Educause Security Discussion mailing list archives
Re: Account purge and reissue...
From: "Sonder, Henk E." <hsonder () RIC EDU>
Date: Wed, 9 Oct 2019 21:55:05 +0000
Jonathan,

I am a bit late to this conversation, but thought it would not hurt.

* Every new person added to our ERP system is issued an account name 'for life', based on legal name and a unique Person ID from the ERP system. We apply the same single naming convention to every individual.
* We do not purge the records (including account names) from our ERP system.
* Based on a daily feed from the ERP system the AD User Objects are created/updated, so when we do purge AD user objects, the next time the same person starts a new relationship with the college, we create an AD User object based on the account name from the ERP system.
* All employees have 2 email addresses, one based on the account name, we refer to that as the 'system-generated' email address, and one based on their 'Preferred Name', the 'friendly' email address. Therefore, the latter can change and is maintained in the AD. That means that if we purge the AD user object, that email address can be re-used. We park inactive accounts for a number of years before releasing the friendly email address.
* We never have any duplicates as there can only be a one-to-one relationship. It rarely happens that a person is entered twice into the ERP system, but that only means that the person will have 2 accounts for a brief amount of time until we consolidate the 2 records into a single.
* Even when a person has multiple roles, they only have 1 account and 1 mailbox (with 2 or more email addresses associated with it).
* This has shown to be a robust system that we have been using over 15 years, with a naming convention realignment half way into this period. The AD UPN is pushed out (sync'd) to many other systems and we have yet to encounter a ghost/phantom account floating around in any of the systems.

Thanks,

Henk E. Sonder
Director Information Security
Rhode Island College
600 Mount Pleasant Ave
Providence, RI 02908
Office: 401-456-9577
Email: hsonder () ric edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Wednesday, October 9, 2019 3:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Account purge and reissue...

Thank you to everyone that responded. It is extremely helpful!!!! If anybody has additional information, please feel free to email off list, if that is appropriate!

Thank you again!

-Jonathan

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Wednesday, October 9, 2019 11:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Account purge and reissue...

Hi all,

We have run into an issue where we are wanting to purge user accounts from our active directory, but the process we are currently using also purges them from our ERP (the username and associated email) from the record (to never be known again).

I am curious:

1. How other institutions do this
2. if they have run into any issues with reissuing the account to a new user (and the privacy issues along with that)
3. do you blacklist your accounts to prevent reissue for a number of years?

Thoughts?

-Jonathan

~
Jonathan Kimmitt CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743
Jonathan-kimmitt () utulsa edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
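A minimal model of the lifecycle described in the message above, added here as an illustration and not code from any poster or institution. The naming format, the three-year park period and the sample people are assumptions.

```python
from datetime import date, timedelta

# Assumption: the post says only "a number of years"; 3 is a placeholder.
PARK_PERIOD = timedelta(days=3 * 365)

class IdentityStore:
    def __init__(self):
        self.erp = {}  # person_id -> account name; never purged
        self.ad = {}   # account name -> {"alias", "inactive_since"}; purgeable

    def erp_enroll(self, person_id, legal_name):
        """Issue the account name 'for life'; re-enrolling returns the same name."""
        if person_id not in self.erp:
            first, last = legal_name.lower().split()
            # Hypothetical convention: the post does not give the real format.
            self.erp[person_id] = f"{first[0]}{last}_{person_id}"
        return self.erp[person_id]

    def provision(self, person_id, alias):
        """Daily-feed step: create or update the AD object from the ERP name."""
        account = self.erp[person_id]
        for name, obj in self.ad.items():
            if obj["alias"] == alias and name != account:
                raise ValueError(f"alias {alias!r} is held by {name}")
        self.ad[account] = {"alias": alias, "inactive_since": None}
        return account

    def deactivate(self, account, today):
        self.ad[account]["inactive_since"] = today

    def purge(self, account, today):
        """Delete the AD object, releasing its alias, once the park period is over."""
        since = self.ad[account]["inactive_since"]
        if since is None or today - since < PARK_PERIOD:
            raise ValueError(f"{account} is still active or parked")
        del self.ad[account]  # the ERP record and account name stay

def demo():
    # Constructed sample people: same legal name, different Person IDs.
    s = IdentityStore()
    first = s.erp_enroll(1001, "Ana Silva")
    s.provision(1001, "ana.silva")
    s.erp_enroll(2002, "Ana Silva")
    s.deactivate(first, date(2015, 6, 1))
    try:
        s.provision(2002, "ana.silva")   # friendly alias is still parked
        blocked = False
    except ValueError:
        blocked = True
    s.purge(first, date(2019, 6, 1))
    s.provision(2002, "ana.silva")       # alias was released by the purge
    return blocked, s.provision(1001, "a.silva") == first
```

The returning person gets the original account name back because it is derived from the ERP record, while the friendly alias can move to someone else only after the parked object has been purged.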