What is a ghost account and how to detect them in your Active Directory

Mélanie Lebrun


Youzer Marketing Manager


I explain how to detect and eliminate phantom accounts that are still in your Active Directory even though the user is no longer there, what the consequences of such oversights are, and how to remedy them. Let's get started!


In its report on the cyber threat in 2022, ANSSI deplored an increase in cyberattacks on very small, small and medium-sized enterprises and mid-sized companies (VSEs, SMEs and ETIs), which together accounted for 40% of the ransomware attacks reported to it.

Shadow IT is a serious threat to businesses and local authorities alike, and is behind a significant proportion of cyberattacks.

Ghost accounts are accounts in your Active Directory that nobody uses any more, and which could serve as a gateway into your information system for an attacker.

Like shadow IT, these accounts exist in your company outside the control of the IT department.

What is an AD phantom account?

Phantom accounts can fall into several categories:

  • "system" accounts: accounts created by third-party applications or systems that are no longer in use because the system that needed them is gone. A classic example is the "BESAdmin" account, well known to system administrators (less so to the general public): it was created for BlackBerry Enterprise Server in BlackBerry's heyday and is typically still there long after the server was retired.
  • orphan user accounts: the user has left the company, but the account is still enabled.
  • accounts that are used very rarely by design, such as emergency (break-glass) accounts, and have therefore sat "vacant" for more than a year.

On average, a quarter of the accounts in an Active Directory are dormant!


Why are these accounts dangerous?

These accounts represent a risk because nobody uses them and nobody owns them: they fall outside the day-to-day scope of the IT department, which is already busy managing the accounts of current users.

Attackers can use these accounts discreetly to gain access to servers, company files and so on. Since no legitimate user logs in with them, nobody notices the activity, and a fair proportion of dormant accounts carry elevated rights, which increases the impact.

A former employee may also continue to have access to company data, even though he or she has moved on to a competitor.

What's more, we are only talking here about ghost accounts in Active Directory, not in the company as a whole: the digital-native generation does not hesitate to install and use personal, unsanctioned SaaS applications to store company data. How can you manage that second aspect if your own AD is not exemplary?


How do you detect these accounts?

These accounts are difficult to detect: no single attribute identifies them, so you have to cross-reference information held by different departments of the company.

  • the date of last use: a good first indication for accounts that have not been used for, say, more than 3 months and are therefore potentially ghost accounts. In AD, the replicated lastLogonTimestamp attribute is only refreshed every 9 to 14 days, so treat it as accurate to about two weeks; the exact lastLogon attribute is held per domain controller and is not replicated.
  • all accounts whose password expired several months ago and has not been renewed. Expiry is not stored on the account: it is computed from pwdLastSet and the password policy's maximum age, and accounts flagged "password never expires" will never appear here.

⚠️ Beware, however, of long-term absences: you don't necessarily have to deactivate the account of someone on maternity or sick leave.

You can, however, suspend the account of a person who is away for a long period, so that it cannot be used in the meantime.

What's more, if the account is being used by an attacker, it will not appear on this list at all: the attacker's logons keep the "last use" date fresh.

  • the list of employees currently present, provided by the HR department. Accounts that cannot be matched to a person on this list are likely to be "at risk".
    This means reconciling the HR file with the file of IT accounts: a reconciliation between people and accounts.

There are, however, many exceptions: accounts created for service providers, or simply system and service accounts, have no employee behind them and need to be listed separately so that they are not flagged every time.
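The three signals above (last logon, password age, HR reconciliation) combined into one shortlist, as an added example that is not Youzer's code nor part of the original article. It assumes the RSAT ActiveDirectory module with read access to the domain, a hypothetical HR export at C:\hr\employees.csv with EmployeeID and Email columns, and a hand-maintained service-account OU and break-glass account name (all hypothetical values). It also illustrates the "technical data against HR data" cross-referencing described in the IAM section further down.

```powershell
# Added example, not Youzer's code. Shortlists candidate ghost accounts by combining
# last logon, password age and HR reconciliation.
# Assumptions (hypothetical): RSAT ActiveDirectory module, read access to the domain,
# an HR export with EmployeeID and Email columns, one service-account OU, one break-glass account.
Import-Module ActiveDirectory

$InactiveDays      = 90
$PasswordGraceDays = 90                       # "expired several months ago and not renewed"
$HrExportPath      = 'C:\hr\employees.csv'
$ExcludedOUs       = @('OU=Service Accounts,DC=corp,DC=example')
$BreakGlass        = @('emergency-admin')     # rarely used by design: review by hand, never auto-flag
$Now               = Get-Date

# Expiry is not stored on the object: it is pwdLastSet plus the policy's maximum age.
# Fine-grained password policies can override this per group; check them if you use any.
$MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

function Test-Excluded([string] $DistinguishedName, [string] $SamAccountName) {
    if ($BreakGlass -contains $SamAccountName) { return $true }
    foreach ($ou in $ExcludedOUs) { if ($DistinguishedName -like "*,$ou") { return $true } }
    return $false
}

# HR reconciliation: anyone in the export counts as present. Match on employeeID first, then mail.
$hrByEmployeeId = @{}
$hrByMail       = @{}
foreach ($row in Import-Csv -Path $HrExportPath) {
    if ($row.EmployeeID) { $hrByEmployeeId[$row.EmployeeID.Trim()] = $row }
    if ($row.Email)      { $hrByMail[$row.Email.Trim().ToLower()] = $row }
}

# lastLogonTimestamp is replicated but only refreshed every 9-14 days, so it is accurate
# to about two weeks. lastLogon is exact but per domain controller and not replicated.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, pwdLastSet, whenCreated, PasswordNeverExpires, employeeID, mail

$findings = foreach ($u in $users) {
    if (Test-Excluded $u.DistinguishedName $u.SamAccountName) { continue }
    $reasons = @()

    $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    if ($null -eq $lastLogon) {
        if ($u.whenCreated -lt $Now.AddDays(-$InactiveDays)) {
            $reasons += "never logged on, created $($u.whenCreated.ToString('yyyy-MM-dd'))"
        }
    } elseif ($lastLogon -lt $Now.AddDays(-$InactiveDays)) {
        $reasons += "last logon $($lastLogon.ToString('yyyy-MM-dd'))"
    }

    # pwdLastSet is a FILETIME; 0 means "must change password at next logon".
    if ($u.pwdLastSet -gt 0 -and -not $u.PasswordNeverExpires -and $MaxPwdAge -gt [TimeSpan]::Zero) {
        $expiredOn = [DateTime]::FromFileTime($u.pwdLastSet) + $MaxPwdAge
        if ($expiredOn -lt $Now.AddDays(-$PasswordGraceDays)) {
            $reasons += "password expired $($expiredOn.ToString('yyyy-MM-dd')), never renewed"
        }
    }

    $inHr = ($u.employeeID -and $hrByEmployeeId.ContainsKey($u.employeeID)) -or
            ($u.mail -and $hrByMail.ContainsKey($u.mail.ToLower()))
    if (-not $inHr) { $reasons += 'no matching HR record' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            LastLogon         = $lastLogon
            Reasons           = $reasons -join '; '
        }
    }
}

# An account with "no matching HR record" but a recent logon is the interesting case:
# inactivity alone would never have surfaced it.
$findings | Sort-Object LastLogon | Format-Table SamAccountName, LastLogon, Reasons -AutoSize
if ($findings) { $findings | Export-Csv -NoTypeInformation -Path '.\ghost-account-candidates.csv' }
```

The output is a review list, not a kill list: every row still needs a human decision (long-term absence, contractor whose HR record lives elsewhere, service account nobody documented). Accounts that are recently active yet absent from HR deserve the first look, since that is the profile of an attacker keeping a leaver's account warm.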

How do you deal with these dormant accounts in your AD?

At this point, you should understand the benefits of implementing an account management policy in your company. So how do you go about getting your AD in order?

You can either delete them completely or disable them. What's the difference between the two? Traceability. A deleted account takes its SID and group memberships with it: permissions granted to it show up as unresolved SIDs in ACLs, and an account recreated later with the same name is a different identity (unless the AD Recycle Bin is enabled and the object is restored in time). A disabled account keeps all of that. If you need to keep a history of your old accounts, we recommend disabling them; otherwise deletion is simpler.

To ensure that deactivation is carried out correctly, we recommend the following steps:

  • identify dormant accounts using the steps described above;
  • disable the accounts;
  • check which groups these accounts belong to. You have probably structured your AD into divisions, perhaps even created groups for important projects, access to certain premises and so on. Record the memberships, then remove the accounts from those groups;
  • reset the account password with a tool of your choice that generates a strong random password, so that a leaked or shared password is no longer valid even if the account is re-enabled by mistake;
  • move the account to an OU reserved for suspended accounts so that it is easy to find again (especially for traceability purposes);
  • update the account description to state that the account has been suspended, since when, by whom and why.
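The suspension procedure above as one idempotent function, added here as an example rather than Youzer's code or the article's own tooling. It assumes the RSAT ActiveDirectory module, rights to modify the accounts, and a pre-created "OU=Suspended Accounts,DC=corp,DC=example" (a hypothetical name); the function name, parameters and log path are likewise assumptions. It moves the object last, because the distinguished name changes on the move, and addresses the object by GUID throughout so that every step still finds it.

```powershell
# Added example, not Youzer's code. Suspends one ghost account following the steps above.
# Assumptions (hypothetical): RSAT ActiveDirectory module, write access to the accounts,
# and an existing OU for suspended accounts.
Import-Module ActiveDirectory

function Suspend-GhostAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Reason,
        [string] $SuspendedOU  = 'OU=Suspended Accounts,DC=corp,DC=example',
        [string] $EvidencePath = '.\suspended-accounts.log'
    )
    process {
        # Address the object by GUID: its DN changes once it is moved.
        $user  = Get-ADUser -Identity $SamAccountName -Properties memberOf, description
        $guid  = $user.ObjectGUID
        $stamp = (Get-Date).ToString('yyyy-MM-dd')
        $by    = "$env:USERDOMAIN\$env:USERNAME"

        if (-not $PSCmdlet.ShouldProcess($SamAccountName, "suspend ($Reason)")) { return }

        # 1. Disable first: nothing below matters while the account can still log on.
        Disable-ADAccount -Identity $guid

        # 2. Record, then strip, group memberships. memberOf does not list the primary
        #    group (usually Domain Users), which cannot be removed this way anyway.
        $groups = @($user.memberOf)
        foreach ($g in $groups) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }

        # 3. Reset the password to 24 CSPRNG bytes, base64-encoded (upper, lower, digits)
        #    plus a symbol, so a leaked password is dead even if someone re-enables the account.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + '!') -AsPlainText -Force
        Set-ADAccountPassword -Identity $guid -NewPassword $newPassword -Reset

        # 4. Document on the object: description (1024 chars max) for the summary,
        #    the info (Notes) attribute for the former group list.
        $note = "SUSPENDED $stamp by $by: $Reason. Previous description: $($user.description)"
        Set-ADUser -Identity $guid -Description $note.Substring(0, [Math]::Min($note.Length, 1024))
        Set-ADUser -Identity $guid -Replace @{ info = "Former groups:`r`n" + ($groups -join "`r`n") }

        # 5. Park it where it is easy to find again.
        Move-ADObject -Identity $guid -TargetPath $SuspendedOU

        # Off-object evidence as well: the description can be edited later by anyone with rights.
        "$stamp`t$by`t$SamAccountName`t$Reason`t$($groups -join ',')" | Add-Content -Path $EvidencePath
    }
}

# Usage with constructed account names; drop -WhatIf once the dry run looks right.
'besadmin', 'jdupont' | Suspend-GhostAccount -Reason 'left company, no HR record' -WhatIf
```

Run it first with -WhatIf against the reviewed candidate list; the ShouldProcess check sits after the read-only lookup, so a dry run shows exactly which accounts would be touched without changing anything. Group memberships are written to the log before they are removed, so reinstating a wrongly suspended account is a matter of reading the line back.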


So how do you find your way around when every method has exceptions?

At this stage, you're probably thinking:
1) what she's proposing is tedious to set up;
2) the methods don't guarantee 100% detection of orphan accounts!

Dormant accounts fall into several categories, as we have seen, and there is a simple and above all clean solution that meets security requirements: an identity and access management (IAM) solution.

The power of an IAM lies in its ability to cross-reference technical data (Active Directory accounts) with HR data.
Thus, each account must be associated with an individual, who in turn is associated with the company through a contractual link (employee, service provider, etc.).

Phantom accounts are therefore easy to identify, thanks to the combined input of HR and IT.
With an IAM tool, you are alerted whenever there is an "orphan" account, i.e. one associated with no person.

Link your active directory accounts to your users

Thanks to the Active Directory Connector (easily installed from our platform), your Active Directory inventory is always up to date, and you can view your accounts directly without any particular action on your part.
This gives you a real-time snapshot of all your active accounts and whether or not each one is associated with a user, so you can deal with every account that is not attached to any person. How convenient!
