Take action on unused accounts
One way to protect your network is to regularly check for unused accounts. There might be accounts that haven't been used for a long time because, for example, the user moved to another job or was a temporary contractor. Unused accounts on your network can be a huge security hole.
To find out if you have accounts without active users, get a list of all your employees and their usernames and manually go through them. However, this method is impossible for large corporations. An easier alternative is to check the last logon time for each user account. (All computers and domain controllers remember the last logon date and time of a user.) Once you identify which accounts haven't been used in a certain amount of time, you can take action by
There are several ways to do this. You can use the net user command. If you type "net user username", it will display all sorts of data about the account, including the last logon time. You could also use the Usrstat.exe utility from the Windows 2000 Server Resource Kit. A third way is to manually check Active Directory and look for the lastLogon property of each user account. You will probably want to write a script that does this for you.
You have to run most of these applications on each individual domain controller, because the lastLogon property in Active Directory isn't replicated to all domain controllers; it is local to each domain controller.
Lastly, a more powerful (and more expensive) option is to buy a third-party application. To find one, go to Google and search for "last logon."
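The script the text suggests writing, as an added example that is not from the book: it asks every domain controller for each enabled user's lastLogon (because that attribute is not replicated), keeps the newest value seen on any DC, and lists the accounts whose most recent logon is older than a cutoff. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller can read user objects on each DC; the 90-day cutoff is an arbitrary placeholder.

```powershell
# Added example: report enabled accounts not logged on in $InactiveDays days,
# checking lastLogon on every domain controller (it is stored per DC, not replicated).
param(
    [int]$InactiveDays = 90   # assumed cutoff; pick what fits your policy
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)
$latest = @{}   # samAccountName -> newest lastLogon seen on any DC

foreach ($dc in (Get-ADDomainController -Filter *)) {
    # Query this specific DC; lastLogon is an int64 FILETIME, 0/null means "never on this DC".
    $users = Get-ADUser -Server $dc.HostName -Filter 'Enabled -eq $true' -Properties lastLogon
    foreach ($u in $users) {
        $t = if ($u.lastLogon) { [DateTime]::FromFileTime($u.lastLogon) } else { [DateTime]::MinValue }
        if (-not $latest.ContainsKey($u.SamAccountName) -or $t -gt $latest[$u.SamAccountName]) {
            $latest[$u.SamAccountName] = $t
        }
    }
}

# Accounts whose newest logon across all DCs is before the cutoff (or that never logged on).
$stale = $latest.GetEnumerator() |
    Where-Object { $_.Value -lt $cutoff } |
    Sort-Object Value |
    ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Key
            LastLogon = if ($_.Value -eq [DateTime]::MinValue) { 'never' } else { $_.Value }
        }
    }

$stale | Format-Table -AutoSize

# After reviewing the list with HR/the account owners, disable confirmed-unused accounts
# (disable first, delete later: the SID and file ownership stay available for auditing):
#   Disable-ADAccount -Identity <samAccountName>
```

Two practical notes: a DC that is unreachable will throw on Get-ADUser, so wrap the query in try/catch if you want the report to survive a down DC, and treat "never" entries with care, since service and recently created accounts also show no logon. On domains at Windows Server 2003 functional level or later the replicated lastLogonTimestamp attribute can be read from a single DC instead, but it is only updated every 9 to 14 days, so it is coarser than the per-DC lastLogon the book describes.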