Educause Security Discussion mailing list archives
Re: [EXTERNAL] [SECURITY] Account purge and reissue...
From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Thu, 10 Oct 2019 03:08:55 +0000
Hi Ted,

I believe it was an attempt to ‘clean up’ AD, and to otherwise not sync so many accounts to the office365. We have somewhere around 50,000 accounts (a good portion of those are active) in our User’s OU, and only about 6000 employees & students…. We have not done a good job of our AD management…. We also give all admitted students user accounts and emails, so we have thousands of accounts each semester that do not come to the university, but the accounts stay active.

I became aware of the issue of Systems deleting a significant number of accounts when we went to disable a number of accounts from the most recent breach info, and found they were already disabled. After some investigation we found they were in the process of ‘deleting’ old accounts…. That’s when I started asking questions.

Out of curiosity, what do you use to manage the accounts? We are currently using a very large PowerShell script (10,000 lines at last count) to create/disable accounts between our ERP and AD. We have looked at several IDM tools (MIM, AdManage, etc.), but nothing materialized.

Thank you for the information!

-Jonathan

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Theodore J. August
Sent: Wednesday, October 9, 2019 9:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] Account purge and reissue...

Hi Jonathan,

We only disable the accounts in Active Directory, and move them to a disabled OU. All security groups on the accounts are removed as well on the disabled accounts. We only purge/delete accounts when they are created in error. When we disable the accounts, we provide a CSV to our ERP/SIS team, and they run a batch job to remove the e-mail address from the record. If the account becomes active again, the ERP will trigger a CSV report to re-enable the account(s).

Any particular reason why you are deleting Active Directory accounts? I remember many years ago, when Active Directory wasn’t as mature and hardware wasn’t as powerful, it was recommended to delete accounts to keep the AD database manageable. However, in recent years, while there are no best-practice recommendations provided by Microsoft, most domains can handle tens of thousands of accounts without issue. This was one of the reasons we decided to go the disable-only route at our institution, since it seems to cause fewer problems than deleting the accounts in our environment.

Best,
Ted August
Senior Network Administrator
Office of Information Technology
Salve Regina University

Sent from my iPad

On Oct 9, 2019, at 12:38 PM, Kimmitt, Jonathan <jonathan-kimmitt () utulsa edu> wrote:

Hi all,

We have run into an issue where we are wanting to purge user accounts from our Active Directory, but the process we are currently using also purges them from our ERP (the username and associated email) from the record (to never be known again).

I am curious:
1. How other institutions do this
2. If they have run into any issues with reissuing the account to a new user (and the privacy issues along with that)
3. Do you blacklist your accounts to prevent reissue for a number of years?

Thoughts?

-Jonathan

~
Jonathan Kimmitt CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743
Jonathan-kimmitt () utulsa edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
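Ted's message above describes a disable-rather-than-delete lifecycle: disable the account in AD, strip its security groups, move it to a disabled OU, and hand a CSV to the ERP/SIS team. The PowerShell below is an added example of that sequence written for this page; it is not a script from either institution or from the thread. The distinguished name of the disabled OU, the CSV path and the availability of the ActiveDirectory RSAT module are assumptions, and the cmdlets used are the standard ones from that module.

```powershell
<#
  Added example, not a script from the thread or from either institution.
  Implements the sequence Ted describes: disable, remove security groups,
  move to a "disabled" OU, and emit a CSV hand-off for the ERP/SIS team.
  Assumptions: the ActiveDirectory RSAT module is installed, and the
  -DisabledOU / -ReportPath defaults are placeholders to replace.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string[]] $SamAccountName,
    # Placeholder DN, assumed for this example
    [string] $DisabledOU = 'OU=Disabled Accounts,DC=example,DC=edu',
    # Placeholder hand-off file, assumed for this example
    [string] $ReportPath = '.\disabled-accounts.csv'
)

Import-Module ActiveDirectory

$report = foreach ($sam in $SamAccountName) {
    try {
        $user = Get-ADUser -Identity $sam -Properties MemberOf, Mail, EmployeeID -ErrorAction Stop
    } catch {
        Write-Warning "Skipping '$sam': $($_.Exception.Message)"
        continue
    }

    # MemberOf never lists the primary group (Domain Users), so that one stays;
    # every other group is recorded before removal so the change is auditable.
    $groups = @($user.MemberOf)

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable, remove groups, move to disabled OU')) {
        Disable-ADAccount -Identity $user

        foreach ($groupDn in $groups) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }

        # Short note on the object for whoever inspects it later; the full
        # group list goes to the CSV rather than the 1024-char Description.
        Set-ADUser -Identity $user -Description ('Disabled {0:yyyy-MM-dd} by account lifecycle job' -f (Get-Date))

        # Done last, because the object's DN changes once it moves.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
    }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        EmployeeID     = $user.EmployeeID
        Mail           = $user.Mail
        DisabledOn     = (Get-Date).ToString('yyyy-MM-dd')
        FormerGroups   = ($groups -join ';')
    }
}

# CSV hand-off, as in the thread: the ERP/SIS side removes the e-mail from the record.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it first with `-WhatIf` (for example `.\Disable-StaleAccount.ps1 -SamAccountName jdoe,asmith -WhatIf`) to see which objects would be touched without changing anything. Keeping the disabled object rather than deleting it also answers part of the original question about reissue: AD requires sAMAccountName to be unique in the domain, so a retained disabled object blocks the name (and its old mail value) from being silently handed to a new person until someone deliberately removes or renames it, and the Description stamp plus the CSV give the security team a record of when and why the account was shut off.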