User accounts that were created but have never been logged into are a significant security issue in any Active Directory environment. You can read more details about this security issue here.
Given the risk these accounts pose, how do we address it? Ideally the response should be automated rather than left to a periodic manual review, and ADManager Plus can automate it.
To automate the clean-up, we need three inputs:
- A list of user accounts that have never been logged into.
- The creation date (the whenCreated attribute) of each account in that list.
- The length of time an account may remain enabled with no logon before it is considered stale. This is the gap between an account being created and the employee starting work and logging in for the first time, so choose it from your own provisioning lead time.
With these parameters settled, the steps in ADManager Plus are as follows.
- Use the built-in Users Never Logged On report, which lists every user account with no recorded logon. Figure 1 illustrates what this report looks like. Bear in mind how Active Directory records logons: lastLogon is held per domain controller and is not replicated, while lastLogonTimestamp is replicated but may lag a real logon by up to 14 days, so any report that consults a single domain controller or relies only on the replicated attribute can list an account whose first logon is very recent.
Figure 1. ADManager Plus report showing all user accounts that have no user logins.
- Use the scheduler to automate disabling the accounts identified by the report from step 1. Figure 2 shows the related scheduler screen.
Figure 2. Automatically disable user accounts in ADManager Plus by leveraging the Users Never Logged On report.
- Configure the filter (via the "Select" link shown in Figure 2) so that only accounts created 30 or more days ago are disabled; the 30 days here is the grace period from parameter 3. Figure 3 illustrates what this looks like.
Figure 3. Filter to disable user accounts only if they were created 30 or more days ago.
The final decision is how often the automation should run. I would suggest every morning, or at least once a week; the shorter the interval, the shorter the window in which a stale account stays enabled past the grace period. Figure 4 illustrates how ADManager Plus handles this scheduling for the automation.
Figure 4. Scheduling an automation.
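The same report, filter and disable sequence can be reproduced or cross-checked outside the product. The script below is an added example written for this article, not ADManager Plus code. It assumes the RSAT ActiveDirectory module and a caller allowed to read lastLogon on every domain controller and to disable users; the OU, exempt group and log path in the param block are hypothetical placeholders. It goes a little beyond the steps above in two ways a practitioner usually wants: it confirms "never logged on" against every domain controller's unreplicated lastLogon before acting, and it honours an exemption group so break-glass or pre-staged accounts are never touched.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not ADManager Plus code): the report -> filter -> disable logic
  from the article, implemented with the RSAT ActiveDirectory module so it can be
  reproduced or cross-checked outside the product. The OU, exempt group and log
  path below are hypothetical placeholders; adjust them to your forest.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]    $GraceDays   = 30,                                   # parameter 3: acceptable creation-to-first-logon gap
    [string] $SearchBase  = 'OU=Staff,DC=example,DC=com',         # hypothetical scope to act on
    [string] $ExemptGroup = 'NeverLogon-Exempt',                  # hypothetical group of accounts never to auto-disable
    [string] $LogPath     = "$env:ProgramData\NeverLoggedOn\history.csv"   # run history, equivalent of Figure 5
)

Import-Module ActiveDirectory
$now    = Get-Date
$cutoff = $now.AddDays(-$GraceDays)

# Parameters 1 and 2: enabled accounts created before the cut-off whose replicated
# lastLogonTimestamp has never been set. That attribute lags a real logon by up to
# ~14 days, so this is only a first pass; it is confirmed against every DC below.
$candidates = Get-ADUser -SearchBase $SearchBase `
    -Filter { Enabled -eq $true -and whenCreated -lt $cutoff -and lastLogonTimestamp -notlike "*" } `
    -Properties whenCreated, lastLogonTimestamp

# Accounts that must never be auto-disabled (break-glass, pre-staged service accounts).
$exempt = @{}
try {
    Get-ADGroupMember -Identity $ExemptGroup -Recursive |
        ForEach-Object { $exempt[$_.DistinguishedName] = $true }
} catch {
    Write-Warning "Exempt group '$ExemptGroup' not found; no exemptions applied."
}

# lastLogon is held per DC and not replicated, so ask every DC before trusting "never".
$dcs = (Get-ADDomainController -Filter *).HostName

function Test-NeverLoggedOn {
    param([string]$DistinguishedName)
    foreach ($dc in $dcs) {
        try {
            $ll = (Get-ADUser -Identity $DistinguishedName -Server $dc -Properties lastLogon).lastLogon
            if ($ll -gt 0) { return $false }          # this DC has seen a logon
        } catch {
            # Fail safe: if any DC cannot be asked, do not disable on this run.
            Write-Warning "Cannot query $dc for $DistinguishedName; skipping this account. $_"
            return $false
        }
    }
    return $true
}

$results = foreach ($u in $candidates) {
    if ($exempt.ContainsKey($u.DistinguishedName)) { continue }
    if (-not (Test-NeverLoggedOn -DistinguishedName $u.DistinguishedName)) { continue }

    $ageDays = [int]($now - $u.whenCreated).TotalDays
    $action  = 'WouldDisable'                                       # what a -WhatIf run reports
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable: never logged on, created $ageDays days ago")) {
        Disable-ADAccount -Identity $u.DistinguishedName -Confirm:$false
        Set-ADUser -Identity $u.DistinguishedName `
            -Description "Disabled $($now.ToString('s')) by never-logged-on job; created $ageDays days ago"
        $action = 'Disabled'
    }
    [pscustomobject]@{
        RunTime        = $now.ToString('s')
        SamAccountName = $u.SamAccountName
        WhenCreated    = $u.whenCreated
        AgeDays        = $ageDays
        Action         = $action
    }
}

# Append this run to the history file and show it.
if ($results) {
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    $results | Export-Csv -Path $LogPath -Append -NoTypeInformation
    $results | Format-Table -AutoSize
} else {
    Write-Host "$($now.ToString('s')): no never-logged-on accounts older than $GraceDays days in $SearchBase"
}
```

Run it once with -WhatIf to see which accounts it would disable before letting it act, then register it as a daily scheduled task (Register-ScheduledTask with a -Daily trigger) under a dedicated least-privilege account, ideally a group managed service account. The CSV it appends to is the counterpart of the product's automation history and should be reviewed after each run.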
Once the automation is configured, it runs unattended. If you want to see which accounts were disabled during each run, the automation history records that, as Figure 5 shows. It is worth reviewing after each run: a new starter whose start date slipped past the grace period will have their account disabled along with the rest, and it will need to be re-enabled.
Figure 5. Automation history shows you which accounts were disabled.
As you can see, this important security issue can be addressed with ADManager Plus. To get your hands on ADManager Plus for use in your environment, please click here.