I keep getting questions about how to handle duplicate usernames when creating new Active Directory user accounts. Even as organizations are moving to the cloud, cleaning up AD, and merging with other companies, duplicate usernames are a hot topic. Now, if we go back to the basics of creating user accounts with the Active Directory Users and Computers tool, it will indicate if the username or the pre-Windows 2000 username is causing the duplication. However, there is no option to make the tool automatically deal with duplications. Instead, it’s up to the administrator to continually attempt additional logon names until a name is entered that does not duplicate an existing user account. If you try to handle du…
There is no formula that tells an Active Directory administrator when or how to perform certain actions. Some feel that manual actions are best, while others feel that automation is the only way, and the rest fall somewhere in between. I think the reality is that if a job is completed in a reasonable amount of time and the result is 100 percent correct, the approach was effective. The point is, some methods provide helpful options that others fail to give. For example, let’s say that you need a list of user accounts that have not logged on for over 90 days so that you can disable them. The caveat is that you don’t want to have to sift through user accounts that are already disabled, or user accounts that ha…
Users often want to log in to many computers, without logging out of any. Microsoft and Active Directory allow this without hesitation. Of course, this can cause issues for the user account, as well as for the computers where the user has not logged out. When a user account is being used to attack the network, it’s important to know which computer the user is logged into, especially if they’re logged on to more than one at the same time. Whether you want to know which users are logged on to multiple computers currently, or at a specific time in the past, you can get the information you need to track down an issue or attack. But how? With the right tool, it’s just a simple click! ADAudit Plus comes with a…
I know I’m not alone on this one. I travel a lot, and I always hated when my password expired while I was traveling, but I wasn’t notified. Sure, there is a notification built into Windows, but that only shows up as a pop-up on your computer when you’re logged in to the corporate network. What about road warriors who use a VPN or remote applications? It’s very frustrating when passwords expire and you’re in a remote location. To eliminate this problem, why not help users out by giving them notifications through other means, not just a pop-up on their computer? We can do that! Our solution gives you two of the best possible options for mobile, or even in-house, users.
Notify mobile use…
User accounts that were created yet the user never logged in – such user accounts are a significant security issue for all Active Directory environments. You can read more details about this security issue here. Given the security risk posed by these user accounts, how do we address that risk? Ideally, we would want an automated system to help out. There is a solution, which is automated! The solution is ADManager Plus. In order to automate a solution to address the problem, we need to consider the following parameters:
- Obtaining a list of user accounts that have never had a user log in.
- Obtaining the “when created date” for each user account obtained in parameter 1.
- Determining the length of time that is ac
Nearly every Active Directory database has at least one – a user account that was created, but the user never logged in. The reasons why the user never logged in are plentiful, but the fact that the user account was not addressed is still an issue. Why are user accounts that have not logged in an issue, you may be asking? Well, let’s go over some common configurations at user account creation time:
- User accounts are created hours, sometimes days, before the employees start work.
- All new user accounts are granted the same password at creation.
- User accounts are added to all of the necessary groups, to allow immediate access to resources.
It is 8am Monday morning. You, the Active Directory administrator, receive a stack of papers for the new employees of the week. You proceed to create the 12 new users. You proceed to ensure the first name, last name, and logon names are correct. You also input the password for new users, which is NewHire01. After you create all 12 user accounts, you proceed to configure the details for each account, including group membership, home drive, telephone number, and department. You complete the task by 8:20am and move on to the rest of your day. You have done this every week for the past 10 years and think nothing of the “setup” you just created for the disgruntled employee that is working in the engineering departm…
There are hundreds, if not thousands, of possible settings related to Active Directory, including group membership, user rights, access control lists (ACLs), delegations, and so many more. With all of these settings, there are always some settings missed or misconfigured. Here are three security-related settings that I have found most Active Directory environments fail to have set up correctly.
- Enterprise Admins group: For most Active Directory installations and corporations, the Enterprise Admins group should be empty. This group should be empty because the group capabilities are rarely utilized, but having a user in the group exposes that user account to attacks and the dangerous use of the group
There is nothing scarier to an Active Directory administrator than the thought of someone attacking the domain controllers. The majority of attacks come from within the internal network and come from existing domain users. If the attacker does not have elevated credentials, the goal for the attacker is to try to obtain these credentials. The typical method for this is to guess passwords of existing users. When an attacker tries to guess the password of another user, there will inevitably be failures – at least, we hope so! A high, repetitive number of failed logons for a single account can indicate a potential attack. The key is finding these failed logons before the attacker is successful, so you can neg…