I was looking for some recommendations on what is the best way to manage stale domain user accounts? Should one disable them (just to be safe) and then enable them on a need basis, or should one let them be, and just monitor them on a periodic basis?
I ask because we may have quite a few stale domain user accounts, because some of our employees are on long leaves (maternity, furloughs etc.) and so we do have quite a few stale accounts.
The thing is that every now and then, some of these user account holders would login to check their email and all, and so if we disable their accounts, that results in an additional ticket for us increasing our workload.
I'm sure many of you would have encountered this issue as well, and so I thought I'd ask to see if you had any recommendations that you would like to share?
Thank you in advance.
Never try to solve a problem on a Friday night. It can spoil your weekend :-)
This is a painful process that every ID management team has to go through, though smarter ways have evolved for handling such scenarios.
An ideal way would be to disable an account if it has not been used to logon to the domain for "x" number of days (generally we used to define this period as "30" days). We then used to withdraw a report for accounts that haven't been used for more than 30 days.
Disable those, or create a script that finds users who have not logged on to the domain for more than 30 days and writes them to a log. Use that log file to disable the accounts. Leave such disabled accounts for 30 days more, which gives a total time frame of 60 days, i.e. 30 days not logged on to the domain plus 30 days disabled.
Accounts that have been disabled for the last 30 days should then be deleted. Now comes the tricky part of managing such accounts. What if somebody is on maternity leave? There comes the intelligence to handle such accounts. Active Directory user attributes come to the rescue here. Identify a user attribute that you can use for marking the type of user object.
For people on long leave, modify the identified attribute for such users as "LL"; if a user is terminated, modify it as "T"; if a user is on maternity leave, modify the attribute as "ML"; and likewise for other types of attributes. Then dump the info of accounts disabled for more than 30 days with attributes. Use EXCEL to identify the attributes that are "T" and delete them without any worries.
I would also suggest that the user attribute info be automatically updated from the HR DB, where HR should be allowed to update info in their DB. That DB should then modify the user attribute. This will require a big change, but considering your environment and how big it is you may want to consider the above process.
Create and communicate a written policy for account mgmt:
* Accounts that haven't logged into the domain within 90 days are disabled and moved to the '90 Day Disabled Users' OU then renamed w/ the date they are disabled
* Accounts that are still in the 90 Day disabled OU 6 months after the 90 day disable get deleted (I'd dump group memberships as part of the pre-deletion process, too)
* Exceptions, either known or discovered, are placed in the 'Stale Users - Exception' OU with a clear description as to why they are in the EXCEPTION OU.
* Place all service accounts in another OU structure with likely different parameters for 'what is stale'
Just a few ideas/thoughts.
On a related topic, it's also worth noting that as far as possible you shouldn't rely on the lastLogonTimeStamp attribute because, as you know, it's not 100% accurate.
This is especially true when you're trying to find out who all may have logged on in the last 2 weeks or so, which is also certainly worth knowing for security reasons.
Just my 2c.
If one cannot truly rely on the lastLogonTimestamp attribute for date ranges less than 15 days, then is there any easy way to discover stale accounts, wherein staleness implies, say, stale by about 7 days or so?
For example, is there a script or a tool one could use to find all stale accounts based on the actual comparison of lastLogon values from all DCs in the domain?
Thank you for your assistance.
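One way to do the cross-DC comparison the question above asks about, as an added example that is not from any poster or tool in this thread: query every DC for the non-replicated lastLogon value and keep the newest one per user, then compare it with the replicated lastLogonTimestamp so its lag is visible. It assumes the RSAT ActiveDirectory module, and $StaleDays and $OutFile are placeholder values.

```powershell
<# Added example, not code from the thread or any vendor: report stale enabled users by
   taking the newest lastLogon across all DCs (lastLogon is not replicated) instead of
   trusting lastLogonTimestamp alone, which can lag the real logon by roughly 14 days.
   Assumes the RSAT ActiveDirectory module; $StaleDays and $OutFile are assumed values. #>
param(
    [int]$StaleDays = 7,
    [string]$OutFile = "stale-users.csv"
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)
$byUser = @{}   # samAccountName -> record holding the newest lastLogon seen so far
function ToDate($fileTime) { if ($fileTime) { [DateTime]::FromFileTime($fileTime) } else { $null } }

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $users = Get-ADUser -Server $dc.HostName -Filter 'enabled -eq $true' `
                            -Properties lastLogon, lastLogonTimestamp, whenCreated
    } catch {
        # An unreachable DC is a blind spot; report it rather than silently calling accounts stale.
        Write-Warning "Skipping $($dc.HostName): $_"
        continue
    }
    foreach ($u in $users) {
        # lastLogon is a FILETIME integer; 0 or null means this DC never authenticated the user.
        $ll  = ToDate $u.lastLogon
        $rec = $byUser[$u.SamAccountName]
        if (-not $rec) {
            $rec = [pscustomobject]@{
                SamAccountName     = $u.SamAccountName
                Created            = $u.whenCreated
                LastLogonAnyDC     = $null
                LastLogonSeenOn    = $null
                LastLogonTimestamp = ToDate $u.lastLogonTimestamp   # replicated, so same on every DC
            }
            $byUser[$u.SamAccountName] = $rec
        }
        if ($ll -and (-not $rec.LastLogonAnyDC -or $ll -gt $rec.LastLogonAnyDC)) {
            $rec.LastLogonAnyDC  = $ll
            $rec.LastLogonSeenOn = $dc.HostName
        }
    }
}

# Stale = newest real logon (or creation date, for never-used accounts) is older than the cutoff.
$byUser.Values | Where-Object {
    $last = if ($_.LastLogonAnyDC) { $_.LastLogonAnyDC } else { $_.Created }
    $last -lt $cutoff
} | Select-Object SamAccountName, Created, LastLogonAnyDC, LastLogonSeenOn, LastLogonTimestamp,
    @{n='TimestampLagDays'; e={ if ($_.LastLogonAnyDC -and $_.LastLogonTimestamp) {
        [int]($_.LastLogonAnyDC - $_.LastLogonTimestamp).TotalDays } }} |
  Sort-Object LastLogonAnyDC | Export-Csv -NoTypeInformation $OutFile
```

The script only writes a report; disabling or deleting should stay a separate, reviewed step so that exceptions such as staff on leave can be handled as the earlier replies describe.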
We use an automated Active Directory Audit Tool called Gold Finger for Active Directory.
It lets us find stale user and computer accounts very easily, and it lets us apply an LDAP filter of our choice, so for example, we can have it find stale accounts that belong to a specific department.
I believe free trials are available, as well, and can be downloaded from - http://www.paramountdefenses.com/goldfinger.html