User management issues

Newsgroup: microsoft.public.windows.server.security
Posted by Vincent on July 20, 2006, 10:50 am
At our company (approximately 2000 employees) we would like to streamline
the user account management process. I read the account management guide at
http://www.microsoft.com/technet/itsolutions/cits/dsd/acctmgmt/default.mspx,
but am still left with some questions some people might want to answer.
Maybe you're struggling with the same things, in which case we can learn
from each other. I'm looking for a practical, procedural or technical
solution for the following issues:

- Make sure that accounts are disabled the moment people leave the company.
At the moment managers are very sloppy with these kinds of things. Accounts
remain enabled for months after someone leaves (after all, from their point
of view it's more important to get somebody going ASAP). I could go for the
scripting solution (e.g., creating lists of users who haven't logged on for
over 2 months and ask the heads of department who is still around), but then
it's ME again doing all the sorting and searching.

- Make sure ALL accounts are disabled. We don't have Identity Integration
Server, but I want to be able to track who has an account where, such as AD/
SQL/ backup applications/ LOB accounts. How is this solved? Creating a
database and (manually) updating it every time an approved account request
comes in? We're not responsible for all LOB accounts, so that doesn't help
either.

- The place to approve account creation/ alteration/ deletion. Do you work
with a security officer responsible for these tasks? Right now someone in
each and every department is responsible for it. Unfortunately, some of them
rubber-stamp almost anything, from account permissions to applications.
Since we don't have a clear view on their business process, it's hard to
deny requests, especially with their manager support, even though we
sometimes raise our eyebrows (more than once really). The Microsoft document
mentions CAB meetings for severe cases, how about other things?

- Who should be the main force behind account alteration? Again, management
is not really interested in employees moving to other departments. However,
if we don't get that info, the user can access his/her old data, can start
up old applications, remains in distribution lists etc. Some of them remind
us of that, since they don't like the mails (they don't mind about the apps
though). Some of them, however, love to keep their nose where it should no
longer belong.

Many thanks for ANY input you guys have.



Posted by Miha Pihler [MVP] on July 20, 2006, 11:11 am
Hi,

A very simple command that will show you which user accounts have been
inactive for X amount of weeks...

dsquery user -inactive 4

where 4 is 4 weeks and you can put in any number...

This should be a good start and it should be now easy to disable or delete
these accounts.

Some other answers from me (my opinion)...

> - The place to approve account creation/ alteration/ deletion. Do you work
> with a security officer responsible for these tasks?

I don't think that a security officer should be included in creating /
deleting every account. He/She probably has enough other work to do. What I
usually suggest is to sit down with the security officer and write the policy
on how and when to create / delete these accounts. Management should agree with
this policy (sign it) and all you have to do from now on is to follow this
policy (and change it when necessary - again with management approval).
Policies are not written in stone any more ;-).

Another thing that I like to avoid whenever possible is for IT to be in
charge of delegating and assigning permissions to resources. This should be
done by data owners. They have the best information on which they can decide if
someone needs access to data (lists and other resources) or not (or when
he/she should be removed from access)... IT can (should) only help set this
up for the data owners (e.g. create groups, teach data owners how to add
users into groups) etc...

I know these can be hard and I still have customers that are not listening
to this (usually smaller ones). On the other hand I have customers that did
this and are very happy with such arrangements...

I hope this helps,

--
Mike
Microsoft MVP - Windows Security

> At our company (approximately 2000 employees) we would like to streamline
> the user account management process. I read the account management guide
> at
> http://www.microsoft.com/technet/itsolutions/cits/dsd/acctmgmt/default.mspx,
> but are still left with some questions some people might want to answer
> to.
> Maybe you're struggling with the same things, in which case we can learn
> from eachother. I'm looking for a practical, procedural or technical
> solution for the following issues:
>
> - Make sure that accounts are disabled the moment people leave the
> company.
> At the moment managers are very sloppy with these kind of things. Accounts
> remain enabled for months after someone leaves (after all, from their
> point
> of view it's more important to get somebody going ASAP). I could go for
> the
> scripting solution (e.g., creating lists of users who haven't logged on
> for
> over 2 months and ask the heads of department who is still around), but
> then
> it's ME again doing all the sorting and searching.
>
> - Make sure ALL accounts are disabled. We don't have Identity Integration
> Server, but I want to be able to track who has an account where, such as
> AD/
> SQL/ backup applications/ LOB accounts. How is this solved? Creating a
> database and (manually) update it every time an approved account request
> comes in? We're not responsible for all LOB accounts, so that doesn't help
> either.
>
> - The place to approve account creation/ alteration/ deletion. Do you work
> with a security officer responsible for these tasks? Right now someone in
> each and every department is responsible for it. Unfortunately, some of
> them
> rubber-stamp almost anything, from account permissions to applications.
> Since we don't have a clear view on their business process, it's hard to
> deny requests, especially with their manager support, even though we
> sometimes raise our eyebrows (more than once really). The Microsoft
> document
> mentions CAB meetings for severe cases, how about other things?
>
> - Who should be the main force behind account alteration? Again,
> management
> is not really interested in employees moving to other departments.
> However,
> if we don't get that info, the user can access his/her old data, can start
> up old applications, remains in distribution lists etc. Some of them
> remind
> us of that, since they don't like the mails (they don't mind about the
> apps
> though). Some of them, however, love to keep their nose where it should no
> longer belong.
>
> Many thanks for ANY input you guys have.
>
>

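The "dsquery user -inactive 4" step above, written out as an added example that is not code from the thread or from either poster: it lists enabled accounts unused for N weeks, writes a report with each account's manager (the "who is still around" question), and only disables accounts when asked to, tagging each one so the change is auditable and reversible. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later, which postdates this thread) and an OU path of your own; the search base and report path are placeholders.

```powershell
# Added example, not from the thread. Equivalent of "dsquery user -inactive N"
# with a paper trail. Assumes the ActiveDirectory module; OU and paths are assumptions.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveWeeks = 4,                                # same meaning as dsquery's -inactive
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',    # assumption: where staff accounts live
    [string]$ReportPath = "$env:TEMP\inactive-users.csv",
    [switch]$Disable                                        # report only unless set
)

$days   = 7 * $InactiveWeeks
$cutoff = (Get-Date).AddDays(-$days)

# -AccountInactive relies on lastLogonTimestamp, which replicates only every 9-14 days
# by default, so a result can be up to two weeks stale. Accounts that have never
# logged on (new joiners) have no LastLogonDate and are deliberately left out so a
# brand-new account is not disabled before its owner has started.
$stale = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days $days) -SearchBase $SearchBase |
    Where-Object { $_.Enabled -and $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff } |
    Get-ADUser -Properties LastLogonDate, Description, Manager, whenCreated

$report = foreach ($u in $stale) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Name           = $u.Name
        LastLogonDate  = $u.LastLogonDate
        Manager        = $u.Manager      # DN of the manager, so the department head can be asked
        Created        = $u.whenCreated
    }
}
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} enabled accounts unused for {1}+ weeks; report at {2}" -f @($report).Count, $InactiveWeeks, $ReportPath)

if ($Disable) {
    foreach ($u in $stale) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (last logon $($u.LastLogonDate))")) {
            # Keep the previous description in the note so the sweep can be undone and audited.
            $note = "Disabled {0:yyyy-MM-dd} by inactivity sweep; was: {1}" -f (Get-Date), $u.Description
            Set-ADUser -Identity $u -Enabled $false -Description $note
        }
    }
}
```

Run it without -Disable first to get the CSV, and with -Disable -WhatIf to see what would change before anything is touched; disabling rather than deleting keeps the SID and group memberships intact in case a manager was simply slow to say the person is still around.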


Posted by Joe Richards [MVP] on July 20, 2006, 9:07 pm
> - Make sure that accounts are disabled the moment people leave the
> company.

Unless you are somehow plugged into the process of removals this is
going to be difficult. Quite honestly you should be getting a feed from
HR for all users who have been terminated so the proper IT work can be
accomplished. That should all be automated, the feed comes down, some
automated process disables the accounts. You should on top of that have
a way for managers to initiate an immediate lockdown because just
getting someone out of the building is generally not enough to protect
your assets any more.

While you can chase after the unused accounts, that is a silly way to
tackle this but I have a tool that will generate nice reports or
disable/delete/move computer and user accounts based on password ages or
lastlogon (assuming in DFL2 domain). It is called oldcmp and you can get
it here

http://www.joeware.net/win/free/tools/oldcmp.htm


> - Make sure ALL accounts are disabled. We don't have Identity Integration
> Server, but I want to be able to track who has an account where, such
> as AD/
> SQL/ backup applications/ LOB accounts. How is this solved? Creating a


If you aren't using SSO or a provisioning/deprovisioning system then you
must instigate a GOOD process to keep track of this stuff and a GOOD
process to clean it up properly.


> - The place to approve account creation/ alteration/ deletion. Do you
> work
> with a security officer responsible for these tasks? Right now someone in

Not once have I seen this stuff handled by a security officer. That
isn't what they are there for. Generally the folks in the department
controlling the resources are the best suited to make the decisions on
whether someone can have access to their resources. If you have it
configured such that person A in Dept A can give access to resources
under the purview of person B in Dept B that needs to be corrected.
People giving access to a resource should care enough about that
resource (i.e. own it) so that access isn't granted to people it
shouldn't be granted to.


> - Who should be the main force behind account alteration? Again,
> management
> is not really interested in employees moving to other departments.
> However,
> if we don't get that info, the user can access his/her old data, can
> start

If this isn't being pushed by the people who are aware of the changes,
there isn't a lot you can do about it. About the best you can do is get
management to establish a policy that groups that grant access need to
be reviewed by the group owner once per quarter or per year or some
other period and if they fail to remove someone that they should have
and there is a compromise, they are on the hook for the damage.


The whole last paragraph on who has access to what really isn't an IT
thing. It is about how the resource owner (whether that resource be info
in an email or a file or access to an app) feels about their resource
and who should have access. If they don't care that someone who isn't in
the dept anymore has access then you should point it out as an issue and
then drop it as it really isn't your business and IT workers in general
have a lot of work to do without going and looking for more.




--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Vincent wrote:
> At our company (approximately 2000 employees) we would like to streamline
> the user account management process. I read the account management guide at
> http://www.microsoft.com/technet/itsolutions/cits/dsd/acctmgmt/default.mspx,
> but are still left with some questions some people might want to answer to.
> Maybe you're struggling with the same things, in which case we can learn
> from eachother. I'm looking for a practical, procedural or technical
> solution for the following issues:
>
> - Make sure that accounts are disabled the moment people leave the company.
> At the moment managers are very sloppy with these kind of things. Accounts
> remain enabled for months after someone leaves (after all, from their point
> of view it's more important to get somebody going ASAP). I could go for the
> scripting solution (e.g., creating lists of users who haven't logged on for
> over 2 months and ask the heads of department who is still around), but then
> it's ME again doing all the sorting and searching.
>
> - Make sure ALL accounts are disabled. We don't have Identity Integration
> Server, but I want to be able to track who has an account where, such as AD/
> SQL/ backup applications/ LOB accounts. How is this solved? Creating a
> database and (manually) update it every time an approved account request
> comes in? We're not responsible for all LOB accounts, so that doesn't help
> either.
>
> - The place to approve account creation/ alteration/ deletion. Do you work
> with a security officer responsible for these tasks? Right now someone in
> each and every department is responsible for it. Unfortunately, some of them
> rubber-stamp almost anything, from account permissions to applications.
> Since we don't have a clear view on their business process, it's hard to
> deny requests, especially with their manager support, even though we
> sometimes raise our eyebrows (more than once really). The Microsoft document
> mentions CAB meetings for severe cases, how about other things?
>
> - Who should be the main force behind account alteration? Again, management
> is not really interested in employees moving to other departments. However,
> if we don't get that info, the user can access his/her old data, can start
> up old applications, remains in distribution lists etc. Some of them remind
> us of that, since they don't like the mails (they don't mind about the apps
> though). Some of them, however, love to keep their nose where it should no
> longer belong.
>
> Many thanks for ANY input you guys have.
>
>

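The two procedural points in the reply above, the HR feed that drives an automated disable and the periodic review of access-granting groups by their owners, as one added example that is not code from the thread or from joeware: the first part reads a terminations feed, matches each leaver by employeeID, records and then strips group memberships, disables the account and parks it in a holding OU; the second produces a per-group membership listing addressed to the group's managedBy owner. It assumes the ActiveDirectory PowerShell module (later than this thread), a CSV feed with EmployeeID and TerminationDate columns, and that user objects carry employeeID; every path and OU name is an assumption.

```powershell
# Added example, not from the thread. HR-feed-driven deprovisioning plus an
# owner-addressed group review. Assumes the ActiveDirectory module; feed layout,
# paths and OU names are assumptions.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$FeedPath   = '\\hr-server\feeds\terminations.csv',   # assumption: HR export
    [string]$DisabledOU = 'OU=Disabled,DC=example,DC=com',        # assumption: holding OU
    [string]$LogPath    = "$env:ProgramData\deprovision.log"
)

function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Act only once the termination date has arrived, so a feed that already lists
# future leavers does not lock people out early.
$today = (Get-Date).Date
$feed  = Import-Csv -Path $FeedPath | Where-Object { [datetime]$_.TerminationDate -le $today }

foreach ($row in $feed) {
    # Match on employeeID, not display name: names are not unique in a 2000-person company.
    $user = Get-ADUser -Filter "employeeID -eq '$($row.EmployeeID)'" -Properties MemberOf
    if (-not $user)            { Write-Log "NO MATCH employeeID=$($row.EmployeeID)"; continue }
    if (@($user).Count -gt 1)  { Write-Log "AMBIGUOUS employeeID=$($row.EmployeeID)"; continue }
    if (-not $user.Enabled)    { continue }   # already handled on an earlier run

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Deprovision')) {
        # Log the memberships before stripping them: that is the "who had access to what"
        # record, and it makes a mistaken termination reversible.
        $groups = @($user.MemberOf)
        Write-Log ("DISABLE {0} groups={1}" -f $user.SamAccountName, ($groups -join ';'))
        Disable-ADAccount -Identity $user
        foreach ($g in $groups) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }
        Set-ADUser -Identity $user -Description ("Left {0}; deprovisioned {1:yyyy-MM-dd}" -f $row.TerminationDate, $today)
        Move-ADObject -Identity $user -TargetPath $DisabledOU
    }
}

# Periodic review: one row per (group, member), tagged with the group's managedBy owner,
# so the resource owner rather than IT decides who no longer belongs. Groups with no
# owner surface as 'NO OWNER', which is itself a finding.
function Get-GroupReviewReport {
    param([string]$GroupSearchBase = 'OU=Resource Groups,DC=example,DC=com')   # assumption
    Get-ADGroup -Filter * -SearchBase $GroupSearchBase -Properties managedBy | ForEach-Object {
        $group = $_
        $owner = if ($group.managedBy) { (Get-ADObject -Identity $group.managedBy).Name } else { 'NO OWNER' }
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            [pscustomobject]@{ Group = $group.Name; Owner = $owner; Member = $m.SamAccountName }
        }
    }
}
# Get-GroupReviewReport | Export-Csv -Path "$env:TEMP\group-review.csv" -NoTypeInformation
```

Schedule the first part to run shortly after the HR export lands, and keep -WhatIf handy for the first few runs; the second part is meant to be sorted by Owner and sent out each quarter so that, as the reply puts it, the owner who fails to remove someone is the one on the hook.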