Stale user accounts report in Active Directory

Stale (inactive) user accounts in Active Directory can provide attackers (and former employees) with an easy path into a corporate network. Even if the stale user account is not a privileged account, it can be used for privilege escalation attacks, such as Kerberoasting. Organizations must introduce the proper technical processes and department communication to remediate the risk of stale accounts in Active Directory. What Active Directory housekeeping procedures help to eliminate the risk of stale accounts?

  • Disable user accounts that have either never been logged into, or not been logged into after a specific time
  • Remove group membership from disabled accounts and move these to special containers in Active Directory, such as a “disabled” OU for better visibility, and for blocking permissions to resources
  • Delete stale accounts

PowerShell queries to find stale user accounts in Active Directory

Using PowerShell, administrators can find stale user accounts in Active Directory by querying the directory service against chosen thresholds. Microsoft documents using PowerShell to find accounts that have not been logged into for a specific period of time.

The script below looks for user accounts where the password has not changed, or no logon has been recorded, in the last six months (180 days):

# Cutoff date: 180 days before today
$d = [DateTime]::Today.AddDays(-180)

# Users whose password was last set, or whose last logon timestamp is, before the cutoff
Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimestamp -lt $d)' -Properties PasswordLastSet,LastLogonTimestamp | ft Name,PasswordLastSet,@{N="LastLogonTimestamp";E={[datetime]::FromFileTime($_.LastLogonTimestamp)}}
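The housekeeping steps listed earlier (disable, remove group membership, move to a "disabled" OU) can be chained onto the same kind of query. The following is an added example, not code from the original article or from Microsoft; it also covers accounts that have never logged on, and leaves deletion as a separate, later step. The OU path, the CSV path and the variable names are assumptions.

```powershell
Import-Module ActiveDirectory

$cutoff     = [DateTime]::Today.AddDays(-180)          # same threshold as the query above
$disabledOU = 'OU=Disabled Users,DC=example,DC=com'    # hypothetical OU, adjust to your domain
$auditFile  = '.\stale-users-before-cleanup.csv'       # hypothetical output path

# Enabled users only. LastLogonTimestamp is a FILETIME integer and is empty
# for accounts that have never logged on, so those are handled separately below.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonTimestamp, whenCreated, MemberOf

$stale = @($users | Where-Object {
    if ($_.LastLogonTimestamp) {
        [DateTime]::FromFileTime($_.LastLogonTimestamp) -lt $cutoff
    } else {
        # Never logged on: count as stale only if the account itself is older
        # than the cutoff, so newly provisioned accounts are left alone.
        $_.whenCreated -lt $cutoff
    }
})

# Record group memberships first so a wrongly disabled account can be restored.
$stale | Select-Object SamAccountName, DistinguishedName, whenCreated,
    @{N = 'LastLogon'; E = { if ($_.LastLogonTimestamp) { [DateTime]::FromFileTime($_.LastLogonTimestamp) } }},
    @{N = 'Groups';    E = { $_.MemberOf -join ';' }} |
    Export-Csv -Path $auditFile -NoTypeInformation

foreach ($u in $stale) {
    # -WhatIf only reports what would change; remove it to apply the change.
    Disable-ADAccount -Identity $u -WhatIf

    # MemberOf does not list the primary group (usually Domain Users),
    # which cannot be removed this way.
    if ($u.MemberOf.Count -gt 0) {
        Remove-ADPrincipalGroupMembership -Identity $u -MemberOf @($u.MemberOf) -Confirm:$false -WhatIf
    }

    Move-ADObject -Identity $u.DistinguishedName -TargetPath $disabledOU -WhatIf
}
```

LastLogonTimestamp is replicated between domain controllers only periodically, so it can trail the real last logon by up to about two weeks; a threshold well above that, such as the 180 days used here, keeps recently active accounts out of the result.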

While PowerShell is a robust tool for working with accounts and performing Active Directory automation, relying on scripts to consistently monitor Active Directory account dangers, such as stale user accounts, can be cumbersome.

Specops Password Auditor Stale User Accounts Report

The free Specops Password Auditor provides excellent options for admins to have visibility into stale user accounts, in addition to other account and password related vulnerabilities. Below, we have run Specops Password Auditor against a test domain using the anonymized data option. As you can see, SPA provides quick and easy visibility to security concerns with Active Directory accounts, including blank passwords, breached passwords, identical passwords, stale admin accounts, and stale user accounts.

The Stale User Accounts tile displays the user accounts that have not been logged into recently. In addition, you can click each of the tiles to view more information about the specific category.

Specops Password Auditor provides visibility to Stale User Accounts

When we click the Stale User Accounts tile, we will be taken to the more detailed Stale User Accounts view, showing the complete list of users and an easy slider to define the days since the last logon threshold. It provides a much easier way to view and configure your query when compared to using low-level PowerShell scripts. You can also easily export the results to a CSV file for use with other tools.

Viewing the detailed Stale User Accounts report

Specops Password Auditor also provides excellent executive reports, capturing stale user accounts and other information to provide to compliance officers, C-level executives, etc.

Specops Password Auditor Executive Report

Wrapping Up

Having visibility to stale user accounts is extremely important, as these can weaken an organization’s cybersecurity posture. In addition, it helps to bolster proper processes and procedures for onboarding and offboarding employees and ensures that good Active Directory housekeeping is performed. While you can use PowerShell and other scripts to find stale user accounts in Active Directory, Specops Password Auditor provides a much easier and more robust way to find and easily create reports on stale user accounts. Learn more about Specops Password Auditor here: Free Active Directory Password Audit Tool – Specops Password Auditor (specopssoft.com)

(Last updated on April 3, 2023)
