Educause Security Discussion mailing list archives

Re: [EXTERNAL] [SECURITY] Account purge and reissue...


From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Thu, 10 Oct 2019 03:08:55 +0000

Hi Ted,

  I believe it was an attempt to ‘clean up’ AD, and to otherwise not sync so many accounts to Office 365.

  We have somewhere around 50,000 accounts (a good portion of those are active) in our Users OU, and only about 6000 
employees and students. We have not done a good job of our AD management. We also give all admitted students user 
accounts and emails, so we have thousands of accounts each semester that do not come to the university, but the 
accounts stay active.

I became aware of the issue of Systems deleting a significant number of accounts when we went to disable a number of 
accounts from the most recent breach info and found they were already disabled. After some investigation we found 
they were in the process of ‘deleting’ old accounts. That’s when I started asking questions.

Out of curiosity, what do you use to manage the accounts? We are currently using a very large PowerShell script 
(10,000 lines at last count) to create/disable accounts between our ERP and AD.

We have looked at several IDM tools (MIM, AdManage, etc.), but nothing materialized.

Thank you for the information!

-Jonathan


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Theodore J. August
Sent: Wednesday, October 9, 2019 9:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] Account purge and reissue...

Hi Jonathan,

We only disable the accounts in Active Directory, and move them to a disabled OU.  All security groups on the accounts 
are removed as well on the disabled accounts.  We only purge/delete accounts when they are created in error.  When we 
disable the accounts, we provide a CSV to our ERP/SIS team, and they run a batch job to remove the e-mail address from 
the record.  If the account becomes active again, the ERP will trigger a CSV report to re-enable the account(s).

Any particular reason why you are deleting Active Directory accounts? I remember many years ago, when Active Directory 
wasn’t as mature and hardware wasn’t as powerful, it was recommended to delete accounts to keep the AD database 
manageable. However, in recent years, while there are no best-practice recommendations provided by Microsoft, most 
domains can handle tens of thousands of accounts without issue. This was one of the reasons we decided to go the 
disable-only route at our institution, since it seems to cause fewer problems than deleting the accounts in our 
environment.

Best,

Ted August
Senior Network Administrator
Office of Information Technology
Salve Regina University

Sent from my iPad
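The disable-only workflow Ted describes (disable, strip security groups, move to a disabled OU, hand a CSV to the ERP/SIS team), written out as an added PowerShell example; this is not code from the thread or from either institution. It assumes the ActiveDirectory module, an input CSV with a SamAccountName column, and placeholder paths and OU distinguished name.

```powershell
# Added example, not from the thread. Assumptions: ActiveDirectory module installed,
# input CSV has a "SamAccountName" column, and the paths/OU DN below are placeholders.
Import-Module ActiveDirectory

$InputCsv      = 'C:\idm\to-disable.csv'                   # constructed: list produced from the ERP
$DisabledOU    = 'OU=Disabled Accounts,DC=example,DC=edu'  # placeholder DN of the disabled OU
$ReportCsv     = 'C:\idm\disabled-for-erp.csv'             # handed to the ERP/SIS team
$MembershipLog = 'C:\idm\group-membership-backup.csv'      # kept so a re-enable can restore access

$report = foreach ($row in Import-Csv -Path $InputCsv) {
    $user = Get-ADUser -Identity $row.SamAccountName `
                       -Properties MemberOf, EmailAddress -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "Not found in AD: $($row.SamAccountName)"
        continue
    }

    # Record the current group membership before removing it. Stripping groups is what
    # makes a disabled account inert; the backup is what makes a later re-enable reviewable.
    foreach ($groupDn in $user.MemberOf) {
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Group          = $groupDn
            RecordedOn     = (Get-Date).ToString('s')
        } | Export-Csv -Path $MembershipLog -Append -NoTypeInformation
    }

    # MemberOf excludes the primary group (normally Domain Users), which AD will not
    # let you remove anyway, so every entry here is safe to drop.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    Disable-ADAccount -Identity $user
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU

    # One row per account for the ERP batch job that clears the e-mail address.
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        EmailAddress   = $user.EmailAddress
        DisabledOn     = (Get-Date).ToString('s')
    }
}

$report | Export-Csv -Path $ReportCsv -NoTypeInformation
```

Remove-ADGroupMember, Disable-ADAccount and Move-ADObject all accept -WhatIf, so run the loop against a test OU with that switch before pointing it at production.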


On Oct 9, 2019, at 12:38 PM, Kimmitt, Jonathan <jonathan-kimmitt () utulsa edu> wrote:

Hi all,

  We have run into an issue where we want to purge user accounts from our Active Directory, but the process we 
are currently using also purges them from our ERP (the username and associated email are removed from the record, to never be 
known again).

  I am curious:

1. How other institutions do this

2. Whether they have run into any issues with reissuing the account to a new user (and the privacy issues along with 
that)

3. Do you blacklist your accounts to prevent reissue for a number of years?

Thoughts?

-Jonathan

~
Jonathan Kimmitt
CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743

Jonathan-kimmitt () utulsa edu


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community