Finding and disabling inactive accounts

Hi

As part of PCI DSS verification, I have run a query in AD to find the accounts that have been inactive for 90 days and have disabled them manually. However, the PCI scan is still failing with the message below:

Verify inactive accounts
For all accounts on the system verify that they havent been inactive beyond 90 days. You must have a process in place to identify and review inactive accounts that have not been used in 90 days and either remove or disable them.

My question is what is the best way to find the accounts inactive for 90 days and to disable them?

Thanks

Regards

  • Edited by Y a h y a Friday, August 21, 2015 9:44 PM
August 21st, 2015 9:36pm

Hi

I used Active Directory Users and Computers and even Netwrix Auditor to find inactive users and computers and have disabled them. However, I still get the error below:

Verify inactive accounts 
For all accounts on the system verify that they havent been inactive beyond 90 days 

What could I possibly be missing?

Thanks

Regards

August 22nd, 2015 10:44pm

Have you tried using the Active Directory Administrative Center tool to find the objects? The link below should help.

http://blogs.technet.com/b/askpfeplat/archive/2013/03/19/four-things-i-like-about-active-directory-administrative-center-adac-in-windows-server-2012.aspx

August 22nd, 2015 11:30pm

Hi Jedi_Administrator

I tried the query below but found no users. The error still persists.

Thanks

Regards

August 22nd, 2015 11:58pm

The link below lists the built-in groups and accounts; are any of these the culprit? What about local accounts on the server, such as the Guest account? Also, if the account has never logged into the domain or local PC, then it will show as inactive.

https://support.microsoft.com/en-us/kb/243330

August 23rd, 2015 1:17am
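
The checks raised in the last reply (accounts that have never logged on, and local accounts on the server itself), as an added example that is not part of the original thread. The 90-day threshold comes from the scan message; the script assumes the ActiveDirectory RSAT module is installed and PowerShell 5.1 or later for `Get-LocalUser`.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# for the domain part and PowerShell 5.1+ for Get-LocalUser / Disable-LocalUser.
Import-Module ActiveDirectory

$days   = 90
$cutoff = (Get-Date).AddDays(-$days)

# Domain accounts that are still enabled and either
#  - last logged on before the cutoff, or
#  - have never logged on and were created before the cutoff.
# LastLogonDate is derived from lastLogonTimestamp, which can lag the real
# logon by up to about 14 days with default domain settings.
$staleDomain = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    } |
    Select-Object SamAccountName, Enabled, LastLogonDate, whenCreated, DistinguishedName

# Local accounts on this server (Guest, local Administrator, leftover service
# accounts) are not stored in AD, so an AD query never returns them.
$staleLocal = Get-LocalUser |
    Where-Object { $_.Enabled -and (-not $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    Select-Object Name, Enabled, LastLogon

$staleDomain | Format-Table -AutoSize
$staleLocal  | Format-Table -AutoSize

# Review both lists before changing anything; built-in and service accounts may
# need a documented exception instead. -WhatIf prints the action without applying it.
$staleDomain | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
$staleLocal  | ForEach-Object { Disable-LocalUser -Name $_.Name -WhatIf }
```

Run the local-account part on each server the scan reports, and remove `-WhatIf` only after the lists have been reviewed.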
