If Active Directory user accounts are important for security—why are they so hard to maintain?

User accounts are important to security because they are the basis for authentication and initial access to the network, systems, and applications. They are difficult to maintain because they need to mirror the status and role of the human member of the organization that they represent during the lifecycle of the member and her user account.


Randy Franklin Smith provides 10 steps that you can take to remediate user account problems in AD and to prevent them from occurring in the future. These steps use native AD features and common workflow technology such as Microsoft SharePoint, so no significant prerequisites will hinder your ability to implement these recommendations.


Let’s take a look at just the first step.


Step 1. Perform regular account analysis


The single easiest step to maintaining a clean and secure AD is to regularly review user accounts. If you take the time to extract and review a list of your user accounts and their main properties before an audit, you can quickly find and remediate many points with which auditors take issue. Filter the spreadsheet you just extracted on various user properties to find non-compliant accounts quickly. Begin by identifying accounts with easy-to-find problems, such as a password that never expires. Then include filtering criteria on other columns, such as SAM ID or description, to eliminate service, application, and other accounts that you know to be exceptions.


These are easy problems to fix before the auditor comes, and fixing them will reduce the number of risk findings on your audit. Another obvious problem to look for is dormant accounts.
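The review described in Step 1, as an added Python example (not from the article or from Randy Franklin Smith's material). It assumes the extract is a CSV whose columns carry the raw LDAP attributes named in the header row; the `svc_` prefix, the description keywords, the 90-day dormancy threshold and all sample rows are constructed for illustration.

```python
import csv
import re
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002       # userAccountControl bit: account is disabled
UAC_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed exception rules; replace with your own naming conventions.
EXCEPTION_SAM = re.compile(r"^svc_", re.IGNORECASE)
EXCEPTION_DESC = re.compile(r"\b(service|application)\b", re.IGNORECASE)
DORMANT_AFTER = timedelta(days=90)  # assumed threshold, not from the article

def from_filetime(value):
    """Decode lastLogonTimestamp (100 ns ticks since 1601); empty or 0 means no logon."""
    ticks = int(value or 0)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def review_accounts(csv_text, now):
    """Return {sAMAccountName: [findings]} for enabled accounts."""
    findings = {}
    for row in csv.DictReader(csv_text.splitlines()):
        uac = int(row["userAccountControl"])
        if uac & UAC_ACCOUNTDISABLE:
            continue
        sam, issues = row["sAMAccountName"], []
        excepted = EXCEPTION_SAM.search(sam) or EXCEPTION_DESC.search(row["description"])
        # Known exceptions are excused from the password check only, not from dormancy.
        if uac & UAC_DONT_EXPIRE_PASSWD and not excepted:
            issues.append("password never expires")
        last = from_filetime(row["lastLogonTimestamp"])
        if last is None:
            issues.append("never logged on")
        elif now - last > DORMANT_AFTER:
            issues.append(f"dormant {(now - last).days} days")
        if issues:
            findings[sam] = issues
    return findings

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is repeatable
SAMPLE_CSV = """\
sAMAccountName,description,userAccountControl,lastLogonTimestamp
jdoe,Finance analyst,512,133614144000000000
asmith,Sales,66048,133608096000000000
svc_backup,Backup service,66048,133615872000000000
bjones,Contractor,512,133443936000000000
newhire,Start date pending,512,0
olduser,Left the company,514,133271136000000000
"""
```

`review_accounts(SAMPLE_CSV, NOW)` reports `asmith`, `bjones` and `newhire`. Because `lastLogonTimestamp` is replicated between domain controllers only periodically (about two weeks by default), keep the dormancy threshold comfortably above that.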


Read more about Randy’s recommended 1st step to Cleaning up Active Directory User Accounts or listen to our recorded webcast