A user account is created in Active Directory for each user in your environment. Over time as users leave the organization, their accounts do not always get removed from Active Directory. As a result, many organizations have an excessive amount of stale user accounts in Active Directory. You can identify a stale account using the last time the password was changed or the user's last login timestamp. Stale user accounts in Active Directory pose a significant risk to the organization since they are often used by an attacker or a disgruntled former employee. These inactive accounts can also start to clutter your AD environment.
Each user account has an attribute called PasswordLastSet, which records the last time a user changed their password. Since PasswordLastSet is a replicated attribute, only a single domain controller in each domain needs to be queried.
Windows Server 2003 introduced a new attribute called lastLogonTimeStamp to identify potentially stale accounts. This attribute activates the domain set to Windows Server 2003, Windows Server 2008, Windows Server 2008R2, Windows Server 2012 or Windows Server 2012R2 functional level.
Unlike the lastLogon attribute, which has been available since Windows NT 4.0, lastLogonTimeStamp is replicated every time it is updated. Therefore, querying this attribute is more convenient since only one domain controller in each domain must be queried.
Run a script that queries Active Directory for inactive user accounts to find the accounts. For example, in Active Directory Module for Windows PowerShell, Search-ADAccount –AccountInactive –UsersOnly command returns all inactive user accounts. Use the -DateTime or -TimeSpan switches to narrow down the date the computer last logged on.
Note: Lastlogontimestamp is not replicated every time somebody logs on. See Understanding the AD Account attributes - LastLogon, LastLogonTimeStamp and LastLogonDate, at https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx.
Dealing with stale user accounts often comes down to implementing effective de-provisioning processes. However, it is possible that users might be unable to work and therefore not log on for an extended period. Also, service accounts might not log on for extended periods. Consequently, you should incorporate multiple checks and have safeguards to help prevent disabling or deleting accounts that are still in use.
Suggested Actions
You should create a standard process to look for user accounts that have not changed their passwords in the last six months. Once the accounts are identified, disable, document, and remove them from Active Directory.
You can run a script in each domain that queries Active Directory for user accounts where the password age is over a certain time. For example, in Active Directory Module for Windows PowerShell, run the following script to list the user accounts where the password has not changed in the last six months.
$d = [DateTime]::Today.AddDays(-180)
Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimestamp -lt $d)' -Properties PasswordLastSet,LastLogonTimestamp | ft Name,PasswordLastSet,@{N="LastLogonTimestamp";E={[datetime]::FromFileTime($_.LastLogonTimestamp)}}
After stale accounts are identified, it is recommended to disable those user accounts, wait several weeks, and delete the accounts if no issues have been reported.
We are here to help!
Are you looking for ongoing advisory services to assist in identifying vulnerabilities and security policies that should be in place and help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of fortune 100 companies, and small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.
Contact Inception Security if your company is looking for advisory services.