Inactive User Tracking with Netwrix Auditor

Automatically detect and disable inactive accounts in Active Directory

Many corporate security policies and compliance regulations require that Active Directory user accounts must be disabled after a certain period of inactivity. This is a good practice; doing so keeps Active Directory secure and clean. For example, someone can create a user account, leave it untouched for many days, and then use it to perform malicious activity against an organization. Another example is employee retirement: User accounts must be disabled when an employee quits an organization, but in practice, IT departments are usually the last to know when somebody leaves. Also, most HR databases only keep information about the "primary" user account and know nothing about additional user accounts.

Netwrix Auditor automates the management of inactive user accounts. The program periodically checks all user accounts in specified domains and reports all accounts inactive for more than specified number of days.

This feature is available in the Netwrix Auditor solutions for:

Product features:

  • Checks all users and reports those that have been inactive for a specified number of days;
  • Automatically deactivates inactive user accounts, either by disabling or setting a random password, moving to another OU, or finally deleting such accounts;
  • Sends notifications to managers about their inactive direct reports;
  • Reports can be sent to IT auditors to ensure regulatory compliance (SOX, HIPAA, SAS-70, etc).

To detect inactivity, the product checks the "lastLogon" and "lastLogonTimestamp" attributes of every user account, which represent the last time a user was authenticated by a specific DC. AD doesn't replicate these attributes; as a result, the values will be different on each DC. Netwrix Auditor handles this correctly: It queries all DCs in the domain and uses the most recent logon time, sometimes called the "true last logon".

Download Free Trial Request Quote