Educause Security Discussion mailing list archives

Re: [EXTERNAL] [SECURITY] Account purge and reissue...


From: "Theodore J. August" <Theodore.August () SALVE EDU>
Date: Thu, 10 Oct 2019 02:50:57 +0000

Hi Jonathan,

We only disable the accounts in Active Directory, and move them to a disabled OU.  All security groups on the accounts 
are removed as well on the disabled accounts.  We only purge/delete accounts when they are created in error.  When we 
disable the accounts, we provide a CSV to our ERP/SIS team, and they run a batch job to remove the e-mail address from 
the record.  If the account becomes active again, the ERP will trigger a CSV report to re-enable the account(s).

Any particular reason why you are deleting Active Directory accounts?  I remember many years ago when Active Directory 
wasn’t as mature and hardware wasn’t as powerful, it was recommended to delete accounts to keep the AD database 
manageable.  However, in recent years, while there are no best-practice recommendations provided by Microsoft, most 
domains can handle tens of thousands of accounts without issue.  This was one of the reasons we decided to go the 
disable-only route at our institution, since it seems to cause fewer problems than deleting the accounts in our 
environment.

Best,

Ted August
Senior Network Administrator
Office of Information Technology
Salve Regina University

On Oct 9, 2019, at 12:38 PM, Kimmitt, Jonathan <jonathan-kimmitt () utulsa edu> wrote:


Hi all,

  We have run into an issue where we are wanting to purge user accounts from our Active Directory, but the process we 
are currently using also purges them from our ERP (the username and associated email) from the record (to never be 
known again).

  I am curious:


1. How other institutions do this
2. If they have run into any issues with reissuing the account to a new user (and the privacy issues along with that)
3. Do you blacklist your accounts to prevent reissue for a number of years?

Thoughts?

-Jonathan

~
Jonathan Kimmitt
CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743

Jonathan-kimmitt () utulsa edu


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
