Nearly every Active Directory database has at least one – a user account that was created, but that the user never logged in to. The reasons why the user never logged in are plentiful, but the fact that the account was never addressed is still an issue. Why are user accounts that have never logged in a problem, you may be asking? Well, let’s go over some common configurations at user account creation time:
- User accounts are created hours, sometimes days, before the employees start work.
- All new user accounts are granted the same password at creation.
- User accounts are added to all of the necessary groups, to allow immediate access to resources.
Put these configurations together and you have user accounts that are potential entry points for an attack: the account exists, its password is known to more than one person, and it already has access to resources, yet nobody is using it and noticing if someone else does. The fact that user accounts exist with known passwords is a major security concern. Ideally, user accounts that have never logged in need to be addressed in some way. Here are some solutions that will help you get control over these accounts.
Active Directory Users and Computers (ADUC) Saved Queries
ADUC provides the option of “saved queries” as a way to look at objects that meet preset criteria. There are a few default options to view user accounts that have non-expiring passwords, have not logged in for X days, and more. You can also create custom saved queries, such as the one shown in Figure 1, which returns the user accounts that have never logged in.
Figure 1. Custom saved query that reports the user accounts that have never logged in.
As you can imagine, this information is very valuable. However, there is one limitation of the Microsoft method. Knowing who has not logged in is important, but it is also important to know when the account was created. This gives the administrator insight into how long the account has been waiting for a logon. If only a few days or weeks, the user might still use the account. If the account was created a month or more ago, chances are slim that the account will ever be used. Trying to get the creation date for each user using Microsoft Saved Queries is very difficult!
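The same question the saved query answers can be asked from PowerShell, which also returns the creation date and account status in one pass. The script below is an added example, not part of the original article and not ADManager Plus code; it assumes the RSAT ActiveDirectory module is installed and the account running it can read every domain controller. The 30-day threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the article): report user accounts that have never
# logged on, with creation date, age in days, password-set date and group count.
# Assumes the RSAT ActiveDirectory module and read access to all DCs.
Import-Module ActiveDirectory

# Accounts created at least this many days ago with no logon are flagged.
# Illustrative threshold, not a recommendation from the article.
$StaleAfterDays = 30
$Now = Get-Date

# lastLogon is NOT replicated between DCs, so each DC must be asked; keep the
# newest value seen anywhere in the domain.
$DomainControllers = Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty HostName

# Candidate set: lastLogonTimestamp (replicated) is never written for an account
# that has not authenticated anywhere, so its absence is a cheap first filter.
$Candidates = Get-ADUser `
    -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(lastLogonTimestamp=*)))' `
    -Properties whenCreated, logonCount, pwdLastSet, Enabled, MemberOf

$Report = foreach ($User in $Candidates) {
    # Confirm against the per-DC lastLogon; any DC that recorded a logon
    # rules the account out of the report.
    $LastLogon = 0
    foreach ($DC in $DomainControllers) {
        try {
            $Value = (Get-ADUser -Identity $User.DistinguishedName -Server $DC `
                -Properties lastLogon).lastLogon
            if ($Value -gt $LastLogon) { $LastLogon = $Value }
        } catch {
            Write-Warning "Could not query $DC for $($User.SamAccountName): $_"
        }
    }
    if ($LastLogon -ne 0) { continue }

    $AgeDays = [int]($Now - $User.whenCreated).TotalDays
    [pscustomobject]@{
        SamAccountName  = $User.SamAccountName
        Enabled         = $User.Enabled
        Created         = $User.whenCreated
        AgeDays         = $AgeDays
        # pwdLastSet of 0 means "must change at next logon"; report it as empty.
        PasswordLastSet = if ($User.pwdLastSet) { [DateTime]::FromFileTime($User.pwdLastSet) } else { $null }
        GroupCount      = @($User.MemberOf).Count
        Stale           = $AgeDays -ge $StaleAfterDays
    }
}

# Oldest first, so the accounts least likely ever to be used are at the top.
$Report | Sort-Object Created | Format-Table -AutoSize

# Follow-up for the stale, still-enabled accounts. -WhatIf shows what would be
# disabled without changing anything; remove it once the list has been reviewed.
$Report | Where-Object { $_.Stale -and $_.Enabled } |
    ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

The second pass against every DC matters: lastLogonTimestamp is only updated when the stored value is more than about two weeks old, and lastLogon is kept locally by whichever DC authenticated the user, so neither attribute alone is authoritative. Checking group membership count and pwdLastSet in the same view shows how much access an unused account already carries and whether it still has the password it was created with.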
ADManager Plus
ADManager Plus easily overcomes the limitations of Microsoft Saved Queries. As you can see in Figure 2, ADManager Plus allows a view of the users who have not logged in with a column indicating when the account was created.
Figure 2. In addition to users who have not logged in, ADManager Plus can show the date each user was created.
You can also see that there can be a column for the account status, such as enabled or disabled. All of these details in one view give the administrator insight into whether the account is a security risk or not, based on these criteria.
To go even further, all accounts in the list can be modified to be disabled/enabled, moved, deleted, and more – directly from the list shown in Figure 2.
You can try out ADManager Plus yourself by downloading it here. The free version of the product provides you access to these reports and much more.