Regularly check for and remove inactive user accounts in the Active Directory

Why Consider this

More than 10 percent of user accounts in Active Directory have been detected as inactive (stale), based on the last time the password was changed or user's last logon timestamp. Stale user accounts in Active Directory are a significant security risk since they could be used by an attacker or a former employee. These inactive accounts also consume reclaimable database space.


Context & Best Practices

Active Directory contains an account for every user. Over time, users leave the organization and those user accounts may not get removed from Active Directory. Stale user accounts are a significant security issue, as former employees and external attackers could use those accounts to attack the organization. Stale accounts also use up space in the directory database that could be reclaimed.

User accounts have an attribute called PasswordLastSet, which records the last time a user changed his or her password. Because PasswordLastSet is a replicated attribute, only one domain controller in each domain has to be queried.

Windows Server 2003 introduced a new attribute called lastLogonTimeStamp to assist in identifying potentially stale accounts. This attribute is populated only when the domain is at the Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2 functional level. Unlike the lastLogon attribute, which has been available since Windows NT 4.0 and is not replicated, lastLogonTimeStamp is replicated whenever it is updated. Querying this attribute is therefore more convenient, since only one domain controller in each domain must be queried.

To find the accounts, run a script that queries Active Directory for inactive user accounts. In the Active Directory Module for Windows PowerShell, the Search-ADAccount -AccountInactive -UsersOnly command returns all inactive user accounts. Use the -DateTime or -TimeSpan parameters to narrow down the date on which the account last logged on.

Note: lastLogonTimeStamp is not updated on every logon, so it lags the true last logon. See Understanding the AD Account attributes - LastLogon, LastLogonTimeStamp and LastLogonDate, at https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx.

Dealing with stale user accounts often comes down to implementing effective deprovisioning processes. However, it is possible that users might be unable to work and therefore not log on for an extended period. Also, service accounts might not log on for extended periods. In consequence, you should incorporate multiple checks and have safeguards in place to help prevent disabling or deleting accounts that are still in use.

Suggested Actions

You should carry out regular checks for any user accounts whose passwords have not been changed in the last six months, and then disable and remove those accounts from Active Directory.

Run a script in each domain that queries Active Directory for user accounts where the password age is over a certain time. In Active Directory Module for Windows PowerShell, run the following script to list the user accounts where the password has not changed in the last six months.

# Cut-off date: six months (180 days) before today.
$d = [DateTime]::Today.AddDays(-180)

# List users whose password was last set before the cut-off, or whose replicated
# logon stamp is older than the cut-off. LastLogonTimestamp is stored as a
# FILETIME (int64), so it is converted to a DateTime for display.
Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimestamp -lt $d)' -Properties PasswordLastSet,LastLogonTimestamp |
    Format-Table Name, PasswordLastSet, @{N="LastLogonTimestamp"; E={ [DateTime]::FromFileTime($_.LastLogonTimestamp) }}

After stale accounts are identified, it is recommended to disable those user accounts, wait several weeks, and then delete the accounts if no issues have been reported.
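The disable-first, delete-later workflow above, with the safeguards the Context section asks for (an exclusion group for service accounts, both staleness signals required, a dated marker so the deletion pass only touches accounts this script disabled, and -WhatIf support). This is an added example, not script from the original page; the group name 'Stale-Account-Exclusions' and the 'StaleDisabled:' marker are hypothetical, and it assumes the ActiveDirectory module is installed.

```powershell
# Added example (not from the original page). Run with -WhatIf first to review
# what would change; remove -WhatIf to act. Requires the ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 180,                              # six months, as recommended
    [int]$GraceDays = 30,                                  # wait before deleting a disabled account
    [string]$ExclusionGroup = 'Stale-Account-Exclusions',  # hypothetical group of exempt accounts
    [string]$ReportPath = ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv"
)
Import-Module ActiveDirectory

$cutoff = [DateTime]::Today.AddDays(-$InactiveDays)
$tag    = 'StaleDisabled:'   # marker written to Description when the account is disabled

# Exclusion list: service accounts and others that legitimately never log on.
$excluded = @{}
Get-ADGroupMember -Identity $ExclusionGroup -Recursive -ErrorAction SilentlyContinue |
    ForEach-Object { $excluded[$_.distinguishedName] = $true }

# Require BOTH signals to be stale. lastLogonTimestamp is only refreshed when the
# stored value is older than its sync interval (14 days by default), so on its own
# it is a weaker indicator than the two together.
$candidates = Get-ADUser -Filter { Enabled -eq $true -and PasswordLastSet -lt $cutoff -and LastLogonTimestamp -lt $cutoff } `
        -Properties PasswordLastSet, LastLogonTimestamp, Description |
    Where-Object { -not $excluded.ContainsKey($_.DistinguishedName) }

# Stage 1: disable, stamping the date into Description so stage 2 knows when.
foreach ($u in $candidates) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable stale user account')) {
        Set-ADUser -Identity $u -Enabled $false -Description "$tag $(Get-Date -Format yyyy-MM-dd) $($u.Description)"
    }
}
$candidates | Select-Object SamAccountName, PasswordLastSet,
        @{N = 'LastLogon'; E = { [DateTime]::FromFileTime($_.LastLogonTimestamp) }} |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Stage 2: delete only accounts that carry the marker and whose grace period has
# passed. An account someone re-enabled, or whose marker was cleared, is skipped.
Get-ADUser -Filter { Enabled -eq $false } -Properties Description | ForEach-Object {
    if ($_.Description -match "^$tag (\d{4}-\d{2}-\d{2})" -and
        [DateTime]$Matches[1] -lt [DateTime]::Today.AddDays(-$GraceDays) -and
        $PSCmdlet.ShouldProcess($_.SamAccountName, "Delete account disabled on $($Matches[1])")) {
        Remove-ADUser -Identity $_ -Confirm:$false
    }
}
```

Accounts that have never logged on carry no lastLogonTimestamp value and therefore do not match the filter; review those separately rather than widening the filter.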