Every Active Directory installation shares one common issue: it contains one or more user accounts that were created for a project, a new employee, a returning employee, or the like, but were never actually used. These accounts should be cleaned up, as they pose a threat to the overall security of the environment.
I know, “pose an overall threat to the environment” seems a bit severe. However, I truly believe this, and these are the reasons why:
- Most organizations use the same password for every new user account, knowing the user will be forced to change it at next logon. However, if the account is never used, that well-known initial password stays valid, and anyone who knows it could log on with the account and use it for an attack at any time.
- Most organizations place new user acco
Before getting into the specifics, I would like to give a short introduction to tracking logon and logoff activity in an Active Directory environment, which is a cumbersome process.
Auditing the Windows Active Directory environment
With the current Windows architecture it is difficult to get all logon data from a single point. In an AD environment, a Domain Controller (DC) is the component that performs the actual authentication. When several DCs in a setup handle authentication, the logon data (note: only the logon data) ends up spread across different computers (the DCs), so to build a clear picture of logon activity, collecting all of this data from every DC is essential. Another pain point here is …
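The two points above, unused accounts that still carry their initial password and logon data that is scattered across DCs, can be checked together from PowerShell. The following script is an added example, not code from the original article. It assumes the ActiveDirectory module (RSAT) is installed and that the running account can read user attributes on every DC; the 30-day threshold is an arbitrary assumption you would tune to your own provisioning process. It queries the non-replicated lastLogon attribute on each DC, keeps the most recent value per user, and reports enabled accounts that have never logged on anywhere.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and read access to user attributes on every DC in the domain.
Import-Module ActiveDirectory

$StaleAfterDays = 30   # assumption: an account untouched this long after creation is a candidate
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

function ConvertFrom-FileTime {
    # AD stores lastLogon / lastLogonTimestamp / pwdLastSet as FILETIME; 0 means "never".
    param([long]$Value)
    if ($Value -gt 0) { [DateTime]::FromFileTime($Value) } else { $null }
}

# lastLogon is NOT replicated, so every DC has to be asked. lastLogonTimestamp is
# replicated but only refreshed roughly every 14 days by default, so it is a coarse signal.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$latest = @{}   # SamAccountName -> record with the most recent lastLogon seen on any DC
foreach ($dc in $dcs) {
    try {
        $users = Get-ADUser -Server $dc -Filter 'Enabled -eq $true' `
            -Properties lastLogon, lastLogonTimestamp, whenCreated, pwdLastSet
    } catch {
        # A DC that cannot be reached leaves a blind spot; surface it instead of silently skipping.
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
        continue
    }
    foreach ($u in $users) {
        $seen = ConvertFrom-FileTime $u.lastLogon
        if (-not $latest.ContainsKey($u.SamAccountName)) {
            $latest[$u.SamAccountName] = [pscustomobject]@{
                SamAccountName     = $u.SamAccountName
                WhenCreated        = $u.whenCreated
                LastLogon          = $seen
                LastLogonTimestamp = ConvertFrom-FileTime $u.lastLogonTimestamp
                # pwdLastSet = 0 means "must change password at next logon": the initial
                # password handed out at creation has never been replaced.
                MustChangePassword = ($u.pwdLastSet -eq 0)
            }
        } elseif ($seen -and (-not $latest[$u.SamAccountName].LastLogon -or
                              $seen -gt $latest[$u.SamAccountName].LastLogon)) {
            $latest[$u.SamAccountName].LastLogon = $seen
        }
    }
}

# Never logged on according to any DC, nothing in the replicated timestamp either,
# and created long enough ago that the account is not simply waiting for a start date.
$neverUsed = $latest.Values | Where-Object {
    -not $_.LastLogon -and -not $_.LastLogonTimestamp -and $_.WhenCreated -lt $cutoff
}

$neverUsed |
    Sort-Object WhenCreated |
    Format-Table SamAccountName, WhenCreated, MustChangePassword -AutoSize
```

Accounts listed with MustChangePassword set to True are exactly the case described in the first point: still enabled, never used, and still carrying the shared initial password. Disabling them (or at minimum resetting the password) removes the exposure; the lastLogon merge across DCs is what makes the "never used" verdict trustworthy, since a single DC's view can miss logons serviced elsewhere.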