Automatically detect orphaned user accounts

Last updated: March 23, 2022

It surprises many people what turns out to be security-relevant in today's IT world. Almost every day, new vulnerabilities or backdoors in well-known operating systems and programs are not only published but actively exploited. A tidy and spotlessly clean IT network is therefore a must for every professional IT department.

But not every vulnerability comes from a newly discovered security hole. Sometimes we build holes into our systems ourselves, and these are so specific to our environment that ordinary patches and updates cannot fix them. Today we are talking about orphaned user accounts: accounts that were created but never used, or that have not been used for a long time.

Existence outside of security policies

Most companies have many guidelines for user management in order to keep the security of the IT network as high as possible. These include restricting access from outside or limiting it to certain locations, implementing multi-factor authentication (MFA), and requiring users to change their password every few months.

But what happens to user accounts that were created in the system at some point but never used? Do they simply not exist? Well, this happens faster than some people realize.

In almost every company it can happen that an applicant changes their mind at the last moment and decides not to sign the employment contract shortly before the start date. As a rule, however, all user accounts, authorizations and any equipment have already been prepared and set up in advance for the supposed new employee.

When the communication chain breaks

Information chains do not always work as intended across all areas of a company. Of course, the HR department, the management and the affected department know about it. Often, however, that is as far as it goes, and unless someone happens to mention the supposed new employee's absence in the cafeteria, it is quickly forgotten.

If the IT department is not specifically informed of this, the freshly created user account may wait a long time for its first login. Or its deletion may be pushed into the background by other, higher-priority work. As we know, an IT department often has to react quickly to events, and simple administrative tasks tend to take a back seat.

And so a never-used account lies dormant for days, weeks or even months, well hidden in the domain administration, with a simple "starter" password such as "123GotIT!" or a similarly creative phrase.

The horror scenario that never happens – hopefully.

There are, of course, other ways to end up with such a "user corpse" in the system: a test account, for example, or a special account for a piece of software, or accounts that were assigned to a user at some point and actually used, but whose owner has not been with the company for a long time.

In a company with 20 employees this may well be noticed when eager system administrators roam the IT domains. With hundreds of users, or even several locations where many colleagues do not even know each other, it becomes rather difficult.

To be clear: the danger does not always come from hackers alone. Overly curious colleagues can also gain access to such accounts with a little nerve, because user account names always follow the same pattern within a company, usually a combination of parts of the first name and last name. And the password? Yes, the password. It is usually the same starter password that has been handed to every newcomer for years. Remember it? "123GotIT!".

Remedy through regular control

With Docusnap, we take the wind out of this danger right from the start. From the very first installation, Docusnap provides reports for various evaluations. Among other things, so-called "user corpses" can be displayed quickly and clearly: all user accounts that have never logged on to the domain are listed.

Report: evaluation of orphaned user accounts

Newly created user accounts that have never been used are not the only way to compromise the security of a network. It is just as important to cleanly remove employees who have left the company from the IT environment.

Here, too, Docusnap helps in the form of a report. A second report evaluates accounts by the date of their last login, and this date can be set as desired. For example, with one mouse click, all accounts that have not logged into the system for 90 days can be displayed.
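The two reports described above (accounts that have never logged on, and accounts with no login for 90 days) can also be reproduced from raw Active Directory attributes. The following is an added example, not Docusnap code: it assumes account records as an LDAP query would return them (sAMAccountName, whenCreated, lastLogonTimestamp as a FILETIME integer, and the enabled flag) and uses constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogonTimestamp as a FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 = never logged on.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lastLogonTimestamp is only replicated between domain controllers when it is older than
# msDS-LogonTimeSyncInterval (14 days by default), so it can lag the real last login by that much.
REPLICATION_SLACK = timedelta(days=14)

def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware datetime; 0 or missing means 'never'."""
    if not ft:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample data."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def classify_accounts(accounts, now, stale_after=timedelta(days=90)):
    """Split enabled accounts into: never logged on (and older than the window),
    stale (last login older than the window plus replication slack), and active."""
    report = {"never_logged_on": [], "stale": [], "active": [], "pending_first_logon": []}
    for acct in accounts:
        if not acct.get("enabled", True):
            continue  # already disabled: nothing left to clean up in this report
        last = filetime_to_datetime(acct.get("lastLogonTimestamp"))
        if last is None:
            # A brand-new account legitimately has no login yet; only flag it once the
            # account has existed longer than the stale window (the "no-show hire" case).
            key = "never_logged_on" if now - acct["whenCreated"] >= stale_after else "pending_first_logon"
        elif now - last > stale_after + REPLICATION_SLACK:
            key = "stale"  # leaver or forgotten service/test account
        else:
            key = "active"
        report[key].append(acct["sAMAccountName"])
    return report

# Constructed sample data (not real directory output); NOW is the article's publication date.
NOW = datetime(2022, 3, 23, tzinfo=timezone.utc)
_utc = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "whenCreated": _utc(2019, 5, 2), "lastLogonTimestamp": datetime_to_filetime(_utc(2022, 3, 20)), "enabled": True},
    {"sAMAccountName": "nohire", "whenCreated": _utc(2021, 10, 1), "lastLogonTimestamp": 0, "enabled": True},
    {"sAMAccountName": "fresh", "whenCreated": _utc(2022, 3, 15), "lastLogonTimestamp": 0, "enabled": True},
    {"sAMAccountName": "leaver", "whenCreated": _utc(2018, 1, 9), "lastLogonTimestamp": datetime_to_filetime(_utc(2021, 10, 1)), "enabled": True},
    {"sAMAccountName": "svc_old", "whenCreated": _utc(2017, 6, 1), "lastLogonTimestamp": 0, "enabled": False},
]

def run_report():
    return classify_accounts(SAMPLE_ACCOUNTS, NOW)
```

In a real environment the account list would come from an LDAP query of the domain, and the same attribute lag applies to any tool that reads lastLogonTimestamp rather than the non-replicated lastLogon on every domain controller.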

Of course, we do not limit ourselves to one-time actions. After all, an evaluation only makes sense if it is carried out regularly. Docusnap supports you in this as well.

More security through automatic processes

A regular and, above all, automatic evaluation can be set up with just a few mouse clicks. An overview can then be sent by e-mail once a month, for example, without any further interaction with Docusnap.

This not only saves a lot of time but also helps to keep your IT network up to date and clean at all times.


Docusnap is the market leader among professional IT documentation solutions in Germany. Docusnap is constantly adapted and expanded to meet the new challenges that the Internet brings to our daily IT business.

If you would like to benefit from the advantages of a professional IT documentation solution but have not yet decided to use one, we offer you a completely free 30-day trial version.

And because we want you to experience the benefits of Docusnap from the very first moment, even during this free trial period, our team of experts is at your disposal from day one to assist you with any questions regarding the installation, setup and operation of Docusnap. Also free of charge. Let's start!