Re: Multiple of Single User Accounts

[Eric Case <ecase () EMAIL ARIZONA EDU>]

In my case, a nameing convention was selected.  Accounts in AD but outside
of LDAP start with duble underscore (__) and then an a for admin, e for
enterprise, s for service, etc. For example, if the account is __ajsmith It
very clear that the account is a privileged "admin" account for the normal
user jsmith.  

The AD groups that __sjsmith belongs to may be updated automaticly or
manualy by the campus units that jsmith works for.
-Eric


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barrera, Connie
> Sent: Wednesday, October 21, 2009 2:07 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Multiple of Single User Accounts
>
> Greetings to all:
>
> For the different folks who have responded to this thread.  How are you
> keeping the "roles" identified in AD updated and hence the associated
> access/permissions current?  At least at our school there is a lot of
> fluctuation between roles and departmental/position assignment.  There
> are often times individuals with dual assignments and it's difficult to
> keep access updated due to numerous processes- how do you reconcile
> this?
>
> While we currently have many automated processes in place to deal with
> terminations and transfers, we continue to search for improvements.  Is
> anyone leveraging a commercial IDM solution?
>
> Any insight into your respective solutions is greatly appreciated.
>
> Best regards,
>
>
> Connie Barrera, MCSE, CISSP
>   University of Miami
>   Security Manager, Information Technology
>   5915 Ponce de Leon, #41
>   Coral Gables, FL 33146-2500
>   O&F:  305-284-2773
>   connie () miami edu
>
>
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Roger Safian
> Sent: Wednesday, October 21, 2009 4:52 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Multiple of Single User Accounts
>
> Typically we have a one user, on account policy.  There are some very
> limited exceptions to that rule, but, none of them are for students
> who are also employees.
>
> At 03:17 PM 10/21/2009, Daniel Bennett put fingers to keyboard and
> wrote:
> > What do you do when you have students who are also employees or vice
> versa?  Do you create two unique network and e-mail accounts for them
> or do they use a single account?
> > Daniel Bennett
> > IT Security Analyst
> > Pennsylvania College of Technology
> > One College Ave
> > Williamsport PA, 17701
> > 570.329.4989
>
>
> --
> Roger A. Safian
> r-safian () northwestern edu (email) public key available on many key
> servers.
> (847) 467-6437   (voice)
> (847) 467-6500   (Fax) "You're never too old to have a great
> childhood!"