\[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected] and you might see the answer in this column!\]
Last week, my company's top management announced a significant number of layoffs. I know that disgruntled employees can harm an organization's IT infrastructure, especially if Windows NT 4.0 user accounts remain enabled after an employee has left the company. My company can't immediately implement provisioning software (i.e., software that automatically synchronizes different account databases based on a master database or directory) to address this problem. Such software could, for example, automatically disable an NT 4.0 account if the associated employee were deleted from the human resources (HR) department's database. For now, how can I detect and delete or disable unused accounts in the NT 4.0 security database?
You're right that most advanced provisioning software solutions (e.g., Systor's Security Administration Manager—SAM, Access360's enRole, Business Layers' eProvision Day One) support automatic detection and disabling of unused NT accounts. Until your company can invest in such software, you might consider Waveset Technologies' Waveset Risk Assessment Utility. This tool is free from the Waveset Web site (http://www .waveset.com), but you need to register to download it. The tool's setup file is about 15MB, so make sure you have a high-bandwidth connection to the Internet for the download.
Figure 1, page 14, shows the main interface of Waveset's Risk Assessment Utility. From this interface, you can scan a Windows domain for inactive, disabled, and locked accounts. Note that you can scan for a variable number of days of account inactivity. To perform a scan, simply click Scan This Domain. The tool asks you to confirm that you want to run the scan on a particular domain, then runs the scan and displays the results at the bottom of the dialog box. From the File menu, you can choose to dump the results of the scan to a file or send them to a mailbox.
After you have the scan results, you can send them to the administrators responsible for those accounts to take appropriate action. Alternatively, you can disable or delete the accounts yourself. You can do so manually one-by-one or automatically with a batch script. To do the latter, first dump Waveset's results to a text file. You can automatically delete or disable the accounts dumped into the file with a combination of the For and Net User commands or the Windows NT Server 4.0 Resource Kit Addusers (addusers .exe) utility. Before you can use these tools, you must prepare Waveset's output file. You can use a Perl or Visual Basic (VB) script, for example, to change Waveset's output file to the format these tools require.
The For command requires a file in which a predefined separator separates all account entries. The Addusers tool requires a specific input file format, which is documented in the resource kit.
Because the Net User command supports only account deletion (using the /delete switch), you can't use the For—Net User combination to disable accounts. You can use the Addusers tool both to delete and to disable accounts. To delete accounts, use Add users' /e switch; to disable accounts, use the /p:d switch.