Active Directory allows authorized AD accounts (users and computers) to access the organizations data, applications and other resources like
printers. Additional security is also ensured through permissions
attached to the AD resources or objects. AD user accounts feature in
the access control list of one or more objects which enable them to
access those AD resources seamlessly. Account authorization /
authentication along with the system access control list of network
resources ensure that the AD is completely protected from unauthorized accesses.
Inactive AD accounts and security threats
Inactive accounts pose a serious threat to the security of the Active Directory. Inactive accounts and their access permissions can be used to access network resources. Often these kind of activities go unnoticed because of the lack of an all-inclusive auditing solution in the organization.
Using Windows PowerShell to manage inactive AD accounts
In order to use PowerShell with Active Directory, you will require the Active Directory PowerShell module. It (along with Active Directory Administrative Centre) gets installed automatically with the addition of AD DS (Active Directory Domain Services) or AD LDS (Active Directory Lightweight Directory Services) role in Windows Server 2008 R2. Here are some cmdlets that let you perform some basic actions related to inactive accounts:
To find inactive AD accounts
To find all the inactive accounts use the Search-ADAccount cmdlet. It is recommended that you search for computer accounts and user accounts separately.
To find inactive computer accounts:
Search-ADAccount –AccountInactive -ComputersOnly
To find inactive user accounts:
Search-ADAccount -AccountInactive -UsersOnly
To find AD accounts that are inactive for the past 60 days
To find the AD accounts that are inactive for the past 60 days, you will also need to specify the time period.
To find computer accounts that are inactive for the past 60 days:
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 60.00:00:00
To find user accounts that are inactive for the past 60 days
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 60.00:00:00
To find the inactive AD accounts of a specific OU
PowerShell also allows
you to search for inactive accounts within an OU.
To find the inactive computer accounts in an OU:
Search-ADAccount -AccountInactive -ComputersOnly -Searchbase "OU=TestOU,DC=www,DC=vdoc,DC=com"
To find the inactive user accounts in an OU:
Search-ADAccount -AccountInactive -UsersOnly -Searchbase "OU=TestOU,DC=www, DC=vdoc,DC=Com"
Inactive Account Management
It is possible to use PowerShell cmdlets and scripts for more complex tasks relating to inactive account management but it requires an almost expert knowledge of the platform. Automated Active Directory clean-up solutions like Lepide Active Directory Cleaner can simplify the process, making it easy to perform even the most complex tasks.
Inactive accounts can be serious security threats if they are used by an unauthorized person wanting access to the network resources. Windows PowerShell cmdlets can help manage the inactive accounts but can only be used for more complex tasks if the AD administrators are adept at scripting. If this isn’t the case then using a third-party solution is often the most effective way of managing inactive users.