Cleanup dormant accounts to maintain Active Directory
by: jonallena1
Word Count: 587
Date: Wed, 28 Dec 2011 Time: 1:44 AM
Over time, everything accumulates trash and junk, and Active Directory accounts are no exception. Long-abandoned accounts and data must be removed from the directory for a healthier network. Attackers looking to break into your network love stale accounts that have been lying quietly in Active Directory (AD). These accounts may belong to users who have left the company or moved to other departments or domains and no longer use their old accounts. They can sit unnoticed by your system administrators until an attacker, posing as an employee who simply hasn't logged on in ages, resurrects the account. What can follow from there hardly needs spelling out.
Keep your directory fresh by auditing Active Directory regularly to identify unused accounts. Disable any account that is currently not in use. Disabling alone does not eliminate the risk, however, because a determined impostor can revive a disabled account. So notify the owners of unused and dormant accounts and eventually delete those accounts, either manually or with a custom script. Repeating this process keeps your network safer and also improves the performance of Exchange servers.
Windows Server 2003 has a command-line tool, dsquery, and a GUI in the AD Users and Computers snap-in, both of which can locate all disabled users in a domain. Unused accounts that have not yet been disabled can also be identified in the AD Users and Computers snap-in through the Saved Queries interface. In Windows Server 2003 and Windows 2000 Server, the administrator can use the Ntdsutil.exe utility to manually remove the NTDS Settings object and server metadata. The version of Ntdsutil.exe included with Service Pack 1 or later service packs for Windows Server 2003 has been enhanced to make the metadata cleanup process complete. In Windows Server 2008 and Windows Server 2008 R2, the administrator can remove the metadata for a server object by removing the server object in the Active Directory Users and Computers snap-in.
In a large network, however, repeating all these tasks manually is tedious, and account removal must be performed periodically for the best results. It is therefore better to use an Active Directory cleanup tool. Such a tool automates the task and lets you look for accounts that have not been active for a fixed number of days, a number that can be taken directly from your IT security policy. The tool identifies duplicate objects to be merged and helps you get rid of extra, useless accounts. Active Directory admin tools also keep a list of the affected accounts so that the administrator can save the details of merge and delete operations for future reference.
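The audit-then-disable-then-record procedure described in the previous three paragraphs, written as a PowerShell script. This is an added example, not code from the article, from Microsoft or from Lepide; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), an account with rights to disable and move users, and a staging OU whose distinguished name is a placeholder you must change. The inactivity threshold, the exempt-account list and the report path are parameters so they can be set from your own policy.

```powershell
<#
Added example (not the article's or any vendor's code): find enabled user accounts
that have not logged on for a policy-defined number of days, disable them, record
the reason on the object, move them to a staging OU and export the list so that
deletion can be reviewed later. Run with -ReportOnly first to audit without changes.
#>
param(
    [int]$InactiveDays = 90,                                    # from your IT security policy
    [string]$StagingOU  = "OU=Disabled Users,DC=example,DC=com", # placeholder DN (assumption)
    [string[]]$Exempt   = @('Administrator', 'Guest'),           # accounts never touched (assumption)
    [string]$ReportPath = "$env:TEMP\dormant-accounts.csv",
    [switch]$ReportOnly
)
Import-Module ActiveDirectory

# LastLogonDate is derived from lastLogonTimestamp, which is replicated to every
# domain controller but can lag real logons by up to 14 days. Keep InactiveDays
# well above that lag so a recently active user is never flagged.
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Candidates: enabled users, not exempt, that are either stale or were created
# before the cutoff and have never logged on at all.
$stale = Get-ADUser -Filter { Enabled -eq $true } `
                    -Properties LastLogonDate, whenCreated, Description |
    Where-Object { $Exempt -notcontains $_.SamAccountName } |
    Where-Object {
        if ($_.LastLogonDate) { $_.LastLogonDate -lt $cutoff }
        else                  { $_.whenCreated   -lt $cutoff }
    }

$stamp  = Get-Date -Format 'yyyy-MM-dd'
$report = foreach ($u in $stale) {
    $action = 'reported'
    if (-not $ReportOnly) {
        # Disable first so the account cannot be used while the rest runs.
        Disable-ADAccount -Identity $u
        # Keep the reason and date on the object itself; anyone reviewing the
        # staging OU later can see why it was disabled and by which job.
        Set-ADUser -Identity $u -Description ("Disabled $stamp by dormant-account cleanup " +
            "(inactive > $InactiveDays days). Previous: $($u.Description)")
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $StagingOU
        $action = 'disabled and moved'
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OriginalDN     = $u.DistinguishedName
        LastLogonDate  = $u.LastLogonDate
        Created        = $u.whenCreated
        Action         = $action
        RunDate        = $stamp
    }
}

# The CSV is the record of what was done; keep it with the change ticket so the
# later delete step can be checked against it.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report
```

Deletion is deliberately not part of this script: after the notification period the staging OU can be reviewed and its members removed with Remove-ADUser, using the exported CSV as the checklist. On a Windows Server 2003 domain without the ActiveDirectory module, the command-line equivalent of the search is `dsquery user -inactive <weeks>`, with `dsquery user -disabled` listing accounts that are already disabled.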
Lepide Active Directory Management and Reporting (LADMR) is one such tool, with which you can manage Active Directory easily. It can help you keep your network safe from intruders and get rid of useless accounts to improve server performance. LADMR is an AD management and reporting tool and is therefore a complete package of Active Directory admin tools. It manages objects such as users, computers, groups, security settings, OUs and other network management objects. You can also build complex queries against Active Directory and WMI with a built-in interface (the query creator) without learning a scripting language. Reports can be exported to HTML, CSV, PDF, RTF and TXT formats for further reference. The software can be used free of charge for 30 days with all functions and features.
About the Author
The author of this article is a technical writer with in-depth knowledge of admin software and its use in an organization. Here he has discussed unused user accounts and why Active Directory cleanup must be performed. Manage Active Directory with self-guided Active Directory admin tools for maximum benefit.