Educause Security Discussion mailing list archives

Re: Account purge and reissue...


From: "Sonder, Henk E." <hsonder () RIC EDU>
Date: Wed, 9 Oct 2019 21:55:05 +0000

Jonathan,

I am a bit late to this conversation, but thought it would not hurt.


  *   Every new person added to our ERP system is issued an account name 'for life', based on legal name and a unique 
Person ID from the ERP system. We apply the same single naming convention to every individual.
  *   We do not purge the records (including account names) from our ERP system
  *   Based on a daily feed from the ERP system the AD User Objects are created/updated, so when we do purge AD user 
objects, the next time the same person starts a new relationship with the college, we create an AD User object based on 
the account name from the ERP system.
  *   All employees have 2 email addresses, one based on the account name, we refer to that as the 'system-generated' 
email address, and one based on their 'Preferred Name', the 'friendly' email address. Therefore, the latter can change 
and is maintained in the AD. That means that if we purge the AD user object, that email address can be re-used. We park 
inactive accounts for a number of years before releasing the friendly email address.
  *   We never have any duplicates as there can only be a one-to-one relationship. It rarely happens that a person is 
entered twice into the ERP system, but that only means that the person will have 2 accounts for a brief amount of time 
until we consolidate the 2 records into a single.
  *   Even when a person has multiple roles, they only have 1 account and 1 mailbox (with 2 or more email addresses 
associated with it).
  *   This has shown to be a robust system that we have been using over 15 years, with a naming convention realignment 
half way into this period. The AD UPN is pushed out (sync'd) to many other systems and we have yet to encounter a 
ghost/phantom account floating around in any of the systems.

Thanks,

Henk E. Sonder
Director Information Security
Rhode Island College
600 Mount Pleasant Ave
Providence, RI 02908
Office: 401-456-9577
Email: hsonder () ric edu


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Wednesday, October 9, 2019 3:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Account purge and reissue...


Thank you to everyone that responded. It is extremely helpful!!!!

If anybody has additional information, please feel free to email off list, if that is appropriate!

Thank you again!

-Jonathan

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Wednesday, October 9, 2019 11:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Account purge and reissue...

Hi all,

  We have run into an issue where we are wanting to purge user accounts from our active directory, but the process we 
are currently using also purges them from our ERP (the username and associated email) from the record (to never be 
known again).

  I am curious:


  1.  How other institutions do this
  2.  if they have run into any issues with reissuing the account to a new user (and the privacy issues along with that)
  3.  do you blacklist your accounts to prevent reissue for a number of years?

Thoughts?

-Jonathan

~
Jonathan Kimmitt
CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743

Jonathan-kimmitt () utulsa edu


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
