Proactive Inactive Account Cleanup with Cayosoft Administrator
Inactive Account Cleanup – Critical for Security & Compliance
Improve Security & Sustain Compliance Goals
In today’s networked environments, Inactive User Accounts are a favorite target of compliance and security Auditors. Inactive AD accounts pose a security threat since they could be used to compromise business systems, data or falsify attestation. Compliance requirements like SOX 404, PCI, SSAE 16 and HIPAA require software controls be in place to identify and securely deactivate inactive accounts so they are not misused.
Disabling Inactive Accounts is Not Enough
While detecting inactive accounts is important it is critical to secure the account so that it is not left in a still-vulnerable state. Simply disabling inactive accounts put security and compliance goals in danger because the accounts are only one check-box away from disaster. To properly secure unused accounts up to (9) separate properties and settings should be considered and possibly updated. These attributes include cleanup of group membership, updating attributes and possibly changing the object’s location. Because there are many options when securing an account, providing administrators and help desk a solution like Cayosoft Suspend ensures that the procedure is performed properly.
Last Logon, Last Password Reset and Creation Date must be considered
A popular approach to figuring out if an AD account is inactive is to inspect the attribute that is supposed to hold the user’s last logon details. Unfortunately, reading this attribute simply doesn’t work due to the default way this Active Directory attribute is replicated. Some vendors will insist that calling every AD Domain Controller for a user’s last logon is necessary, however making thousands of queries simply isn’t efficient and can return false positives and negatives. By considering more than just last logon attribute a complete picture of the account can be formed. This complete picture is requried, so non-interactive logons, newly provisioned accounts and users who are on long-term leave are not mistakenly suspended.
Automatically Find Inactive Users & Inactive User Cleanup
Admin Assistant proactively notifies admins when an inactive account is detected and can optionally Suspend those accounts, eliminating security and compliance issues while optimizing license use and cost. Continuous monitoring means administrators and help desk staff can spend time on more important matters.
- Email alerts to Admins or Help Desk when inactive users are detected
- Optional automatic disabling of inactive accounts
- Weekly Inactive Account Reports
- Avoids false positives when accounts are pre-created
- Sustains SOX 404, HIPAA and PCI compliance goals by serving as a required IT control
Automatically Secure Inactive User Accounts
Cayosoft’s Suspend for Active Directory adds new capabilities to Active Directory Users and Computers allowing administrators to automate deprovisioning tasks needed to correctly secure inactive user and group objects. These tasks are demanded by proactive IT and Auditors to sustain security, compliance and efficiency goals.
- Prevent User Authentication
- Prevent Group Use as a Security or Distribution List
- Update or Clear User Attributes
- Record and Clear Group Memberships
- Relocate Object to a holding OU
- Set Permanent Deletion Date/Time
Single Console Maintenance
Cayosoft Administrator addresses many on-going maintenance issues well beyond Inactive User Cleanup. From one console, Cayosoft Administrator gives you a broader on-going
- Find Inactive Users
- Inactive Groups & Empty Groups
- User Deprovisioning
- Detect users with Passwords that do not expire
- Account Expiration Notification