Optimize your Active Directory: A complete guide to cleaning up inactive accounts

Published: 09/2024

When security comes first, cleaning up Active Directory is an essential step. Obsolete and inactive accounts can become entry points for cyber-attacks, and adversely affect system performance. I'll show you practical ways of identifying and managing these accounts, protecting your data and optimizing your network. Find out how to keep your Active Directory clean and secure.

Summary

Active Directory is Microsoft's directory service for managing identities and access within a network. However, over time, the creation and deletion of accounts can become haphazard, leading to an accumulation of obsolete, inactive or insecure accounts.

It is therefore advisable to clean Active Directory on a regular basis in order to:

  • strengthen organizational security. Inactive accounts are a gateway for cyber-attacks: nobody is watching them, yet they can still authenticate.
  • improve system performance. A directory bloated with stale objects makes searches and operations slower and less efficient.
  • protect user data. Keeping only the accounts and attributes that are still needed is what lets a company demonstrate rigorous identity management.

A clean Active Directory makes it easier to manage identities and therefore to manage GDPR (RGPD) compliance, by ensuring that only the necessary information is retained.

Just as you can't find anything in a cluttered house, time is wasted looking for information in a poorly maintained AD. The main problem is, of course, the acceleration of the employee lifecycle, with a steady pace of provisioning and deprovisioning to be carried out by the IT team.

Let's take a look at how to delete and deactivate inactive user accounts in AD.

What are the risks associated with inactive accounts in Active Directory?

Before we look at how to clean up AD, let's see why it's necessary. I'm going to skip over this part quickly, because if you're on this article, it's because you understand the importance of good Active Directory hygiene.

Without AD sanitization, you run the risk of security breaches; the objective is to reduce the attack surface.

The security risks are:

  • old user accounts that can be exploited. This is one of the easiest holes for attackers to use: the account is valid, nobody reviews it, and its credentials may have leaked long ago.
  • an accumulation of privileges with unjustified access rights. Privileges need to be reassessed regularly to ensure they still match the position the employee actually holds.
  • passwords that are no longer changed. If that password was also used for another application and that application is breached, every application the user had access to is compromised. Nobody is there to see the expiry prompt, and if the account was set to "password never expires" (common for forgotten accounts) the password simply stays valid.
  • accounts that no longer have an owner watching them. A user notices when their own account behaves strangely (unexpected prompts, notifications, lockouts); if the employee is gone, no one is alerted.
  • lateral movement within the network. As above, such an account is a foothold: an attacker uses it to reach servers, then tries to gain additional rights and access.

IT security risks

There is also an impact on Active Directory performance and on daily operations:

  • poor account administration leads to a bloated, slower directory. If accounts are not deleted, they simply accumulate.
  • domain controllers that manage far more objects than they need to see searches, replication and backups take longer.
  • the IT team spends more time searching for information and administering the AD when it's weighed down by inactive accounts.

We also note that during audits, a clean AD demonstrates compliance with security rules and rigorous access control.

If we look at the financial side, beyond the time spent by the teams (measured in hours of salary for each administrator), there is the matter of licences paid for nothing on other applications: those applications see an active AD account, assume the user is still part of the workforce, and keep billing the seat.


What are the warning signs of poor Active Directory maintenance?

With a question like that, I'm almost tempted to write you the 3rd will surprise you 😂.

  • Long-inactive accounts
  • Duplicate or orphaned user accounts
  • Former employee accounts still active
  • Accounts with excessive or inappropriate rights
  • Redundant or obsolete security groups
  • Lack of a coherent naming policy
  • Shared administrator accounts (I should have put this one in 3rd position, maybe 😉 )
  • Slow replication between domain controllers
  • Lack of traceability of changes made to the AD

How to identify and manage orphan accounts in Microsoft AD?

This section repeats some of the points from the previous question. Pay particular attention to obsolete and disabled accounts.

These accounts usually belong to former employees or temporary users whose authorization is no longer required. To identify them:

  • Use the PowerShell command Search-ADAccount -AccountDisabled to list all disabled accounts.
  • Check how long they have been disabled and delete those that have been disabled for a defined period (e.g. 90 days). Note that AD does not store a "disabled on" date: use whenChanged as an approximation, or, better, have your disable process write the date into the account's Description so the retention clock is explicit.

For inactive accounts, i.e. accounts that have not been used for a long time but are still enabled, the method is:

  • Use Search-ADAccount -AccountInactive -TimeSpan 90:00:00:00 (add -UsersOnly to skip computer accounts) to find accounts that have not logged on for 90 days.
  • Analyze the "lastLogonTimestamp" or "lastLogon" attributes of user objects. lastLogonTimestamp is replicated between domain controllers but updated lazily (by default it can lag the real last logon by up to 14 days), so it is good enough to find accounts idle for months; lastLogon is exact but not replicated, so to trust it you must query every domain controller and keep the most recent value. An account that has never logged on has neither attribute set.
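The two-pass approach described above, with the disable-and-move step mentioned later in this article, as an added example. This is not code from the article or from IT-Connect; it assumes the RSAT ActiveDirectory module, a 90-day threshold and a quarantine OU named OU=Quarantine,OU=Disabled Users,DC=corp,DC=example, all of which are placeholders to adapt.

```powershell
# Added example (not from the original article): shortlist enabled users by the
# replicated lastLogonTimestamp, confirm with the per-DC lastLogon, report them
# with their password age, then disable / stamp / move. Threshold and OU are assumptions.
Import-Module ActiveDirectory

$InactiveDays = 90
$QuarantineOU = 'OU=Quarantine,OU=Disabled Users,DC=corp,DC=example'   # assumed OU
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$DCs          = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Coarse pass on the replicated attribute (one query, may lag by ~14 days).
#    Accounts that never logged on have no lastLogonTimestamp: only treat them as
#    stale if the account itself is older than the threshold, so a freshly
#    provisioned account is not disabled before its first use.
$candidates = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties lastLogonTimestamp, whenCreated, PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        $ts = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        (($null -eq $ts) -and ($_.whenCreated -lt $Cutoff)) -or (($null -ne $ts) -and ($ts -lt $Cutoff))
    }

# 2. Precise pass: lastLogon is not replicated, so ask every DC and keep the newest.
function Get-TrueLastLogon {
    param([string]$SamAccountName)
    $newest = [DateTime]::MinValue
    foreach ($dc in $DCs) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon -ErrorAction Stop
            if ($u.lastLogon) {
                $t = [DateTime]::FromFileTime($u.lastLogon)
                if ($t -gt $newest) { $newest = $t }
            }
        } catch { Write-Warning "Could not query $dc for ${SamAccountName}: $_" }
    }
    if ($newest -eq [DateTime]::MinValue) { $null } else { $newest }
}

$report = foreach ($u in $candidates) {
    $realLast = Get-TrueLastLogon -SamAccountName $u.SamAccountName
    if ($realLast -and $realLast -ge $Cutoff) { continue }   # recent logon seen on some DC
    [PSCustomObject]@{
        SamAccountName       = $u.SamAccountName
        LastLogon            = $realLast          # $null = never logged on anywhere
        Created              = $u.whenCreated
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires   # stale AND never-expiring = worst case
        DistinguishedName    = $u.DistinguishedName
    }
}

$report | Sort-Object LastLogon |
    Export-Csv -Path ".\inactive-users-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# 3. Remediation: disable, stamp the date in Description (AD keeps no "disabled on"
#    attribute) and move to the quarantine OU. Keep -WhatIf until the CSV has been reviewed.
foreach ($r in $report) {
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd) by inactivity cleanup (last logon: $($r.LastLogon))"
    Set-ADUser    -Identity $r.SamAccountName   -Enabled $false -Description $note -WhatIf
    Move-ADObject -Identity $r.DistinguishedName -TargetPath $QuarantineOU -WhatIf
}
```

Run it as a user that can read lastLogon on every domain controller; the per-DC pass is the slow part, which is why it only runs on the shortlist. The CSV is the artefact to review with HR (see the "check before deleting" advice below) before removing -WhatIf.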

You'll find a more detailed article at IT-connect.

To identify orphan accounts, export the AD accounts and compare them with the HR list of employees currently on the payroll.

As for duplicate accounts, it's important to track them by looking for similar names and identical e-mail addresses. To facilitate this task, you can use custom PowerShell scripts to detect duplicates based on various attributes.
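The HR reconciliation and duplicate search from the two paragraphs above, as an added example that is not part of the article. It assumes provisioning writes the HR employee number into the AD employeeID attribute and the mailbox into mail, that the HR export has EmployeeID, Email and Status columns, and that service accounts live under OU=Service Accounts,DC=corp,DC=example; the HR rows are constructed sample data.

```powershell
# Added example: reconcile AD users against an HR export (orphans) and flag
# duplicates by mailbox and by person name. Attribute/column names and the OU to
# ignore are assumptions; the embedded HR rows are constructed sample data.
Import-Module ActiveDirectory

$hrCsv = @"
EmployeeID,Email,Status
1001,alice.martin@corp.example,Active
1002,bob.dupont@corp.example,Active
1003,carla.nguyen@corp.example,Left
"@
$hr       = $hrCsv | ConvertFrom-Csv          # real run: Import-Csv .\hr-export.csv
$hrActive = @{}
foreach ($row in $hr) { if ($row.Status -eq 'Active') { $hrActive[$row.EmployeeID] = $row } }

# One query for everyone, with the attributes needed for matching.
$users = Get-ADUser -Filter * -Properties employeeID, mail, whenCreated

# Service/admin accounts are legitimately absent from HR: exclude them by OU
# (assumed layout), not by naming convention, so a renamed account can't hide.
$ignoreOUs = @('OU=Service Accounts,DC=corp,DC=example')
$people = $users | Where-Object {
    $dn = $_.DistinguishedName
    -not ($ignoreOUs | Where-Object { $dn -like "*$_" })
}

function Find-OrphanAccounts {
    param($Users, [hashtable]$ActiveHr)
    foreach ($u in $Users) {
        $reason = if (-not $u.employeeID) { 'no employeeID' }
                  elseif (-not $ActiveHr.ContainsKey($u.employeeID)) { "employeeID $($u.employeeID) not active in HR" }
                  else { $null }
        if ($reason) {
            [PSCustomObject]@{ SamAccountName = $u.SamAccountName; Enabled = $u.Enabled
                               Created = $u.whenCreated; Reason = $reason; DN = $u.DistinguishedName }
        }
    }
}

function Find-DuplicateAccounts {
    param($Users)
    # Same mailbox on two objects: almost always a re-created account whose old one was never removed.
    $Users | Where-Object { $_.mail } |
        Group-Object { $_.mail.ToLowerInvariant() } | Where-Object Count -gt 1 |
        ForEach-Object { [PSCustomObject]@{ Key = $_.Name; Kind = 'mail'; Accounts = ($_.Group.SamAccountName -join ', ') } }
    # Same person, different logon name (jsmith / john.smith / jsmith2).
    $Users | Where-Object { $_.GivenName -and $_.Surname } |
        Group-Object { "$($_.GivenName) $($_.Surname)".ToLowerInvariant() } | Where-Object Count -gt 1 |
        ForEach-Object { [PSCustomObject]@{ Key = $_.Name; Kind = 'name'; Accounts = ($_.Group.SamAccountName -join ', ') } }
}

$orphans = Find-OrphanAccounts -Users $people -ActiveHr $hrActive
$dupes   = Find-DuplicateAccounts -Users $people

$orphans | Export-Csv .\ad-orphans.csv     -NoTypeInformation
$dupes   | Export-Csv .\ad-duplicates.csv  -NoTypeInformation
"{0} orphan candidate(s), {1} duplicate group(s)" -f @($orphans).Count, @($dupes).Count
```

An account with no employeeID at all is reported as an orphan on purpose: either it is a human account that was never linked to HR (a provisioning gap to fix) or it is a service account sitting outside the OU you expected, and both deserve a look. Name-based duplicates need a human eye, since two genuinely different people can share a name.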

Best practices for identifying orphan accounts

  1. Automate the process: set up PowerShell scripts to perform regular audits (or choose a third-party solution that can help you automate these audits).
  2. Establish a clear policy: define precise criteria for each type of account to be cleaned.
  3. Collaborate with HR: ensure regular synchronization between the HR database and Active Directory.
  4. Document the process: keep a record of all accounts identified for cleaning, including the reason for their selection.
  5. Check before deleting: make sure that identified accounts are really no longer needed before deleting them permanently (it would be awkward to delete the account of someone on maternity or sick leave).

Best practices for managing orphan accounts

How can I clean up inactive user accounts in Active Directory?

Cleaning up inactive accounts in Active Directory is an essential task for maintaining a secure, high-performance environment. Here are the main methods for cleaning up inactive accounts:

  • PowerShell offers powerful tools for identifying and managing inactive accounts. I refer you to the IT-Connect article linked earlier, which shows how to detect and disable inactive accounts and move them to a dedicated organizational unit.
  • SID History (the sIDHistory attribute) is used during domain migrations so that a migrated user keeps access to resources still ACL'd with their old SID. Left unreviewed, it is a liability: an unremarkable account can carry the SID of a privileged group in its SID History and thereby hold that group's rights in every domain of the forest without appearing in any membership list; misconfigured entries can be targeted by attackers; and across forest trusts, without SID filtering, a SID from one forest can be injected and honored in the other. Microsoft's guidance is to:
  1. Detect accounts with SID History entries that are not explained by a completed migration.
  2. Use PowerShell to remove those entries from the accounts concerned.
  3. Implement continuous monitoring so that new entries are detected and reviewed.
  • Metadata cleanup in Active Directory removes the leftovers of domain controllers that were demoted incorrectly or simply disappeared. It is essential for directory integrity, prevents replication problems, improves security and makes the environment easier to administer. Its benefits:
    1. Directory integrity: obsolete or incorrect information about deleted domain controllers is removed.
    2. Performance: eliminating unnecessary data improves the efficiency of AD operations and reduces the load on servers.
    3. Error prevention: stale metadata causes replication and consistency problems, for instance replication attempts toward a server that no longer exists.
  • It is crucial to monitor accounts with expired passwords: they are a significant security risk that can be exploited by malicious actors to gain access to sensitive data. To identify them, use Search-ADAccount -PasswordExpired | Select-Object Name, PasswordLastSet and then take appropriate action, such as disabling the accounts or notifying users to update their passwords. Be aware that this only lists passwords that have expired under policy; accounts flagged "password never expires" never show up here, so check their PasswordLastSet age separately.
  • Keep an eye on each group and its sensitivity to risk, and make sure you don't have too many "catch-all" groups.
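The SID History detection and removal steps above, as an added example; this is not Microsoft's tooling or the article's code. It classifies each sIDHistory entry by where its domain part comes from and whether its RID is a well-known privileged group, then removes only the entries that can never be legitimate. It assumes the RSAT ActiveDirectory module and a Domain Admin context for the removal step.

```powershell
# Added example (not from the article or Microsoft): audit sIDHistory domain-wide.
# Beyond "has SID History at all", two things deserve flags:
#  - an entry whose domain part is the CURRENT domain: a migration tool never
#    writes those, so it points at direct injection;
#  - an entry whose RID is a well-known privileged group: the account gets that
#    group's rights in its token with no visible membership.
Import-Module ActiveDirectory

$domainSid        = (Get-ADDomain).DomainSID.Value
$forestDomainSids = (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

# Domain-relative RIDs that are privileged in any domain, plus privileged BUILTIN SIDs.
$privilegedRids = @{ 500 = 'Administrator'; 512 = 'Domain Admins'; 516 = 'Domain Controllers'
                     518 = 'Schema Admins'; 519 = 'Enterprise Admins'; 526 = 'Key Admins'; 527 = 'Enterprise Key Admins' }
$builtinPrivileged = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-548' = 'Account Operators'
                        'S-1-5-32-549' = 'Server Operators'; 'S-1-5-32-551' = 'Backup Operators' }

function Test-SidHistoryEntry {
    param([string]$Sid)
    if ($builtinPrivileged.ContainsKey($Sid)) { return "privileged BUILTIN group ($($builtinPrivileged[$Sid]))" }
    $lastDash   = $Sid.LastIndexOf('-')
    $domainPart = $Sid.Substring(0, $lastDash)
    $rid        = [int]$Sid.Substring($lastDash + 1)
    $notes = @()
    if     ($domainPart -eq $domainSid)              { $notes += 'SID from the CURRENT domain (never legitimate)' }
    elseif ($forestDomainSids -contains $domainPart) { $notes += 'SID from another domain in this forest' }
    else                                             { $notes += 'SID from a foreign domain (expected after a migration)' }
    if ($privilegedRids.ContainsKey($rid))           { $notes += "privileged RID $rid ($($privilegedRids[$rid]))" }
    $notes -join '; '
}

$findings = Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
    $u = $_
    foreach ($entry in $u.sIDHistory) {
        $sid = [string]$entry            # SecurityIdentifier -> SDDL string
        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            SidHistory     = $sid
            Assessment     = Test-SidHistoryEntry -Sid $sid
        }
    }
}
$findings | Format-Table -AutoSize

# Remove only what can never be legitimate; review the rest by hand, because a
# foreign, unprivileged SID may still be needed until the migration is finished.
$findings | Where-Object { $_.Assessment -match 'CURRENT domain|privileged' } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -Remove @{ sIDHistory = $_.SidHistory } -WhatIf
}
```

Keep the -WhatIf until the findings have been reviewed, and re-run the audit on a schedule (the "continuous monitoring" step): a SID History entry that reappears after removal is an incident, not a migration leftover.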

Key steps for cleaning inactive accounts in Active Directory

Best practices for managing inactive accounts in the AD

The ANSSI has drawn up a document on how to optimally secure and manage Active Directory.

  1. Establish a clear policy defining the criteria for inactivity and the actions to be taken.
  2. Make backups before any major cleaning operation.
  3. Inform users and stakeholders before deactivating or deleting accounts.
  4. Document all cleaning actions for audit and compliance purposes.
  5. Set up a regular, automated process to keep your Active Directory clean.
  6. Monitor accounts for anomalies, including accounts that become inactive.
  7. Delete inactive accounts after a longer period, if there is no valid reason to keep them.
  8. Automate as much as possible, using scripts or tools to automate the detection and management of inactive accounts.
  9. Ensure that high-privilege accounts are specifically monitored for inactivity.

How can I automate AD account cleanup?

I could still talk to you about scripts, but I can also save you time and tell you about IAM (identity and access management) solutions that will help you automate a large number of actions, and above all are more reliable than human supervision (no offense).

Here's a list of what they can help you achieve:

  1. Automatic detection of inactive accounts: identification of accounts that have not been used for a defined period.
  2. Automate onboarding and offboarding processes: Automate the process of activating, deactivating and/or deleting accounts when a user joins or leaves the organization.
  3. Identify phantom accounts: identify accounts that do not correspond to a real user in the organization.
  4. Automated actions: configure automatic actions such as disabling, moving to a specific OU, or deleting identified accounts.
  5. Reports and alerts: generate regular reports on account status and send alerts for situations requiring special attention.
  6. Centralized management with HR systems: synchronization with HR databases to automate the creation, modification and deletion of accounts based on personnel movements.
  7. Identify orphan accounts: locate accounts that are no longer associated with an active user in the company.
  8. Alignment of authorizations: ensure that access rights are consistent with users' current roles and responsibilities.
  9. Automated workflows: workflows can be created to automate cleaning and account management actions.
  10. Traceability and auditing: All actions carried out on accounts are recorded, facilitating auditing and compliance processes.

As an IAM solution, Youzer can help you clean up AD on a day-to-day basis to facilitate management and ensure security. You'll be able to reduce the time spent manually managing AD accounts, while improving the security and compliance of your IT environment.

Manual AD management takes up your teams' time and skills. Managing a solution like Youzer allows you to set up immediately, with a simple logic for the day-to-day management of user accounts.

Regular Active Directory cleansing is essential to ensure security, performance and compliance within your organization. By eliminating inactive, obsolete or insecure accounts, you reduce the risk of cyber-attacks and improve operational efficiency.

Adopting rigorous identity management practices, such as the use of PowerShell scripts and the implementation of automation solutions like IAM, not only optimizes the operation of the AD, but also facilitates the work of IT teams.

Investing in a clean and well-maintained Active Directory is not only a question of security, but also a lever for improving productivity and peace of mind within your company.

Need to estimate the cost of an IAM project?

Download this white paper on the cost of inaction in IAM :

