Handling inactives in AD with NetWrix Inactive Users Tracker

Derek Schauland shares a custom application that helps you keep your Active Directory cleaned up from inactive users.

Working in Active Directory and managing user accounts is an ongoing task. In the past year or so, my organization has seen people go on extended leave or leave the company, but their user accounts may not get cleaned up right away. Usually I try to get to accounts for departed employees within two months, but for some reason or another there are times when this doesn't get done. For those on extended leave, the idea is to deactivate them while they are away to prevent misuse of their account.

I have the best of intentions to keep up with it, but sometimes work gets in the way. Recently while researching NetWrix Active Directory Change Reporter, a misclick took me to the product page for another product, Inactive Users Tracker. At first I thought it was a way to find inactive accounts within AD, which a bit of querying in Directory Users and Computers will also get me, but upon more reading, I discovered that it will take care of the task of cleaning up user accounts for me.

Why use a custom application for maintenance?

The biggest reason I see for using an application like this is the size of the IT department versus the size of the organization. We aren't a big company, but being the only IT guy in a user environment of 50-60 people, there are always a ton of projects that just get in the way of general maintenance.

What features does Inactive Users Tracker bring?

The application offers more than simple reporting about inactivity in the environment. It has options to allow the software to take action on accounts based on settings specified by the administrator. See Figure A below.

Figure A: The management console for Inactive Users Tracker

Inactive Users Tracker will allow you to configure the following actions:

  • Notify Manager After: Sends an email to the manager of the account, if configured in Active Directory.
  • Set Random Password After: Change the account password to a random password.
  • Disable Account After: Turn the account off.
  • Move To Specific OU After: Move the account to a custom OU.
  • Delete Account After: Remove the account.

All action items occur after a set number of days as determined by the administrator. Each action also has its own days setting.

In addition to the actions you can configure Inactive Users Tracker to take, you can also set the scope in which the application will perform actions. The following scopes are available:

  • Filter By Account Name
  • Filter by Organizational Unit
  • Process Computer Accounts

The option to process computer accounts allows IT to clean up stale computer accounts within the directory. This feature seems particularly useful to me for the times when a machine goes down or gets replaced or repurposed and the original account is not cleaned up right away.
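As an added example that is not part of the article and is not NetWrix's code, here is how the same action ladder (notify manager, random password, disable, move to an OU) and the same scope filters (account name, organizational unit) can be expressed with Microsoft's ActiveDirectory PowerShell module. The OU paths, day thresholds, mail relay and sender address are placeholders for your own domain. Delete is deliberately left off the ladder, and the script only reports until $DryRun is set to $false. One caveat from my own experience rather than from the page: LastLogonDate is derived from lastLogonTimestamp, which is only refreshed when it is more than roughly 9 to 14 days stale, so thresholds shorter than that will flag accounts that are in fact in use.

```powershell
# Added example (not from the article or the NetWrix product): an
# ActiveDirectory-module approximation of an inactive-account action ladder.
# All paths, thresholds and mail settings below are placeholders.
Import-Module ActiveDirectory

$SearchBase   = 'OU=Staff,DC=example,DC=com'      # scope: filter by OU (placeholder)
$NamePattern  = '*'                                 # scope: filter by account name
$QuarantineOU = 'OU=Inactive,DC=example,DC=com'     # placeholder target OU for moves
$SmtpServer   = 'smtp.example.com'                  # placeholder mail relay
$Thresholds   = @{ Notify = 60; RandomPassword = 75; Disable = 90; Move = 120 }
$DryRun       = $true   # report only; set to $false to actually take the actions

# LastLogonDate comes from the replicated lastLogonTimestamp, which can lag the
# real last logon by about 9 to 14 days, so keep every threshold well above that.
$users = Get-ADUser -SearchBase $SearchBase `
            -Filter "Enabled -eq 'True' -and Name -like '$NamePattern'" `
            -Properties LastLogonDate, Manager, WhenCreated

foreach ($u in $users) {
    # An account that has never logged on falls back to its creation date, so a
    # freshly created account is not actioned before its owner first signs in.
    $lastSeen = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.WhenCreated }
    $idleDays = [int]((Get-Date) - $lastSeen).TotalDays

    if ($idleDays -lt $Thresholds.Notify) { continue }

    # Build the list of actions this account has aged into (each has its own day setting)
    $planned = @()
    if ($idleDays -ge $Thresholds.Notify -and $u.Manager) { $planned += 'NotifyManager' }
    if ($idleDays -ge $Thresholds.RandomPassword)         { $planned += 'RandomPassword' }
    if ($idleDays -ge $Thresholds.Disable)                { $planned += 'Disable' }
    if ($idleDays -ge $Thresholds.Move)                   { $planned += 'MoveToOU' }

    "{0,-24} idle {1,4} days -> {2}" -f $u.SamAccountName, $idleDays, ($planned -join ', ')
    if ($DryRun) { continue }

    foreach ($action in $planned) {
        switch ($action) {
            'NotifyManager' {
                # Manager is stored as a DN; resolve it to get the mailbox
                $mgr = Get-ADUser -Identity $u.Manager -Properties EmailAddress
                if ($mgr.EmailAddress) {
                    Send-MailMessage -SmtpServer $SmtpServer -From 'ad-hygiene@example.com' `
                        -To $mgr.EmailAddress -Subject "Inactive account: $($u.SamAccountName)" `
                        -Body "$($u.SamAccountName) has not logged on for $idleDays days."
                }
            }
            'RandomPassword' {
                # 24 bytes from a CSPRNG, base64-encoded, gives a 32-character unguessable password
                $bytes = New-Object byte[] 24
                [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
                $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
                Set-ADAccountPassword -Identity $u -Reset -NewPassword $pw
            }
            'Disable'  { Disable-ADAccount -Identity $u }
            'MoveToOU' { Move-ADObject -Identity $u.DistinguishedName -TargetPath $QuarantineOU }
        }
    }
}
```

Run it first with $DryRun left at $true and keep the report; the same loop with -SearchBase pointed at a computers OU and Get-ADComputer in place of Get-ADUser covers the stale computer accounts the article mentions, since computer objects carry the same lastLogonTimestamp.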

So what does it cost?

The feature set provided by Inactive Users Tracker is very impressive and seems like it might be extremely useful in a good number of Active Directory environments. However, it has been my experience that tools that work very well, especially to automate things in a corporate environment, often cost a great deal of money.

With Inactive Users Tracker, that simply isn't the case. The application has two versions, freeware and commercial. If you want to use just the reporting features of the program to find the inactive accounts, the freeware version will work perfectly. However, to perform actions on user accounts you will need to use the commercial version, which starts at $0.80 per user account for the first 150 users. So you would spend about $120 to automate user account cleanup for the first 150 user accounts. Above 150 accounts the price per user gets even cheaper.

Bottom Line

Give Inactive Users Tracker a try: the commercial version comes with a 20-day trial and is a great deal for the money. Even if you only use it to get a feel for the number of inactive user accounts in your environment, it may be worth taking a look at NetWrix Inactive Users Tracker.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

9 comments
travis.duffy

That you do not need. If you are an Active Directory administrator you should know how to get the same information using LDAP queries or PowerShell. There are many ways to get this information for free without spending a dime. If you don't know how to do this, you are not qualified to administer Active Directory.

JustinF

Using built-in command line tools is fine in smaller environments or those that are not very dynamic. In larger enterprise environments, the more automated tools you can use to your advantage the better. It's also very arrogant to assume that it's worth your employer's time to pay you to work on a script for a week to do something that a commercial application you can purchase for half your week's salary can do ;)

dcolbert

This kind of BOFH "Do it the hard way" attitude is something out of the stone-age Unix big-iron days, and I'm surprised to see it among anyone who runs an Active Directory domain. The thing that generally separates the *nix guys from the Win guys is that Win guys generally don't insist on bashing their head on the brick wall if there is an easier way to do something. There are lots of things that can be achieved, free, and often inefficiently, with the built-in tools that Microsoft provides with their OS platforms, and it has been that way since NT 3.1. But a smart admin understands that there is nothing gained by being so egotistical that he or she insists on using arcane, complex, time-consuming and unreliable bundled methods when there are superior, more efficient, more reliable commercial alternatives that exist. Sometimes the built-in tools are fine, and a lot will depend on your specific environment in a situation like this. I think it is foolhardy to rule this tool out because it is commercial. It exists because the built-in tools for achieving these goals are not as robust or intuitive as they could be.

travis.duffy

Using built-in tools is fine in ALL environments. In my large enterprise environment, it is what we use. If one were to request this software in my company, you would get laughed at, as it is something you are expected to know how to do as an AD administrator. If you have to work on a script for a week to accomplish this task, I suggest you find a new career. Your competitors do it in minutes.

travis.duffy

It's foolish to spend money on a third-party product to accomplish a task that can be done for free very easily by scripting. Even if you know nothing about scripting, a Google search brings up MANY!

dcolbert

Our initial testing with this product shows that it returns false positives on user inactivity. We have maintenance accounts that have been used within the last month that showed as inactive for longer than that when running a report with this particular tool. Based on that, I'd recommend approaching this product with caution and testing it fully before relying on it. We're still testing.
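One way to check a suspected false positive like the one dcolbert reports is to compare the replicated lastLogonTimestamp against the non-replicated lastLogon attribute on every domain controller, because lastLogonTimestamp is only refreshed when it is more than about 9 to 14 days stale while lastLogon is written on each DC at every logon. The following is an added example, not the commenter's, the article's or NetWrix's code; the account name at the bottom is a placeholder.

```powershell
# Added example (not from the article or the comment thread): recover the true
# last logon of an account by reading lastLogon from each domain controller.
# lastLogon is never replicated, so every DC must be asked and the newest value kept.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $latest     = $null
    $replicated = $null

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties lastLogon, lastLogonTimestamp
        } catch {
            # A DC that is down or unreachable just means one fewer data point
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }

        # lastLogonTimestamp is the same (replicated) value everywhere; capture it once
        if (-not $replicated -and $u.lastLogonTimestamp) {
            $replicated = [DateTime]::FromFileTime($u.lastLogonTimestamp)
        }

        # lastLogon is a FILETIME per DC; 0 or missing means this DC never
        # authenticated the account, which is normal for most DCs.
        if ($u.lastLogon -and $u.lastLogon -gt 0) {
            $t = [DateTime]::FromFileTime($u.lastLogon)
            if (-not $latest -or $t -gt $latest) { $latest = $t }
        }
    }

    [PSCustomObject]@{
        SamAccountName       = $SamAccountName
        TrueLastLogon        = $latest        # newest lastLogon seen on any DC
        ReplicatedLastLogon  = $replicated    # what inactivity reports usually rely on
        LagDays              = if ($latest -and $replicated) { [int]($latest - $replicated).TotalDays } else { $null }
    }
}

# Placeholder account name; compare both columns before trusting an "inactive" report
Get-TrueLastLogon -SamAccountName 'svc-maintenance'
```

A large LagDays value is exactly the situation the comment describes: the account is in use, but any tool that keys off lastLogonTimestamp alone will report it as idle until the next refresh. Running this check on accounts at the threshold before disabling them is cheap insurance regardless of which product generates the report.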

ITSuper

Coming from a long stint in retail before thankfully switching to IT, I learned over the years that new tools as well as new input from my staff can save a lot of time if it gives me what I need in a usable form quickly. At the same time, it never hurts to know the process so that if there is an issue you have the knowledge to be able to troubleshoot. Jumping from A to Z is great as long as somebody knows the rest of the alphabet in case the black board breaks.

travis.duffy

AD administrators that use 3rd party tools to accomplish these tasks that are easily done with LDAP queries does not make them lazy. It makes/keeps them incompetent. What is a person doing in the role of an AD administrator if they do not know how to query Active Directory using LDAP commands and rely on 3rd party apps to do it for them? Obviously they failed the Microsoft exams related to Active Directory. As an AD administrator myself who has never relied on 3rd party tools to achieve these normal tasks for an AD admin, it frustrates me to see those in the field using these tools to make up for their incompetence and lack of abilities. So when these AD administrators who rely on all these 3rd party tools to perform their AD tasks run into a real problem with AD and have to actually do some troubleshooting, what do they do? They have no clue what is happening "behind the scenes" and how AD works, since they've never been exposed to queries and actually working with the back end of AD. Or is there a 3rd party tool you sell for that too???

ITsteve13

The sign of a good leader is the ability to delegate responsibilities without negatively impacting productivity, efficiency and overall quality of output. I think similarly, the sign of a good IT administrator is the ability to delegate responsibilities using the best tools available in order to maximize quality and proficiency. Of course, there are several ways that IT administrators can go about detecting inactive users, a few of which are free, but I think it's important for IT departments to understand that using commercial products instead of LDAP queries does not make them lazy; in many cases, it makes them smart. Writing and supporting scripts and LDAP queries takes time and resources, but with NetWrix Inactive Users Tracker, administrators can spend their time on other important tasks. Products like NetWrix Inactive Users Tracker allow administrators to manage their IT infrastructures in an automated and stress-free fashion, something that LDAP queries can't offer. Additionally, for those of you who don't see the need to buy commercial software in this instance, it's worth noting that NetWrix does offer a free version of Inactive Users Tracker.

Stephen Schimmel
Product Manager, NetWrix Corporation
www.netwrix.com