When employees leave organizations, their user accounts often remain in Active Directory (AD) without gathering much attention. The passwords on these accounts remain unchanged when no longer in use, which could lead to potential compromise. For optimum security, enterprises should always ensure that inactive or obsolete user accounts are protected or, better yet, deleted.
Microsoft allows administrators to track down inactive users with the Saved Queries feature of the native AD Users and Computers (ADUC) tool. Administrators can create a saved query and define the period of inactivity for users based on the number of days since the last logon, as shown in Figure 1.
Figure 1. Microsoft’s saved query to list inactive users.
From the obtained list of inactive users, administrators can perform tasks such as Disable Account, Reset Account, and Move for individual users. However, the tasks you can perform for bulk user modification are limited. See Figure 2 below. There’s also no way to automate the generation of reports or schedule their delivery to your mailbox.
Figure 2. Actions that can be performed on inactive user accounts using native tools.
An ideal solution would allow administrators to:
- Generate the Inactive Users report on users who have not logged in for a specific number of days. See Figure 3.
- Export reports in easy-to-use formats to the administrators or managers that need to take suitable action, including disabling, moving, and deleting users. See Figure 4.
- Schedule reports to automatically generate on a daily or weekly basis, and have them delivered to your email.
- Automate routine tasks; you should be able to configure a policy that will fetch the inactive user accounts from the Inactive Users report, and automatically move them to a separate OU where they’ll be disabled and subsequently deleted at the end of the month. See Figure 5.
Figure 3. Generating the Inactive Users report in ADManager Plus.
Unfortunately, ADUC can’t help with all the tasks mentioned above. But ADManager Plus can. Using ADManager, administrators can perform actions on multiple user accounts at once right from the report, instead of performing the same action multiple times for each individual user account. Administrators can also reset passwords for multiple users at once from within the report. By scheduling and automating the cleanup of inactive users, administrators can focus on more important tasks.
Figure 4. Performing bulk modification to user accounts in ADManager Plus.
Figure 5. Configuring an automation policy in ADManager Plus.
Summary
Microsoft does not offer an automated way of cleaning up stale accounts in AD, but by using ADManager Plus, you can automate crucial routine tasks like deleting inactive user accounts. You can also configure a sequence of tasks to be executed on a specific schedule.
Download a free, 30-day trial of ADManager Plus to see how it works in your environment.
** Optrics Inc. is an Authorized ManageEngine partner
The original article can be found here: