A common attack vector is to look for aged accounts that are still enabled, ideally ones that hold some administrative access, and use them as a foothold for lateral movement and/or privilege escalation.
Using some PowerShell, you can quickly find users who have not logged on to Active Directory for a given number of days.
This should be run either on a Domain Controller or on your own workstation with RSAT installed, since RSAT is what provides the ActiveDirectory module.
# The ActiveDirectory module ships with RSAT, not the PowerShell Gallery, so Install-Module will not find it.
# Windows 10/11 client (elevated prompt):
Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
# Windows Server (already present on a Domain Controller):
# Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
$SaveLocation = "<Enter Location to save the CSV File>"
# LastLogonDate is built from lastLogonTimestamp, which can lag the real last logon by up to 14 days
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90.00:00:00 |
Where-Object { $_.Enabled -eq $true } |                      # still enabled: the risk described above
Get-ADUser -Properties DisplayName, LastLogonDate |           # fetch attributes Search-ADAccount does not return
Select-Object DisplayName, SamAccountName, LastLogonDate |   # an empty LastLogonDate means the account never logged on
Export-Csv -Path $SaveLocation -NoTypeInformation
Creating a scheduled task to run this at a set interval will help you keep on top of inactive accounts.
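One way to register that report as a daily task, as an added example that is not part of the original post. The script path, task name and the gMSA account name are assumptions; running it as a group managed service account means there is no password to store in the task and the job keeps working after the admin who created it leaves.

```powershell
# Added example, not from the original post. Registers the inactive-account report as a
# daily scheduled task. Assumed names: the script path, task name and the gMSA account.
Import-Module ScheduledTasks

$scriptPath = 'C:\Scripts\Get-InactiveAdUsers.ps1'   # assumed: the report script saved to disk

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# 06:00 every day. lastLogonTimestamp only replicates every 9 to 14 days, so daily is plenty.
$trigger = New-ScheduledTaskTrigger -Daily -At 06:00

# Run as a gMSA (assumed name) rather than an admin's own credentials. The host must have
# been granted the right to retrieve its password (Install-ADServiceAccount) beforehand.
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\gmsa-adreport$' -LogonType Password -RunLevel Limited

# Cap the run time so a hung LDAP query cannot sit there forever.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

Register-ScheduledTask -TaskName 'AD Inactive Account Report' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Exports enabled users with no logon in 90 days'
```

The gMSA only needs ordinary read access to the directory for the report, so it should not be made a member of any admin group; if you later extend the script to disable accounts, delegate that right on the specific OUs rather than widening the account's membership.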
While most companies will have an offboarding procedure, it is not unheard of for an account to be disabled and left in its original OU rather than moved to a dedicated OU. Moving it keeps things clear and, if that OU is excluded in Azure AD Connect's OU filtering, also stops the account syncing to Azure AD.
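The following script, added here as an example and not taken from the original post, ties the report and the offboarding point together: it finds enabled users with no logon in the window, flags any that sit in privileged groups, writes the CSV, and with -Remediate disables the non-privileged ones and moves them into a quarantine OU that Azure AD Connect is assumed not to sync. The report path, quarantine OU and privileged group list are assumptions for your domain; -WhatIf gives a dry run.

```powershell
<#
  Added example, not from the original post. Report on, and optionally disable and
  quarantine, enabled users that have not logged on within $InactiveDays days.
  Assumed names: $ReportPath, $QuarantineOU and $PrivilegedGroups. Supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]    $InactiveDays = 90,
    [string] $ReportPath   = 'C:\Reports\InactiveUsers.csv',           # assumed
    [string] $QuarantineOU = 'OU=Disabled Users,DC=corp,DC=example',  # assumed, excluded from AAD Connect sync
    [switch] $Remediate
)

Import-Module ActiveDirectory

# Groups whose stale members deserve a person's decision, not an automated move (assumed list).
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

# Resolve nested membership once so a user inherited through a sub-group is still caught.
$privileged = @{}
foreach ($group in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { $privileged[$_.SamAccountName] += @($group) }
    } catch {
        Write-Warning "Could not enumerate ${group}: $_"
    }
}

# lastLogonTimestamp can lag the real last logon by up to 14 days, so widen the window
# by that much: anything returned then really has had no logon for $InactiveDays days.
$window = [TimeSpan]::FromDays($InactiveDays + 14)
$cutoff = (Get-Date) - $window

# An empty LastLogonDate means "never logged on"; keep those only if the account is older
# than the window, so freshly provisioned users are not disabled before their first day.
$report = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $window |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties DisplayName, LastLogonDate, whenCreated |
    Where-Object { $_.LastLogonDate -or $_.whenCreated -lt $cutoff } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DisplayName       = $_.DisplayName
            LastLogonDate     = $_.LastLogonDate
            Created           = $_.whenCreated
            PrivilegedGroups  = ($privileged[$_.SamAccountName] -join ';')
            DistinguishedName = $_.DistinguishedName
        }
    }

# Privileged hits first, then oldest logon first, so the top of the CSV is the urgent part.
$report | Sort-Object { -not $_.PrivilegedGroups }, LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

if ($Remediate) {
    foreach ($user in $report) {
        if ($user.PrivilegedGroups) {
            # Break-glass and service admin accounts often look "inactive"; warn, do not touch.
            Write-Warning "$($user.SamAccountName) is inactive but holds: $($user.PrivilegedGroups)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable and move to $QuarantineOU")) {
            Disable-ADAccount -Identity $user.SamAccountName
            Set-ADUser -Identity $user.SamAccountName `
                -Description "Disabled for inactivity on $(Get-Date -Format yyyy-MM-dd)"
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
        }
    }
}
```

Run it without -Remediate first and read the CSV; then `.\script.ps1 -Remediate -WhatIf` prints exactly which accounts would be disabled and moved without changing anything. The privileged accounts are deliberately left for a human because the same "no logon for months" signal that marks an orphaned admin account also describes a working break-glass account, and disabling the latter during an incident is worse than the exposure you are trying to close.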