Employees’ access to company systems should be turned off when they leave. But sometimes, this doesn’t happen as it should. Especially in small companies without IT departments, this step can be missed.
This mistake can lead to security problems. In this article, I’ll explain how to find and deactivate inactive user accounts to improve security quickly.
Determine inactive user accounts via PowerShell.
Having user accounts that aren’t deactivated can lead to two main issues. First, even if an account isn’t being used, it still requires a Windows domain access license, and this can create unnecessary costs. Second, and more importantly, if these accounts aren’t deactivated in the system, they can still be used to access company resources.
This is a security risk because even if an employee has left, they could still log in and access data, especially if their VPN access is connected to their account. This could lead to unauthorized access to sensitive information.
Read non-deactivated user accounts.
As an external service provider, you are often not informed immediately when an employee leaves. For this reason, it is useful to check for inactive user accounts routinely. The easiest way to do this is with PowerShell: the cmdlet Search-ADAccount retrieves information about all accounts in Active Directory.
Users that are inactive but have not been deactivated can be identified with the following command:
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 100.00:00:00 |
    Where-Object { $_.Enabled } |                      # keep only accounts that are still enabled
    Sort-Object -Property LastLogonDate -Descending |  # most recently used first
    Format-Table Name, LastLogonDate, Enabled -AutoSize
With the parameter TimeSpan, we limit the search so that only users whose last login was more than x days ago are displayed. In the example, it is 100 days. (Format: -TimeSpan days.hours:minutes:seconds.)
In practice, it looks like this:
With the help of this list, one can identify user accounts that are still active but have not been used for a long time. With a small modification, inactive computer accounts can also be identified.
Integrated into a recurring Windows task, you could also use it to be regularly informed by e-mail about user accounts that have not been deactivated.
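The following script is an added example, not code from the original article: it wraps the Search-ADAccount query above into a reusable check that excludes known service accounts, treats never-used accounts by creation date, writes a CSV report for the scheduled-task variant, and disables the remaining accounts only after a -WhatIf dry run. The exclusion list, report path and description text are my own placeholders.

```powershell
# Added example: report and optionally disable enabled user accounts that have not
# logged on for a given number of days. Assumes the ActiveDirectory module (RSAT)
# and an account with rights to read and modify the users in question.
Import-Module ActiveDirectory

function Get-StaleEnabledUser {
    param(
        [int]$Days = 100,
        # Placeholder list: accounts that legitimately never log on (service/break-glass accounts)
        [string[]]$Exclude = @('svc-backup', 'breakglass-admin')
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $Days) |
        Where-Object { $_.Enabled -and ($_.SamAccountName -notin $Exclude) } |
        Get-ADUser -Properties LastLogonDate, whenCreated |
        Where-Object {
            # Accounts that have never logged on have no LastLogonDate; judge those by
            # creation date so a freshly provisioned account is not flagged (my assumption)
            $reference = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
            $reference -lt $cutoff
        }
}

function Disable-StaleEnabledUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 100,
        [string]$ReportPath = "$env:TEMP\stale-users.csv"   # placeholder path
    )
    $stale = @(Get-StaleEnabledUser -Days $Days)
    # The report can be attached to a mail (e.g. Send-MailMessage) from a scheduled task
    $stale | Select-Object Name, SamAccountName, LastLogonDate, whenCreated, DistinguishedName |
        Export-Csv -Path $ReportPath -NoTypeInformation
    foreach ($user in $stale) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable account (inactive > $Days days)")) {
            # Record when and why in the description so the change is auditable and reversible
            Set-ADUser -Identity $user -Description ("Disabled {0:yyyy-MM-dd}: inactive > {1} days" -f (Get-Date), $Days)
            Disable-ADAccount -Identity $user
        }
    }
    $stale
}

# Dry run first: shows what would be disabled without changing anything.
# Drop -WhatIf once the list has been reviewed.
Disable-StaleEnabledUser -Days 100 -WhatIf
```

Replacing -UsersOnly with -ComputersOnly (and Get-ADUser/Set-ADUser/Disable-ADAccount with their computer equivalents) gives the computer-account variant mentioned above.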