Derek Schauland shares a custom application that helps you keep Active Directory clear of inactive user accounts.
Working in Active Directory and managing user accounts is an ongoing task. In the past year or so, my organization has seen people go on extended leave or leave the company, but their user accounts may not get cleaned up right away. Usually I try to get to accounts for departed employees within two months, but for some reason or another there are times when this doesn't get done. For those on extended leave, the idea is to deactivate them while they are away to prevent misuse of their account.
I have the best of intentions to keep up with it, but sometimes work gets in the way. Recently while researching NetWrix Active Directory Change Reporter, a misclick took me to the product page for another product, Inactive Users Tracker. At first I thought it was a way to find inactive accounts within AD, which a bit of querying in Directory Users and Computers will also get me, but upon more reading, I discovered that it will take care of the task of cleaning up user accounts for me.
Why use a custom application for maintenance?
The biggest reason I see for using an application like this is the size of the IT department versus the size of the organization. We aren't a big company, but being the only IT guy in a user environment of 50-60 people, there are always a ton of projects that just get in the way of general maintenance.
What features does Inactive Users Tracker bring?
The application offers more than simple reporting about inactivity in the environment. It has options to allow the software to take action on accounts based on settings specified by the administrator. See Figure A below.
Figure A: The management console for Inactive Users Tracker
Inactive Users Tracker will allow you to configure the following actions:
- Notify Manager After: Sends an email to the manager of the account, if configured in Active Directory.
- Set Random Password After: Changes the account password to a random password.
- Disable Account After: Turns the account off.
- Move To Specific OU After: Moves the account to a custom OU.
- Delete Account After: Removes the account.
All action items occur after a set number of days as determined by the administrator. Each action also has its own days setting.
In addition to the actions you can configure Inactive Users Tracker to take, you can also set the scope in which the application will perform actions. The following scopes are available:
- Filter By Account Name
- Filter by Organizational Unit
- Process Computer Accounts
The option to process computer accounts allows IT to clean up stale computer accounts within the directory. This feature seems particularly useful to me for the times when a machine goes down or gets replaced or repurposed and the original account is not cleaned up right away.
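The staged actions and the OU scope described above can be previewed without changing anything in the directory. The following report-only PowerShell is an added example, not NetWrix's code or the author's; the day thresholds and the `OU=Staff,DC=example,DC=com` search base are placeholder assumptions, and it needs the ActiveDirectory module from RSAT.

```powershell
# Added example (report-only): makes no changes to the directory.
Import-Module ActiveDirectory

# Assumed policy: days of inactivity after which each listed action would apply.
$Stages = [ordered]@{
    'Notify Manager'      = 30
    'Set Random Password' = 45
    'Disable Account'     = 60
    'Move To Specific OU' = 90
    'Delete Account'      = 180
}
$SearchBase = 'OU=Staff,DC=example,DC=com'   # placeholder OU scope

function Get-InactivityStage {
    param([int]$DaysInactive)
    # Stages are ordered by threshold; keep the last one that has been reached.
    $reached = $null
    foreach ($name in $Stages.Keys) {
        if ($DaysInactive -ge $Stages[$name]) { $reached = $name }
    }
    $reached
}

$now = Get-Date
Get-ADUser -Filter * -SearchBase $SearchBase -Properties LastLogonDate, whenCreated, Manager |
    ForEach-Object {
        # LastLogonDate is derived from lastLogonTimestamp, which by default is only
        # refreshed when it is 9 to 14 days old, so treat it as approximate.
        # Accounts that never logged on have no value; fall back to creation date.
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $days = [int][math]::Floor(($now - $last).TotalDays)
        $stage = Get-InactivityStage -DaysInactive $days
        if ($stage) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled
                LastLogon      = $last
                DaysInactive   = $days
                StageReached   = $stage
                Manager        = $_.Manager
            }
        }
    } |
    Sort-Object DaysInactive -Descending |
    Format-Table -AutoSize
```

Keep every threshold above 14 days so the update lag on lastLogonTimestamp cannot flag an account that is still in use.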
So what does it cost?
The feature set provided by Inactive Users Tracker is very impressive and seems like it might be extremely useful in a good number of Active Directory environments. However, it has been my experience that tools that work very well, especially to automate things in a corporate environment, often cost a great deal of money.
With Inactive Users Tracker, that simply isn't the case. The application has two versions, freeware and commercial. If you want to use just the reporting features of the program to find the inactive accounts, the freeware version will work perfectly. However, to perform actions on user accounts you will need to use the commercial version, which starts at $0.80/user account for the first 150 users. So you would spend about $120 to automate user account cleanup for the first 150 user accounts. Above 150 accounts the price per user gets even cheaper.
Bottom Line
Give Inactive Users Tracker a try; the application comes with a 20-day trial of the commercial version and is a great deal for the money. Even if you only use it to get a feel for the number of inactive user accounts in your environment, it may be worth taking a look at NetWrix Inactive Users Tracker.