How to Manage Active Directory Test User Accounts in a Production Domain

Active Directory test user accounts are supposed to be created only in test environments. In practice this is not always the case: when a new integration or an update of a solution or piece of software is in progress, test accounts may be needed to carry out the required tests and checks in the production environment.

Unfortunately, Active Directory administrators may forget to remove test accounts once the tests are finished. Because these accounts can live under different Organizational Units, they are difficult to identify afterwards.

The following is a method for managing Active Directory test user accounts efficiently. It consists of three steps:

  1. Provisioning of test user accounts
  2. Notification about expiry of test user accounts
  3. Removal of test user accounts

Provisioning of test user accounts

When provisioning test user accounts, set a special flag on each of them so that they can be identified quickly and reliably later on.

One such flag is the info attribute, with its value in the following format: “User-TestAccount Owner: owner@contoso.msft”.

If this flag is used, then:

  • You can identify Active Directory test accounts by running the following command: dsquery * -filter "(&(objectCategory=person)(objectClass=user)(info=User-TestAccount*))"
  • You can identify the owner of each test account, since the owner's e-mail address is recorded in the info attribute value

The following script provisions Active Directory test accounts with the special flag described above and sets an expiry date on them.

Management of test accounts in an Active Directory production domain - Part I: http://gallery.technet.microsoft.com/scriptcenter/Management-of-test-a1ea4fcb

Notification about expiry of test user accounts

When a test user account is about to expire, you can inform its owner and ask whether the expiry date should be extended. This can be done by sending an e-mail notification to the owner's address, which is already recorded in the info attribute.

The following script sends an e-mail notification to the owner of a test user account about the upcoming expiry of that account.

Management of test accounts in an Active Directory production domain - Part II: http://gallery.technet.microsoft.com/Management-of-test-1a617140

This script can be scheduled to run on a weekly basis.

Removal of test user accounts

When the expiry date of a test user account has passed and the owner has not requested an extension, the test user account can be removed automatically.

The following script automatically removes test user accounts that have already expired and notifies their owners about the removal:

Management of test accounts in an Active Directory production domain - Part III: http://gallery.technet.microsoft.com/Management-of-test-982e4037

This script can be scheduled to run on a weekly basis.
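The three steps above (flagged provisioning, expiry notification, removal of expired accounts) combined into one PowerShell script, as an added example that is not one of the gallery scripts linked above. It assumes the RSAT ActiveDirectory module, an internal SMTP relay, and the hypothetical names smtp.contoso.msft, ad-admin@contoso.msft and New-TestAccount; it defaults to a dry run so nothing is deleted until $DryRun is set to $false.

```powershell
# Added example (not the linked gallery scripts): provisioning plus a weekly
# notify/remove pass. Assumes the RSAT ActiveDirectory module, an internal SMTP
# relay and the info format "User-TestAccount Owner: owner@contoso.msft".
Import-Module ActiveDirectory
$SmtpServer = 'smtp.contoso.msft'       # assumption: internal mail relay
$From       = 'ad-admin@contoso.msft'   # assumption: sender mailbox
$WarnDays   = 7                         # warn the owner this many days before expiry
$DryRun     = $true                     # set to $false to really remove accounts

# Step 1: create a flagged test account with an expiry date. New-ADUser creates
# it disabled; enable it once a password has been set.
function New-TestAccount {
    param([string]$Name, [string]$Owner, [string]$OU, [int]$ValidDays = 30)
    New-ADUser -Name $Name -SamAccountName $Name -Path $OU `
        -AccountExpirationDate (Get-Date).AddDays($ValidDays) `
        -OtherAttributes @{ info = "User-TestAccount Owner: $Owner" }
}

# Steps 2 and 3: same LDAP filter as the dsquery command in the article
$filter = '(&(objectCategory=person)(objectClass=user)(info=User-TestAccount*))'
foreach ($u in Get-ADUser -LDAPFilter $filter -Properties info, AccountExpirationDate) {
    # Pull the owner address out of the flag; skip accounts whose flag is malformed
    if ($u.info -notmatch 'Owner:\s*(?<mail>[^\s@]+@[^\s@]+)') {
        Write-Warning "$($u.SamAccountName): info flag has no owner address, skipping"
        continue
    }
    $owner = $Matches['mail']

    if (-not $u.AccountExpirationDate) {
        # A test account with no expiry never reaches removal: report it for an admin
        Write-Warning "$($u.SamAccountName): no expiry date set (owner $owner)"
        continue
    }

    $daysLeft = [int][math]::Floor(($u.AccountExpirationDate - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0) {
        # Expired and no extension requested: remove, then tell the owner
        if ($DryRun) { Write-Host "Would remove $($u.SamAccountName) (owner $owner)"; continue }
        Remove-ADUser -Identity $u -Confirm:$false
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $owner `
            -Subject "Test account $($u.SamAccountName) removed" `
            -Body "The account expired on $($u.AccountExpirationDate) and was removed."
    }
    elseif ($daysLeft -le $WarnDays) {
        # About to expire: ask the owner whether the expiry date should be extended
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $owner `
            -Subject "Test account $($u.SamAccountName) expires in $daysLeft day(s)" `
            -Body "Reply if the expiry date should be extended; otherwise the account will be removed."
    }
}
```

Accounts carrying the flag but no expiry date are only reported, since an unexpiring test account would otherwise stay in the domain indefinitely.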
