Many corporate security policies require that Active Directory user accounts must be disabled after 31 days of inactivity. This is a good practice; doing so keeps Active Directory secure and clean. For example, someone can create a user account, leave it untouched for many days, and then use it to perform malicious activity against an organization. Another example is employee retirement: User accounts are usually disabled when an employee quits an organization. Most HR databases only keep information about "primary" user account, but what if a user had additional user accounts?
Inactive Users Tracker automates the management of inactive user accounts. The program periodically checks all user accounts in specified domains, reports to you, and automatically disables all accounts inactive for more than a specified number of days.
This product has two important features:
- Checks all users in your domains and reports those accounts that have been inactive for a specified number of days.
- Automatically disables user accounts based on inactivity.
To detect inactivity, the tool checks the "lastLogon" attribute of every account, which represents the last time a user was authenticated by a specific DC. AD doesn't replicate this attribute; as a result, the lastLogon value will be different on each DC. Inactive Users Tracker handles this correctly: It queries all DCs in the domain and uses the most recent logon time, also called the "true last logon".
Inactive Users Tracker is provided free of charge for unlimited use by organizations and individuals.