Recently, while discussing what makes a healthy Active Directory, the idea of users who have never logged on came up. They have an Active Directory user account but for some reason have never logged on to the network.
None of us in the discussion could come up with a single valid reason to keep such an account. We came up with plenty of scenarios for user accounts that don’t log in very often, but never?
What if it’s a service account? If it isn’t logging in, it isn’t doing much for the application that needs it. The one exception worth checking for is an account that exists only as the target of a Kerberos service principal name (a keytab on a Linux host, say): the KDC issues tickets to that service without the account ever logging on itself, so look at servicePrincipalName before you delete. What about a test account? Not much testing has ever been done with it. A user who forgot the password before ever logging on and simply had another account created? No need to keep the first one then.
There are security implications to keeping them, too. An account nobody uses is an account nobody will miss, so if it is ever compromised the activity on it is unlikely to be noticed. And what if some devious admin created it and is keeping it around “just in case”? That happens: the recent Harris survey found that “One in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they’ve left the organization”.
We know it’s a problem, but what can you do about it? Delete them, no questions asked. How do you know which accounts have never logged in, then? In directory terms, an account that has never authenticated has no lastLogonTimestamp at all; that is the replicated attribute, so it is the one to check (lastLogon is kept separately on each domain controller and never replicates, so it only tells you about the DC you happened to query). GroupID Reports, a free tool from Imanami, runs that report for you.
Just run the report on users who have never logged in, skip anything created in the last few weeks that may simply not have been handed to its owner yet, then go into ADUC and get rid of the rest. It’s that simple, and it’s free.
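The same query, as an added PowerShell example that is not code from the original post or from GroupID Reports. It uses the RSAT ActiveDirectory module; the 30-day grace period for newly created accounts and the exclusion of SPN-bearing accounts are this example’s own choices, and the script only reports unless you pass -Remove.

```powershell
# Added example, not Imanami's code: list (and optionally delete) enabled user accounts
# that have never logged on to the domain. Requires the RSAT ActiveDirectory module and an
# account that can read the domain (and delete users, if -Remove is used).
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$GraceDays = 30,   # assumption: accounts younger than this may just not be provisioned yet
    [switch]$Remove         # without this switch the script is report-only
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$GraceDays)

# lastLogonTimestamp is replicated to every DC and is simply absent on an account that has
# never authenticated anywhere in the domain, so "-notlike '*'" is the "never logged on" test.
# lastLogon is per-DC and not replicated; filtering on it would only describe one DC.
$neverLoggedOn = Get-ADUser `
    -Filter { (lastLogonTimestamp -notlike "*") -and (Enabled -eq $true) } `
    -Properties whenCreated, lastLogonTimestamp, servicePrincipalName, description |
    Where-Object {
        # old enough that "not handed out yet" is no longer an excuse
        $_.whenCreated -lt $cutoff -and
        # an account that only carries a Kerberos SPN (e.g. a keytab on a Linux host) is used by
        # the KDC without ever logging on itself, so it must not be treated as dead
        -not $_.servicePrincipalName
    }

# Report first; review this list before running again with -Remove.
$neverLoggedOn |
    Select-Object SamAccountName, DistinguishedName, whenCreated, Description |
    Sort-Object whenCreated |
    Format-Table -AutoSize

if ($Remove) {
    foreach ($u in $neverLoggedOn) {
        # ShouldProcess makes -WhatIf and -Confirm work: .\Remove-NeverLoggedOn.ps1 -Remove -WhatIf
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Remove-ADUser')) {
            Remove-ADUser -Identity $u.DistinguishedName -Confirm:$false
        }
    }
}
```

Run it once with no switches to get the list, then with `-Remove -WhatIf` to see exactly what would be deleted, and only then with `-Remove`. If your change process prefers a holding period, swapping `Remove-ADUser` for `Disable-ADAccount` plus a note in the description attribute gives you the same cleanup with a way back.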
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.