Orphaned Accounts

Accounts that are left behind after they are no longer needed or a user leaves the organization are also known as orphaned accounts. Read on to learn more about the risks of these inactive accounts and how to eliminate them.

What Are Orphaned Accounts?

An orphaned account, sometimes also known as a stale account or ghost account, is an inactive, but still enabled user account in a network or system. The typical example of orphaned accounts are user accounts left behind in the Active Directory after employees leave an organization, but the term can also refer to accounts in third-party applications or other databases and platforms.

Accounts become “orphaned” when they are no longer needed but are not removed. Mishaps in internal communication can often lead to orphaned accounts, for instance if the HR department forgets to tell the IT team that a staff member is leaving the company and their accounts need to be closed. Similarly, when people are promoted or change departments, they may no longer need some of their old accounts. Ultimately, the problem is that tracking old accounts manually not only takes a lot of time, but also leads to errors. That’s why the easiest way to avoid orphaned accounts is to automate the user lifecycle management at your organization.

Note: Removing a user account without deleting the corresponding entry in the Access Control List can lead to an orphaned SID. These entries are largely harmless, but can make it more difficult to track SIDs.

Orphaned Accounts as a Security Risk

Although it’s tempting to think of abandoned accounts as just a bit of harmless clutter, you’d be wrong. For one thing, accounts that have outlived their purpose could still be using software licenses and contribute to the recurring costs at your organization. More importantly, however, orphaned accounts increase the risk of cyber attacks and employee data theft. If VPN clients and Microsoft 365 accounts are not disabled in time, former employees could theoretically use them to access company data at any point.

Similarly, old accounts are a popular target for hackers. Since they are no longer kept up to date, they often do not meet current safety standards such as password policies. Without a user to notice suspicious activity on their account, the risk of being caught when breaking into an inactive account is also lower. All of these factors make them a dangerous attack vector for cybercriminals. Take this report by the cybersecurity firm Sophos, for example, which details two cases in which hackers used orphaned accounts to smuggle ransomware into the company network.

How Common Are Orphaned Accounts?

As we just established, orphaned accounts pose a security risk to your organization and should be removed as soon as possible. Despite this, many businesses struggle to keep old and abandoned accounts under control.

The Data Risk Report by Varonis provides some facts and figures for this problem. In the manufacturing sector, 44% of the companies Varonis looked at had more than 1,000 orphaned accounts on their network. The numbers were even worse in the financial sector with 64 percent. Healthcare organizations scored worst of all with 79 percent having more than 1,000 abandoned accounts.

How to Find Inactive Accounts in AD

One option for tracking down orphaned accounts in your network is to run a PowerShell script to search for all Active Directory accounts that have not logged in for 90 days or more (for example). You can achieve this by using the Search-ADAccount CMDlet combined with the -AccountInactive parameter. We have provided a sample script below:

  • Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00 |
    Where {$_.Enabled -eq “True”} |
    Sort -property LastLogonDate -desc |
    ft UserPrincipalName, LastLogonDate -autosize

However, the list this script produces is only the first step towards solving the problem and requires further investigation. After all, there can be legitimate reasons why a user has not used their account for a while (sabbaticals or parental leave, for example). If you do end up deleting users from Active Directory, you also have to remember to close any third-party accounts they might have that are not attached to their AD account.

To solve the problem of orphaned accounts long-term, you need to address the root cause: the error-prone process of IT admins manually removing accounts when (and if) they are told about changes in your organization. User and permission management with tenfold not only allows you to automatically update and remove accounts when roles change within your organization, but also makes it easy to track accounts and perform user access reviews.

You can learn more about the advantages of tenfold Identity and Access Management in our article What is IAM?

Whitepaper

Best Practices for Access Management In Microsoft® Environments

An in-depth manual on how to set up access structures correctly, including technical details. Also includes information on reporting and tips for implementation.

About the Author: Joe Köller

As a content manager at tenfold, Joe Köller dives deep into topics like compliance, IT security and access management. His interests also include digital media, American literature and gardening.