Active Directory clean-up: Should you automate it?

Sree Mahalakshimi

June 25

5 min read


Active Directory (AD) helps IT administrators store the organization's resources hierarchically, including users, groups, and devices such as computers and printers. This lets them define account- and group-based rules centrally, enforce them, and demonstrate compliance through automatically generated logs of non-compliant activity.

Cleanup of Active Directory

Cleaning up AD from time to time is essential to keeping it secure and tidy. Since organizations are dynamic, it is important to periodically scan for accounts belonging to employees who have left or changed responsibilities and eliminate these superfluous footprints from the directory. Such accounts pose a security risk because attackers are likely to exploit them to infiltrate the network.

Nick Powers, a pen tester (or ethical hacker), found vulnerabilities in the systems of eight hospitals during his pen testing sessions. The hospital had a secure wireless network, and users could connect only using certificate-based authentication. But he was able to enter the internal network via an unused X-ray device running an outdated version of Windows. The person who had previously accessed it held administrator access to AD. Powers determined that an attacker with a basic skill set could recover those credentials from memory and gain access to the entire network.

This and similar situations can be avoided by cleaning up AD on a regular basis. This involves reviewing access permissions, accounts, and groups to revoke access, disabling old or inactive accounts and groups, and monitoring the activities of newer accounts. Removing inactive accounts saves the time spent maintaining them and reduces the time needed to find active accounts, keeping the directory functioning effectively.

Best practices for AD cleanup

AD cleanup can be accomplished by following the steps below. Each activity can be carried out with scripts and commands written for that specific task.

Analyze the accounts regularly:

The first step in maintaining a clean AD is to review it periodically. Before beginning the review, it is a good idea to make a list of active user accounts. Mapping active accounts to employee IDs makes it easy to identify inactive, unused, and duplicate accounts and groups quickly. These vulnerable accounts are an easy target for threat actors.

  • Remove disabled accounts: IT administrators often choose to disable the user accounts of employees who are on temporary or long leave. They also back up the credentials and data in these accounts before deleting them. Attackers might use these disabled accounts to intrude into the network and gain access to critical resources. Therefore, disabled accounts should be periodically checked, regularly monitored for any activity, and removed as necessary. Users such as auditors or third-party vendors need temporary accounts that will be deleted later; establishing a policy for regularly reviewing these accounts helps manage and remove them.
  • Delete inactive, unused, and duplicate accounts: Even though the IT team disables and removes a user's account when they leave the organization, it is important to look for unused accounts from time to time. A best practice is to make a backup of the data first. Some accounts are created and abandoned without ever being used; these can be detected by evaluating the last logon timestamp. Generally, any account that hasn't been accessed for 90 days or more is considered inactive, but this duration can vary depending on the organization's policy. Deleting unused and duplicate accounts clears out obsolete data and protects the network from attackers.
  • Monitor new account creation: New accounts can be created by adversaries, malicious insiders, or malware to gain access to the network. By keeping an eye on new account creation, illegitimate accounts can be identified. Information like the name of the account creator, and their designation can help identify non-compliant accounts.
  • Take action on accounts with an expired password: An account with expired login credentials may indicate that the user has been inactive for a long period. Such accounts are prone to security risks because their activities often go unnoticed. A periodic analysis helps detect and remove accounts left inactive by a user's departure from the organization or change of role.
  • Manage the groups: Creating groups in AD simplifies administration and helps manage similar users in terms of delegation, information sharing, and so on. These groups may become inactive, empty, or obsolete over time. For example, some members of a group may switch teams but retain permissions from their previous role that are no longer appropriate. Auditing AD on a regular basis helps identify and clean up such groups.

Automating AD clean-up

Unnoticed and unmanaged AD accounts threaten network security, so it is critical to maintain and manage them on a regular basis. Writing and running scripts to clean up AD by hand can consume a lot of the IT team's time and effort. This is feasible in smaller organizations, but it becomes daunting and inefficient in medium and large organizations with thousands of user accounts and groups. Automating cleanups comes to the rescue for these organizations.

These functionalities can be automated:

  • Finding unused and inactive accounts that have not logged on for a certain number of days.
  • Finding expired AD accounts.
  • Revoking permissions, and deleting unused accounts, users, and groups.
  • Creating and modifying user groups.
  • Creating and modifying objects in AD.
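As an added example (not code from this post or from ManageEngine's product), the PowerShell script below implements the checks from the best-practices list above and the first three automatable functions: it reports inactive accounts, expired passwords, recently created accounts, and empty groups, then stages inactive accounts for removal instead of deleting them outright. It assumes the RSAT ActiveDirectory module on a domain-joined host; the OU paths, thresholds, and CSV path are placeholders to adapt.

```powershell
# Added example, not code from the original post. Requires the RSAT ActiveDirectory
# module on a domain-joined host; OU paths below are placeholders.
Import-Module ActiveDirectory

$InactiveDays = 90                                        # threshold from the post
$NewAcctDays  = 7                                         # window for "new account" review
$StagingOU    = 'OU=Pending-Review,DC=example,DC=com'     # placeholder OU
$GroupsOU     = 'OU=Groups,DC=example,DC=com'             # placeholder OU
$ExcludeOU    = 'OU=Service Accounts,DC=example,DC=com'   # placeholder: never auto-stage
$DryRun       = $true                                     # set $false only after reviewing the CSV
$Now          = Get-Date

# LastLogonDate is derived from lastLogonTimestamp, which replicates lazily (up to 14 days
# behind), so it suits a 90-day rule but not short windows. Accounts that never logged on
# have no value at all; fall back to creation time so they are not silently skipped.
function Get-LastActivity($User) {
    if ($User.LastLogonDate) { $User.LastLogonDate } else { $User.whenCreated }
}

$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, whenCreated, PasswordExpired |
    Where-Object { $_.DistinguishedName -notlike "*,$ExcludeOU" }

$Findings = foreach ($u in $Users) {
    $last   = Get-LastActivity $u
    $reason = @()
    if ($last -lt $Now.AddDays(-$InactiveDays))          { $reason += "inactive since $($last.ToShortDateString())" }
    if ($u.PasswordExpired)                              { $reason += 'password expired' }
    if ($u.whenCreated -gt $Now.AddDays(-$NewAcctDays))  { $reason += 'created recently; confirm creator via Security event 4720' }
    if ($reason) { [pscustomobject]@{ Account = $u.SamAccountName; DN = $u.DistinguishedName; Reason = $reason -join '; ' } }
}

# Empty groups hold no members but still carry whatever permissions were delegated to them.
$EmptyGroups = Get-ADGroup -Filter * -SearchBase $GroupsOU -Properties Members |
    Where-Object { $_.Members.Count -eq 0 } |
    ForEach-Object { [pscustomobject]@{ Account = $_.SamAccountName; DN = $_.DistinguishedName; Reason = 'empty group' } }

$Report = @($Findings) + @($EmptyGroups)
$Report | Export-Csv -Path ".\ad-cleanup-$($Now.ToString('yyyyMMdd')).csv" -NoTypeInformation

# Stage rather than delete: disable, stamp the description, and move to a review OU so the
# account can be restored if the "inactive" finding was wrong (e.g. an employee on long leave).
foreach ($f in $Report | Where-Object { $_.Reason -like 'inactive*' }) {
    Disable-ADAccount -Identity $f.DN -WhatIf:$DryRun
    Set-ADUser -Identity $f.DN -Description "Disabled by cleanup $($Now.ToShortDateString()): $($f.Reason)" -WhatIf:$DryRun
    Move-ADObject -Identity $f.DN -TargetPath $StagingOU -WhatIf:$DryRun
}
```

Run it from a scheduled task with $DryRun left at $true first and review the CSV; the move happens last because the account's distinguished name changes once it leaves its original OU.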

Tools like ManageEngine ADManager Plus automate the AD cleanup process, including detecting and removing stale accounts and groups and revoking unnecessary access permissions. This AD management tool saves the help desk team time and effort by managing users in bulk, delegating AD administrative tasks, and handling other vital support tasks.