We can all fall behind on our “simple” tasks while chasing more demanding ones. One such task is keeping track of Active Directory user accounts that have not been used in a while. Those accounts need to be managed so that they do not quietly remain usable long after anyone needs them.
Many organizations have a 30-day inactivity policy that flags user accounts for quarantine, disablement, or even deletion once they have been inactive for 30 days. Writing such a policy sounds easy, but it is harder than expected for two reasons: how you define “inactive”, and where in Active Directory the users you care about live. The definition matters more than it looks. The obvious measure, the replicated lastLogonTimestamp attribute, is only refreshed when its stored value is more than about 14 days old (the msDS-LogonTimeSyncInterval default), so a “30 days” check on it really means somewhere between 30 and 44 days; the precise lastLogon attribute is not replicated at all, so using it means querying every domain controller.
Consider a scenario where you need to track down all inactive users in the HR organizational unit (OU). You could start with the Active Directory Users and Computers (ADUC) tool, whose Saved Queries feature lets you build a query that appears to match exactly what you want. Figure 1 shows such a query along with its output.
Figure 1. Saved Query looking for inactive users.
As you can see, the query returns no results. Before looking at the contents of the OU, compare the results from a tool that examines the objects more thoroughly. Figure 2 shows the same “inactive users” query run in ManageEngine’s ADManager Plus.
Figure 2. ADManager Plus results looking for inactive users.
The ADManager Plus results reveal not one, not two, but five inactive users in the HR OU. So why did ADManager Plus find those users when the ADUC Saved Query did not? Because the Saved Query only compares the account’s last-logon timestamp against the cutoff. An account that has never logged on has no last-logon value to compare, so it never matches the query and is silently left out; if there is one such account (or many), Saved Queries will not find them. ADManager Plus treats a missing logon time as inactivity rather than as a non-match, which is why it reports those five accounts.
The icing on the inactive-user cake? From the view in Figure 2 you can act on the accounts directly. After all, the most useful thing after tracking down inactive users is being able to select all or some of them and disable them straight from the report, which ADManager Plus lets you do. You do not have to handle them one at a time; select one or more and act on them together.
That omission in the ADUC Saved Queries feature is a serious problem. A user account that was created and never used is just as much of a security risk as one that was used once and then left idle, and it is exactly the account a last-logon query will never surface.
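The same inactive-user hunt, including the never-logged-on case from the discussion of Figure 2 and the bulk disable described just above, can be written in PowerShell against the RSAT ActiveDirectory module. The following is an added example, not code from the original article or from ADManager Plus; the OU path is a placeholder, and the script assumes the module is installed and the session has rights to read and modify the OU. It handles the two cases separately so that the missing-attribute case is visible rather than hidden inside a single comparison.

```powershell
# Added example (not from the original article): find users in the HR OU that
# are inactive under either definition, then disable them in a dry run.
# Assumptions: the RSAT ActiveDirectory module is installed, and the OU path
# below is a placeholder for your own domain.
Import-Module ActiveDirectory

$SearchBase   = 'OU=HR,DC=corp,DC=example'   # assumed OU path; replace with yours
$InactiveDays = 30
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# lastLogonTimestamp is the replicated attribute, so one DC is enough to query.
# It is absent on accounts that have never logged on, which is exactly the case
# a plain "last logon older than N days" query misses. whenCreated is requested
# so those accounts can be aged from their creation date instead.
$Users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, whenCreated

$Inactive = foreach ($u in $Users) {
    if ($null -eq $u.lastLogonTimestamp) {
        # Never logged on: treat the account as inactive once it is older than
        # the cutoff, so freshly created accounts are not disabled prematurely.
        if ($u.whenCreated -lt $Cutoff) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                DistinguishedName = $u.DistinguishedName
                Reason            = 'Never logged on'
                LastActivity      = $u.whenCreated
            }
        }
    }
    else {
        # lastLogonTimestamp is a Windows FILETIME (Int64); convert it to a date.
        $lastLogon = [DateTime]::FromFileTime($u.lastLogonTimestamp)
        if ($lastLogon -lt $Cutoff) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                DistinguishedName = $u.DistinguishedName
                Reason            = "No logon for $InactiveDays+ days"
                LastActivity      = $lastLogon
            }
        }
    }
}

# Review the list before acting on it.
$Inactive | Sort-Object LastActivity | Format-Table -AutoSize

# Bulk disable. -WhatIf only prints what would happen; remove it (or replace it
# with -Confirm) once the list has been reviewed. The reason is recorded in the
# description so the change is auditable and reversible by the help desk.
foreach ($acct in $Inactive) {
    Set-ADUser -Identity $acct.DistinguishedName `
        -Description ("Disabled {0:yyyy-MM-dd}: {1}" -f (Get-Date), $acct.Reason) -WhatIf
    Disable-ADAccount -Identity $acct.DistinguishedName -WhatIf
}
```

Two caveats apply when you adopt this. Because lastLogonTimestamp is refreshed only when its stored value is more than about 14 days old, the "30 days" test is conservative by up to two weeks, which is acceptable for a disablement policy but not for anything that claims day-level accuracy; for that you would have to read the non-replicated lastLogon attribute from every domain controller and keep the newest value. And an account that has never logged on interactively may still be in use by a service or an application that authenticates in ways that do not update the attribute, so the review step before removing -WhatIf is not optional.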
The original article/video can be found at How to Track Down Inactive Users in Active Directory