Many corporate security policies and compliance regulations require that Active Directory user accounts must be disabled after a certain period of inactivity. This is a good practice; doing so keeps Active Directory secure and clean. For example, someone can create a user account, leave it untouched for many days, and then use it to perform malicious activity against an organization. Another example is employee retirement: User accounts must be disabled when an employee quits an organization, but in practice, IT departments are usually the last to know when somebody leaves. Also, most HR databases only keep information about the "primary" user account and know nothing about additional user accounts.
Inactive Users Tracker automates the management of inactive user accounts. The program periodically checks all user accounts in specified domains and reports all accounts inactive for more than specified number of days.
To detect inactivity, the tool checks the "lastLogon" and "lastLogonTimestamp" attributes of every user account, which represent the last time a user was authenticated by a specific DC. AD doesn't replicate these attributes; as a result, the values will be different on each DC. The Inactive Users Tracker handles this correctly: It queries all DCs in the domain and uses the most recent logon time, sometimes called the "true last logon".
We´re very happy with how Netwrix Inactive Users Tracker working, and has literally saved us hours (days?) of work tidying up our Active Directory, so now our auditors are happy too! /Nigel Bates, IT Support Manager, North Warwickshire Borough Council/