Are you checking stale user accounts in Active Directory?

Active Directory is still the core infrastructure element of most organizations' IT systems. It is the directory service providing authentication and authorization mechanisms for all employees.

However, an often overlooked aspect of Active Directory administration is a regular entitlement review of user accounts to discover inactive ones. It is precisely those accounts that enlarge the attack surface and can be used by threat actors to gain a foothold in the network.


Over time, the number of inactive or stale accounts tends to grow. So it's no wonder that Microsoft states that more than 10% of user accounts in Active Directory are detected as inactive, based on the user's last password change or last logon. Outdated user accounts in Active Directory pose a significant security risk, not only from external threats but also from former employees misusing access that was never revoked.


Each user account carries the Active Directory attribute PasswordLastSet, which records the last time the user changed their password. This attribute alone is not sufficient to determine whether a user account is truly inactive, especially since periodic password resets are now considered an obsolete practice of very low value. Therefore, back in 2003, a new LastLogonTimestamp attribute was introduced, which is replicated to every domain controller whenever it is updated (although it is not updated immediately on every logon).


LastLogonTimestamp is the standard attribute for finding stale accounts. One approach is to run a PowerShell script as a scheduled task that periodically lists inactive accounts:


# Cut-off date: 180 days before today
$d = [DateTime]::Today.AddDays(-180)

# The AD filter parser resolves $d itself, so the single-quoted filter works.
# Note: accounts that have never logged on have no LastLogonTimestamp at all
# and are therefore not matched by "-lt".
Get-ADUser -Filter '(LastLogonTimestamp -lt $d)' -Properties PasswordLastSet,LastLogonTimestamp |
    Format-Table Name, PasswordLastSet,
        @{N="LastLogonTimestamp"; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}

In the example above, the script lists accounts whose recorded last logon is more than 180 days old, converting the raw FILETIME value of LastLogonTimestamp into a readable date.


Unfortunately, Microsoft Active Directory does not provide or expose functionality to perform such critical checks automatically, so it is up to every organization to have a sound offboarding process and, in addition, to confirm via scripting that all remaining accounts are indeed still in use.
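The following script is an added example, not code from the original post and not a Microsoft-provided tool. It turns the one-liner above and the "confirm via scripting" advice into a scheduled-task-friendly report that also handles the cases the one-liner misses: enabled accounts that have never logged on (no LastLogonTimestamp at all), accounts created so recently that they could not have logged on yet, and the replication lag of LastLogonTimestamp, which is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so the cut-off is pushed back by that margin. It assumes the ActiveDirectory module from RSAT and read access to the domain; the script name Find-StaleUsers.ps1, the search base OU and the CSV path are placeholders to adjust.

```powershell
<#
  Find-StaleUsers.ps1 (hypothetical name): report stale, enabled user accounts.
  Added example, not part of the original post. Assumes the RSAT
  ActiveDirectory module; SearchBase and ReportPath are placeholders.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 180,
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',     # placeholder
    [string]$ReportPath = 'C:\Reports\stale-accounts.csv',  # placeholder
    [switch]$Disable                                         # opt-in remediation
)

Import-Module ActiveDirectory

# LastLogonTimestamp may lag real activity by up to 14 days (default
# msDS-LogonTimeSyncInterval), so move the cut-off back by that much to avoid
# flagging accounts that are actually in use.
$lagDays  = 14
$cutoff   = (Get-Date).AddDays(-($InactiveDays + $lagDays))
$cutoffFt = $cutoff.ToFileTimeUtc()   # LastLogonTimestamp is stored as FILETIME

# Only enabled accounts are of interest; disabled ones are already handled.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties LastLogonTimestamp, PasswordLastSet, whenCreated

$stale = foreach ($u in $users) {
    # Accounts created after the cut-off have not had time to log on yet.
    if ($u.whenCreated -gt $cutoff) { continue }

    if (-not $u.LastLogonTimestamp) {
        # Attribute never written: the account has never logged on.
        $lastLogon = $null
        $reason    = 'never logged on'
    }
    elseif ($u.LastLogonTimestamp -lt $cutoffFt) {
        $lastLogon = [DateTime]::FromFileTimeUtc($u.LastLogonTimestamp)
        $reason    = "no logon for more than $InactiveDays days"
    }
    else { continue }   # recent logon recorded, account is active

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Name            = $u.Name
        Created         = $u.whenCreated
        LastLogon       = $lastLogon
        PasswordLastSet = $u.PasswordLastSet
        Reason          = $reason
    }
}

$stale | Sort-Object LastLogon | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} stale account(s) written to {1}" -f @($stale).Count, $ReportPath)

if ($Disable) {
    foreach ($s in $stale) {
        # ShouldProcess honours -WhatIf / -Confirm, so the change can be previewed.
        if ($PSCmdlet.ShouldProcess($s.SamAccountName, 'Disable stale account')) {
            # Stamp the description so the reason and date are traceable later.
            $stamp = 'Disabled as stale on {0:yyyy-MM-dd} ({1})' -f (Get-Date), $s.Reason
            Set-ADUser -Identity $s.SamAccountName -Description $stamp
            Disable-ADAccount -Identity $s.SamAccountName
        }
    }
}
```

Run it without -Disable to produce the CSV report only; run it with -Disable -WhatIf to see which accounts would be disabled before committing to the change. Disabling rather than deleting keeps the SID and group memberships intact while the report is reviewed, and the stamped description records why the account was touched.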
