How to clean up dormant accounts in Active Directory

Inactive or dormant Active Directory accounts can serve as a gateway for attackers. Learn how to identify and clean up inactive Active Directory accounts in this Identity Management and Access Control Ask the Expert Q&A.

Joel Dubin

How can I identify and clean up unused or dormant accounts in Active Directory?

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Attackers looking to break into your network love stale accounts that have been sitting patiently and quietly in Active Directory (AD). These accounts may be from users who have left the company, or have moved to other positions and no longer need the access granted by their old accounts. They can sit unnoticed by your system administrators until a hacker masquerading as an employee who just hasn't logged on in ages brings them back from the dead.

Performing regular audits of Active Directory will help you identify unused accounts. Once you find them, disable them to help lower the security risk. Unfortunately, that won't eliminate risk because even a disabled account can be revived by a determined intruder. However, Windows Server 2003 does have a command line tool, dsquery, and a GUI in the AD Users and Computers snap-in, that can locate all disabled users in a domain. Once found, you can delete these accounts, either manually or by writing a custom script.

For unused accounts that have not been disabled, the AD Users and Computers snap-in has a Saved Queries interface. You can look for accounts that haven't be active for a fixed number of days – a number that may already be defined in your IT security policy – and then either notify the errant users to see if they're still active, or simply delete them

More on this topic

Parents accuse Amazon of inaction in combatting child abuse material online

Coronavirus: Amazon warehouse workers strike over concerns about workplace safety and protections

Fighting fit: The ODI on courting startups to use open data to get the UK moving

Infinite io clusters its network storage controller

6 SaaS security best practices to protect applications

Review these 7 CASB vendors to best secure cloud access

CASB explained: Know its use cases before you buy

Cisco sweetens Acacia deal by $2 billion

SASE challenges include network security roles, product choice

Refreshing look at Wi-Fi 6 benefits, preparations

Parler sues AWS, seeks restraining order

Digital healthcare top priority for CIOs in 2021

C-suite execs give future technology predictions for the decade

CES: Laptops sport designs friendly for remote workers

Evaluate if Windows 10 needs third-party antivirus

PCaaS vs. DaaS: learn the difference between these services

COVID-19 and remote work shift cloud predictions for 2021

Cloud providers jockey for 2021 market share

How to build a cloud center of excellence

Banks and telcos lead big data analytics spending in APAC

Etive to create digital identity trust scheme for residential property market

All EU states can take data protection cases against Facebook says EU court