Troubleshooting Orphaned User Accounts

Important

Security considerations

Because orphaned user accounts are not owned by anyone and consequently are not monitored, attackers often use them to install and distribute malicious software, without being exposed.

Hence, orphaned user acocunts poses a security risk !

🤔 Problem

Note

If you are using local group validation and have specified a local group containing an orphaned user account and the domain controller is unavailable, it will some times take longer to validate elevation requests.

Note

AdminOnDemand.log

🌱 Solution

Detect and delete orphaned user accounts

Orphaned user accounts are accounts that no longer exist. Orphaned user accounts typically appear when an Active Directory account has been added to a local group and the Active Directory account is deleted afterwards.

Enumeration

Enumerating accounts in a group that contain orphaned user accounts often takes a considerable amount of time, especially when the domain controller is unavailable.

It can take up to 120 seconds to enumerate a group that contain orphaned user accounts.

In the example below, the domain controller is unavailable and the local group “LocalGroup1” does not contain orphaned user accounts, but the local group “LocalGroup2” does.

As a result, the PowerShell cmdlet “Get-LocalGroupMember” does not work when enumerating a group containing orphaned user accounts.