Many corporate security policies and compliance regulations require that Active Directory user accounts must be disabled after a certain period of inactivity. This is a good practice; doing so keeps Active Directory secure and clean. For example, someone can create a user account, leave it untouched for many days, and then use it to perform malicious activity against an organization. Another example is employee retirement: User accounts must be disabled when an employee quits an organization, but in practice, IT departments are usually the last to know when somebody leaves. Also, most HR databases only keep information about the "primary" user account and know nothing about additional user accounts.
Inactive Users Tracker automates the management of inactive user accounts. The program periodically checks all user accounts in specified domains and reports all accounts inactive for more than specified number of days.
Product features:
- Checks all users and reports those that have been inactive for a specified number of days;
- Automatically deactivates inactive user accounts, either by disabling or setting a random password, moving to another OU, or finally deleting such accounts;
- Sends notifications to managers about their inactive direct reports;
- Reports can be sent to IT auditors to ensure regulatory compliance (SOX, HIPAA, SAS-70, etc).
To detect inactivity, the tool checks the "lastLogon" and "lastLogonTimestamp" attributes of every user account, which represent the last time a user was authenticated by a specific DC. AD doesn't replicate these attributes; as a result, the values will be different on each DC. The Inactive Users Tracker handles this correctly: It queries all DCs in the domain and uses the most recent logon time, sometimes called the "true last logon".
The product has Freeware and Enterprise Editions. Please review the
side-by-side comparison for more information.
