Difference between Disabled, Expired and Locked Account

Introduction:

The process of administering and monitoring the activities of the Active Directory service, which is typically found in Windows Server operating systems, is known as Active Directory management. The major goal of AD management is to automate Active Directory user provisioning operations, compliance with rules and audits, security, and centralized access to each user’s account and preferences. It is usually done manually by the network administrator, who makes use of the AD and Windows Server native administration and management tools and components.

How to manage User Accounts?

User accounts are among the most essential and widely used objects in Active Directory. They are used for workstation authentication and authorization, as well as by many services that integrate with AD. Sysadmins and help desk specialists spend the majority of their time managing user accounts. Managing them requires either installing the RSAT tools or logging on to a Domain Controller. Account disabling, account expiration, account lockout and blocking password changes are some of the main features available for user management.

Disabled Accounts:

Disabling is most effective when an organization has a provisioning process that automatically governs the enabling and disabling of accounts, or when guest and vendor engagements are frequent. Because such a vendor engagement often has no fixed end date, an expiry cannot be automated, and disabling the account is the practical control.

Likewise, where a vendor engagement needs to be reined in because of inactivity, the account can be disabled provisionally for security and re-enabled when it is needed again.

To disable an account, follow the steps outlined below:

  • Open the Active Directory Users and Computers (ADUC) snap-in.
  • Right-click on the user object.
  • Go to Account -> Properties -> Account tab -> Account Options.
  • Select the Account is disabled checkbox.
  • Click OK.

To enable a disabled account, follow the steps discussed below:

  • Open the Active Directory Users and Computers (ADUC) snap-in.
  • Right-click on the user object.
  • Go to Account -> Properties -> Account tab -> Account Options.
  • Uncheck the Account is disabled checkbox.
  • Click OK.

Locked Accounts:

An account can be locked automatically based on the organization's Account Lockout Policy. Without such a policy, an account subjected to repeated password guessing can be compromised, with serious consequences for organizational data.

Because logon logs are generated in large volumes, it is not practical to spot a potential breach of an account by hand, nor to disable every suspect account manually; the Account Lockout Policy does this automatically.

To set an account lockout threshold, follow the steps outlined below:

  • Open the Group Policy Management Console (GPMC).
  • Right-click Default Domain Policy and select Edit.
  • Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policy -> Account Lockout Policy.
  • Right-click Account lockout threshold and click Properties.
  • Go to the Security Policy Setting tab, select the Define this policy setting checkbox, and enter the required threshold value.
  • Click OK.

To unlock a locked account, follow the steps discussed below:

  • Open the Active Directory Users and Computers (ADUC) snap-in.
  • Right-click on the locked user and click Properties.
  • Go to the Account tab.
  • Select the Unlock account checkbox (labelled "Unlock account. This account is currently locked out on this Active Directory Domain Controller").
  • Click OK.

Expired Accounts:

For organizations that depend largely on contract-based assignments, this feature is a boon. Being able to set an account expiry date saves you the trouble of having to remember to disable the account manually. When the contract comes to an end, the account expires automatically, leaving no window for the credentials to be misused. If an account provisioning process is in place, this setting fits into it naturally.

To set an account to expire, follow the steps below:

  • Open the Active Directory Users and Computers (ADUC) snap-in.
  • Right-click the user object.
  • Go to Account -> Properties -> Account tab -> Account Options.
  • In the Account expires section, select the End of option.
  • Select the desired date of expiry.
  • Click OK.

Key difference after Status change:

After the status change, all three kinds of account behave alike in refusing logons; the one difference is the locked account. A locked account remains locked only for the duration set in the Account Lockout Policy and is unlocked automatically once that duration has elapsed. If the duration is set to 0, it is never unlocked automatically and an administrator must unlock it.
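To make the interplay of the lockout threshold, the reset window and the "duration 0 never auto-unlocks" rule concrete, here is an added example (not code from the original post) that models the three Account Lockout Policy settings in plain Python. Times are minutes expressed as numbers; the attribute and function names are this example's own, not Active Directory's.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int = 5      # Account lockout threshold (0 disables lockout entirely)
    duration_min: int = 30  # Account lockout duration (0 = locked until an admin unlocks)
    window_min: int = 30    # Reset account lockout counter after (minutes since last bad try)

@dataclass
class Account:
    name: str
    bad_count: int = 0                  # stands in for the DC's bad-password counter
    last_bad: Optional[float] = None    # minute of the most recent failed attempt
    locked_at: Optional[float] = None   # minute the lockout began, None when not locked

def is_locked(acct: Account, policy: LockoutPolicy, now: float) -> bool:
    """True if the account is still locked at minute `now`; applies auto-unlock."""
    if acct.locked_at is None:
        return False
    if policy.duration_min == 0:
        return True                     # never auto-unlocks: an admin must clear it
    if now - acct.locked_at >= policy.duration_min:
        acct.locked_at, acct.bad_count = None, 0   # duration elapsed: auto-unlock
        return False
    return True

def bad_password(acct: Account, policy: LockoutPolicy, now: float) -> bool:
    """Record one failed logon at minute `now`; True if the account is locked afterwards."""
    if is_locked(acct, policy, now):
        return True
    if policy.threshold == 0:
        return False                    # lockout disabled: the counter is irrelevant
    if acct.last_bad is not None and now - acct.last_bad >= policy.window_min:
        acct.bad_count = 0              # reset window expired since the last failure
    acct.bad_count += 1
    acct.last_bad = now
    if acct.bad_count >= policy.threshold:
        acct.locked_at = now
        return True
    return False

def admin_unlock(acct: Account) -> None:
    """What the ADUC 'Unlock account' checkbox does: clear the lockout and the counter."""
    acct.locked_at, acct.bad_count, acct.last_bad = None, 0, None
```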

Event IDs in logon events:

Active Directory event logs can be viewed with Microsoft's native Event Viewer. You can use the event IDs listed below to diagnose and resolve user account related problems on your network.

Windows Server 2003:

531: Logon failure. A logon attempt was made using a disabled account.

532: Logon failure. A logon attempt was made using an expired account.

539: Logon failure. The account was locked out at the time the logon attempt was made.

Windows Server 2008:

On Windows Server 2008 and later, all failed logons are recorded under a single event: "4625: An account failed to log on".

The event's Failure Reason field distinguishes the same three cases listed above.
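Because 4625 folds all three cases into one event ID, a defender triaging the log has to read the failure detail rather than the ID. The following added example (not from the original post) shows that classification over constructed 4625 message bodies, using the Sub Status values Microsoft documents for disabled (0xC0000072), expired (0xC0000193) and locked-out (0xC0000234) accounts; those codes, the sample records and the function names are this example's, not the page's.

```python
import re
from collections import Counter

# Sub Status -> (category, the Windows Server 2003 event ID it replaced).
# NTSTATUS values are Microsoft's documented 4625 sub-status codes, not from the page.
SUB_STATUS = {
    0xC0000072: ("disabled", 531),
    0xC0000193: ("expired", 532),
    0xC0000234: ("locked out", 539),
}
LEGACY_IDS = {531: "disabled", 532: "expired", 539: "locked out"}

def classify(event_id, sub_status=None):
    """Category of a failed logon: legacy IDs map directly, 4625 needs its Sub Status."""
    if event_id == 4625 and sub_status is not None:
        return SUB_STATUS.get(int(sub_status, 16), ("other", None))[0]
    return LEGACY_IDS.get(event_id, "other")

NAME_RE = re.compile(r"Account Name:\s*(\S+)")
SUB_RE = re.compile(r"Sub Status:\s*(0x[0-9A-Fa-f]+)")

def parse_4625(message):
    """Pull the failing account and Sub Status out of a 4625 message body.
    4625 lists 'Account Name' twice (Subject, then the account that failed); take the last."""
    names = NAME_RE.findall(message)
    sub = SUB_RE.search(message)
    return (names[-1] if names else None), (sub.group(1) if sub else None)

def summarize(messages):
    """Count failed logons per (account, category) so repeated attempts against
    disabled, expired or locked accounts stand out from ordinary 4625 noise."""
    counts = Counter()
    for msg in messages:
        name, sub = parse_4625(msg)
        counts[(name, classify(4625, sub))] += 1
    return counts

def _sample(name, sub):
    # Constructed 4625 body, trimmed to the fields the parser reads.
    return (f"Subject:\n\tAccount Name:\t\t-\n"
            f"Account For Which Logon Failed:\n\tAccount Name:\t\t{name}\n"
            f"Failure Information:\n\tStatus:\t\t\t0xC000006E\n\tSub Status:\t\t{sub}")

SAMPLE_4625 = [_sample("jdoe", "0xC0000072"), _sample("jdoe", "0xC0000072"),
               _sample("contractor7", "0xC0000193"), _sample("asmith", "0xC0000234"),
               _sample("bbrown", "0xC000006A")]   # last one is a plain wrong password

if __name__ == "__main__":
    for (acct, category), n in sorted(summarize(SAMPLE_4625).items()):
        print(f"{acct:<12} {category:<10} {n}")
```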

How to find disabled, expired and locked accounts?

Disabled Accounts:

Follow the steps below to find disabled accounts using PowerShell:

  • Launch the PowerShell console on your domain controller (DC).
  • Import the Active Directory PowerShell module to the DC with the following command:

Import-Module ActiveDirectory

  • Run the PowerShell command below to find the disabled accounts, paying special attention to the selected properties:
    Search-ADAccount -AccountDisabled -UsersOnly -ResultPageSize 2000 -ResultSetSize $null | Select-Object SamAccountName, DistinguishedName | Export-Csv "C:\Temp\DisabledUsers.CSV" -NoTypeInformation
  • To view the list of disabled accounts, open the CSV file produced by the command in MS Excel.

Note: Remove the Export-Csv part of the pipeline if you wish to see the results directly in the console.

Expired Accounts:

To identify expired accounts using PowerShell, follow the instructions below:

  • Launch the PowerShell console on your domain controller (DC).
  • Import the Active Directory PowerShell module to the DC with the following command:

Import-Module ActiveDirectory

  • Run the PowerShell commands below to find the expired accounts, paying special attention to the selected properties. $ThisDomain and $Creds name the domain to query and the credentials used to query it; set them first:
    $ThisDomain = (Get-ADDomain).DNSRoot   # or the FQDN of the domain to query
    $Creds = Get-Credential                # account with read access to the domain
    Search-ADAccount -Server $ThisDomain -Credential $Creds -AccountExpired -UsersOnly -ResultPageSize 2000 -ResultSetSize $null | Select-Object Name, SamAccountName, DistinguishedName, AccountExpirationDate
  • If there are any expired accounts in your Active Directory domain, they will be listed in the PowerShell window's output.

Locked Accounts:

Follow the methods outlined below to search for locked out accounts using PowerShell:

  • Launch the PowerShell console on your domain controller (DC).
  • Import the Active Directory PowerShell module to the DC with the following command:

Import-Module ActiveDirectory

  • Run the PowerShell command below to find the locked-out accounts:
    Search-ADAccount -LockedOut
  • If there are any locked-out accounts in your Active Directory domain, they will be listed in the PowerShell window's output.

The PowerShell output lists the locked accounts.

AD management is a component of the server and network monitoring and management activities that keep Active Directory functioning properly. Every day, IT administrators encounter various problems in Active Directory management, particularly in managing user accounts. Configuring user settings manually is tiring, time-consuming and error-prone, especially in a complex Windows network. Furthermore, doing these tasks with native tools or PowerShell demands a deeper understanding of the underlying AD management processes. To improve the efficiency and effectiveness of Active Directory management, a purpose-built solution that simplifies and automates these time-consuming activities, while also providing comprehensive reports on AD objects, is therefore worth considering.
