Do your corporate security policies and compliance regulations require that Active Directory (AD) user accounts be disabled after certain period of inactivity? It's good security practice, and doing so keeps AD clean and organized.
When an employee leaves your organization, you need to disable that user account. In a perfect world, that would happen the moment the employee walks out the door. In the real world, though, it might be weeks or even years before you realize that you forgot to delete that account. Or perhaps you're not even aware that this person left!
Consider also that HR might only keep information about "primary" user accounts and be unaware of additional user accounts lurking in the system. What if someone creates a user account and leaves it untouched for long periods of time—in the interest of performing some kind of malicious activity?
Inactive Users Tracker lets you automate the management of inactive user accounts. The program periodically checks all user accounts in specified domains and reports all accounts that have been inactive for more than specified number of days.
Some of the benefits:
- Checks all users, and reports those that have been inactive for a specified number of days
- Automatically deactivates inactive user accounts, either by disabling or setting a random password, moving to another OU, or finally deleting such accounts
- Sends notifications to managers about their inactive direct reports
- Can send reports to IT auditors to ensure regulatory compliance (e.g., SOX, HIPAA, SAS-70)
To detect inactivity, the tool checks every user account's lastLogon and lastLogonTimestamp attributes, which represent the last time a user was authenticated by a specific DC. AD doesn't replicate these attributes; as a result, the values will be different on each DC. Inactive Users Tracker handles this correctly: It queries all DCs in the domain and uses the most recent logon time, sometimes called the "true last logon."
You can watch a demo of the product here.