A dormant account is a user, admin, service, or guest account that remains enabled but has shown no valid sign-in, activity, or access usage for a defined period. In identity and access control, it is risky because attackers can exploit unused credentials without immediately disrupting active users.
Dormant accounts expand the attack surface. They may still hold application access, device permissions, VPN rights, or privileged roles even after an employee changes role, leaves the company, or stops using a system.
Microsoft notes that obsolete inactive accounts represent a security risk, and NIST SP 800-53 AC-2 expects organizations to disable accounts after a defined period of inactivity or policy triggers.
| Account type | Meaning | Main risk |
|---|---|---|
| Dormant | Enabled but unused for a set period | Silent misuse |
| Inactive | No recent login or activity | Credential exposure |
| Orphaned | No valid owner or associated user | Uncontrolled access |
Security teams usually track last sign-in, last password change, device enrollment status, app usage, role membership, and HR employment status. A strong policy defines different thresholds for workforce users, contractors, admins, guests, and service accounts.
Organizations should review ownership, validate business need, remove unnecessary privileges, disable the account, and delete it after retention requirements are met. High-risk accounts, such as privileged or external accounts, should follow shorter review cycles.
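As an added example (not Hexnode's code or code from the original page), the following Python classifier applies the signals and per-type thresholds described above to a constructed directory export, and maps each account to the lifecycle action the text recommends. The 30/60/90-day thresholds, the field names, and the "prompt the owner for review at half the threshold" rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed dormancy thresholds in days per account type. The page gives no fixed
# numbers; these are illustrative, with shorter cycles for privileged and guest accounts.
THRESHOLD_DAYS = {"workforce": 90, "contractor": 60, "admin": 30, "guest": 30, "service": 90}


@dataclass
class Account:
    name: str
    kind: str                     # one of the THRESHOLD_DAYS keys
    enabled: bool
    last_sign_in: Optional[date]  # None means the account has never signed in
    owner: Optional[str]          # None means no valid owner is recorded
    hr_status: str                # constructed values: "employed" or "terminated"


def classify(acct: Account, today: date) -> Tuple[str, str]:
    """Return (state, action): state is disabled|orphaned|dormant|active,
    action is none|review|disable."""
    if not acct.enabled:
        return "disabled", "none"          # already blocked from authentication
    if acct.owner is None or acct.hr_status == "terminated":
        return "orphaned", "disable"       # nobody accountable: disable regardless of use
    limit = THRESHOLD_DAYS[acct.kind]
    idle = (today - acct.last_sign_in).days if acct.last_sign_in else None
    if idle is None or idle >= limit:
        return "dormant", "disable"        # enabled but unused past the type's threshold
    if idle >= limit // 2:
        return "active", "review"          # approaching threshold: confirm business need
    return "active", "none"


def report(accounts: List[Account], today: date) -> Dict[str, Tuple[str, str]]:
    return {a.name: classify(a, today) for a in accounts}


TODAY = date(2024, 6, 30)
# Constructed sample export, not real data.
SAMPLE = [
    Account("alice", "workforce", True, date(2024, 6, 20), "alice", "employed"),
    Account("bob.contract", "contractor", True, date(2024, 4, 1), "bob", "employed"),
    Account("svc-backup", "service", True, date(2024, 5, 1), "ops-team", "employed"),
    Account("carol.admin", "admin", True, date(2024, 6, 5), "carol", "terminated"),
    Account("guest-vendor", "guest", True, None, "dave", "employed"),
    Account("old-user", "workforce", False, date(2023, 1, 15), "old-user", "employed"),
]

if __name__ == "__main__":
    for name, (state, action) in report(SAMPLE, TODAY).items():
        print(f"{name:13} {state:9} -> {action}")
```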
No, a dormant account is not the same as a disabled account: a dormant account may still be enabled and usable, whereas a disabled account has been blocked from authentication.
There is no universal inactivity threshold. Many organizations define 30, 60, or 90 days based on risk, account type, compliance needs, and operational impact.
Privileged accounts can change configurations, access sensitive data, or create new users, so a dormant privileged account is especially dangerous: if attackers compromise one, they can escalate access quickly.
Hexnode supports endpoint and access governance by helping IT teams maintain visibility across managed users, devices, and security posture. In a UEM-led security strategy, Hexnode helps organizations enforce policy, reduce unmanaged access paths, and strengthen lifecycle controls across corporate endpoints.