Every Active Directory installation has one issue in common: one or more user accounts that were created for a project, a new employee, a returning employee, and the like, but were never used. These accounts should be cleaned up, as they pose a threat to the overall security of the environment.
I know, “pose an overall threat to the environment” seems a bit severe. However, I truly believe this, and these are the reasons why:
- Most organizations assign the same initial password to every new user account, knowing the user will be forced to change it at next logon. If the account is never used, that initial password is never changed, and the account could be used as an attack account at any time.
- Most organizations place new user accounts into the appropriate groups at creation time. This means that if an attacker logs on as one of these accounts, all access is immediately granted based on its group membership. If, for instance, the account belongs to finance, HR, or IT, that access could be high risk.
- These accounts are not tracked and therefore not kept in check. Without some reasonable tracking of whether these accounts are being used correctly, or at all, the risk of someone using them to attack the network is too high.
So the question becomes: how do you find these accounts and then remove them? Sure, you can come up with some fancy script to dig the accounts out, but then you still need to delete them. Instead of taking the time to develop and troubleshoot a script, why not just use a tool that already has this option... I mean these options... built in?
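For readers who do want to see what such a script involves, here is an added example (not code from the original post or from ADManager Plus) that lists enabled accounts that have never logged on anywhere in the domain, shows their group memberships, and optionally disables them. It assumes the RSAT ActiveDirectory module, rights to query every domain controller, and the hypothetical output file name never-used-users.csv.

```powershell
<#
  Added example, not from the original post. Finds enabled AD user accounts
  older than $MinAgeDays that have never logged on, reports the groups they
  already belong to, and optionally disables them (disable first, delete later).
  Assumes the RSAT ActiveDirectory module and rights to read every DC.
#>
param(
    [int]$MinAgeDays = 30,
    [switch]$Disable
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$MinAgeDays)

# lastLogonTimestamp replicates, but is only refreshed every 9-14 days, so a
# freshly created account may have logged on without it being set yet. Skip
# accounts younger than the cutoff and treat an unset value as a candidate only.
$candidates = Get-ADUser -Filter { Enabled -eq $true -and whenCreated -lt $cutoff } `
    -Properties whenCreated, lastLogonTimestamp, memberOf |
    Where-Object { -not $_.lastLogonTimestamp }

# lastLogon is NOT replicated: each DC keeps its own value, so every DC must
# be asked before an account can be called "never used".
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$neverUsed = foreach ($u in $candidates) {
    $seen = $false
    foreach ($dc in $dcs) {
        $ll = (Get-ADUser -Identity $u.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
        if ($ll -gt 0) { $seen = $true; break }
    }
    if (-not $seen) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Created        = $u.whenCreated
            AgeDays        = [int]((Get-Date) - $u.whenCreated).TotalDays
            # Group membership shows how much access the unused account already carries.
            Groups         = ($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
        }
    }
}

$neverUsed | Sort-Object AgeDays -Descending | Format-Table -AutoSize
$neverUsed | Export-Csv -Path .\never-used-users.csv -NoTypeInformation   # hypothetical file name

if ($Disable) {
    # Disabling is reversible; delete only after the account owner has confirmed.
    foreach ($n in $neverUsed) {
        Disable-ADAccount -Identity $n.SamAccountName -Confirm:$false
        Set-ADUser -Identity $n.SamAccountName -Description "Disabled $(Get-Date -Format u): never logged on"
    }
}
```

Run it without -Disable first to review the CSV; a service account that authenticates only via Kerberos on a DC you cannot query would otherwise be disabled by mistake.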
ManageEngine ADManager Plus has a quick and easy report that you can use to generate a list of users that have never logged in. Figure 1 illustrates what the resulting report would look like.
Figure 1. ADManager Plus report on users that have never logged in.
From here, you can select some or all of the users in the list and delete, move, disable, or take other actions on them. Figure 2 illustrates the list of actions that you can take on the users you select from the list.
Figure 2. List of actions you can take on the users that have never logged in.
As you can see, there is no need to come up with a complex script when what you are looking for is just a click away, not to mention the actions you want to perform on the users once you find them. ADManager Plus is the most efficient tool for managing your Active Directory environment.
For a video on these tasks, please go to https://www.youtube.com/watch?v=RBeXCE8o3ZY.
The original article/video can be found at Find and Delete “Never Used” User Accounts