

Accounts are usually disabled deliberately, as part of offboarding or cleanup, but an incorrect change to system configuration can also disable a user in Active Directory by accident. A disabled user cannot reach resources such as email, file shares and SharePoint, which disrupts day-to-day operations until the account is re-enabled.


Article information

Author: Jonah Leffler