There is turnover in every company. Employees come and employees go. Along with the person leaving the company, the user account in Active Directory associated with that person must also be taken care of. The task and process of taking care of these user accounts in Active Directory is called de-provisioning. De-provisioning can range from manual management, which can be very time consuming depending on how many employees are leaving the company, to highly managed with elaborate scripts and management procedures. I find that most organizations that don’t have the manpower, knowledge about scripting, money to spend on expensive tools, or time to create the automated procedures are forced to manually de-provision users when the employee leaves. This manual or partially scripted process can leave user accounts in an insecure state, which leaves the organization exposed to an attack.
Security Exposure of Incorrectly De-provisioned User Accounts
First, let’s discuss how not correctly managing a user account could leave the Active Directory, and therefore the network and resources, exposed to an attack.
- User account is not disabled – When a user account is not disabled, anyone with the password can log on to that account. It is typical, however very insecure, for the “manager” or “cross-trained” employee to log on to the separated user account to check email and gain access to data that the ex-employee had access to.
- User account is not moved to a secured organizational unit (OU) – Separated user accounts should be moved to OUs where Group Policy Objects (GPOs) are linked to lock down the user account, just in case someone logs in as the account. GPOs can strip away access, features, menu options, and more. This would leave the logged-in user with just basic tasks that could be performed on the computer where they logged in.
- User account is not removed from groups – Access to data and other network resources is typically granted by group membership. When a user is not removed from the groups, the access is still available if someone could log on as that account. Removing the user from the groups immediately revokes the account’s access to the data where the group has been granted access.
De-provisioning of User Accounts
There are many methods that can be used to de-provision users. The most basic is the manual procedure. This method is often the most insecure, as time is of the essence and if the entire procedure is not performed on all separated users, the security exposures listed above could be left untouched. If a manual procedure is used it takes a dedicated administrator to ensure that the separated users are manually disabled, moved to a protected OU, and then all group membership is stripped away. If only one of the above security related procedures is done, it should be the disabling of the user account.
There are other potential methods to de-provision users, which can prove to be suitable. There is scripting, whether this be VBScript, a batch file, PowerShell, or other scripting languages and techniques. Scripts must be regression tested and then have some means of knowing which user accounts to de-provision when the time comes. In most cases the script will be manually started, with the users being fed to the script to ensure the correct users are selected. There are some systems which can work with both Active Directory and the Human Resources (HR) system to know which users are separated and that then feed the separated users to Active Directory for them to be secured properly.
Ideal User Account De-provisioning
The above manual and scripted options are viable solutions for user de-provisioning, but they do lack the efficiency that I am trying to achieve and impart on you. There are really two different situations in which user de-provisioning comes into play. One is when we know the employees are going to need to be managed, let’s say 50 employee contracts end in 90 days. The second is when employees are separated from the company without any notice, yet we still need to manage their user accounts to protect them from an attack or inappropriate access to data.
With the first, ideally we want to have some policy in place which is going to automatically run in 90 days. We would want this policy to be easily set up and have knowledge around it so that it is not only tied to the 50 employees, but any employee which meets the criteria set in the policy. The policy could leverage specific attributes (or multiple attributes) of the user accounts. For example, I might want to leverage expiration of the user account, user accounts that have not logged in over a period of time, or even just a static listing of user accounts that I know need to be managed at a set time period. Most organizations could have these policies run nightly, so that the user accounts would be disabled and managed by the time the employees get to work.
The second option is just as simple as the first, with the correct tool in place. Once there is a list of employees which are separated from the company, the list can then be associated with the policy so that these user accounts are disabled, moved to the secured OU, and all group membership is stripped away.
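The disable, strip-groups, move sequence described above, driven either by an HR-supplied list of accounts or by an inactivity criterion as in the nightly policy, as an added PowerShell example using the Microsoft ActiveDirectory module (this is not the article’s or ADManager Plus’s code); the OU path, report path and parameter names are assumptions.

```powershell
# Added example: de-provision separated users with the ActiveDirectory module.
# Order matters: disable first (the one step that must not be skipped), then strip
# group membership, then move to the OU whose linked GPOs lock the account down.
# Every change is written to a CSV so it can be verified and, if wrong, reversed.
#Requires -Modules ActiveDirectory
param(
    [string[]]$SamAccountName,                                       # list fed by HR
    [int]$InactiveDays = 0,                                          # optional stale-account criterion
    [string]$DisabledOU = 'OU=Disabled Users,DC=corp,DC=example',    # assumed locked-down OU
    [string]$ReportPath = "$env:TEMP\deprovision-$(Get-Date -Format yyyyMMdd-HHmm).csv",
    [switch]$WhatIf                                                  # dry run for regression testing
)

Import-Module ActiveDirectory

# Build the target set: the explicit list plus, optionally, enabled accounts
# that have not logged on for $InactiveDays days.
$targets = @()
if ($SamAccountName) {
    $targets += $SamAccountName | ForEach-Object { Get-ADUser -Identity $_ }
}
if ($InactiveDays -gt 0) {
    $targets += Search-ADAccount -UsersOnly -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
        Where-Object Enabled | ForEach-Object { Get-ADUser -Identity $_.SamAccountName }
}
$targets = $targets | Sort-Object DistinguishedName -Unique

$report = foreach ($user in $targets) {
    # 1. Disable: if nothing else completes, this still blocks logons with the old password.
    Disable-ADAccount -Identity $user -WhatIf:$WhatIf

    # 2. Strip group membership. Domain Users is the primary group and is not
    #    removable this way, so it is skipped.
    $groups = Get-ADPrincipalGroupMembership -Identity $user | Where-Object { $_.Name -ne 'Domain Users' }
    foreach ($g in $groups) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false -WhatIf:$WhatIf
    }

    # 3. Move into the secured OU so its GPOs apply to any remaining session.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU -WhatIf:$WhatIf

    # Record the prior state (original OU, removed groups) for verification and rollback.
    [pscustomobject]@{
        When           = Get-Date -Format o
        SamAccountName = $user.SamAccountName
        OriginalDN     = $user.DistinguishedName
        RemovedGroups  = ($groups.DistinguishedName -join ';')
        MovedTo        = $DisabledOU
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it first with -WhatIf against a test OU to regression test the selection logic; the CSV gives the original distinguished name and group list needed to restore an account that was de-provisioned by mistake.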
A tool like ADManager Plus from ManageEngine is ideal for these tasks, as the tool is designed to do just this (along with other management tasks). Other benefits from a tool like ADManager Plus which you should look for include:
- Immediate reporting on which users were modified and what attributes were modified, in case you made a mistake.
- Interoperability with a monitoring tool, to have documentation of which users were modified and which attributes were modified. ADManager Plus interoperates with ADAudit Plus, which provides detailed reporting on any change that occurs to any object in Active Directory.
- Interoperability with a recovery tool, so that if user properties are changed incorrectly, a simple click can put the attribute back to the original setting without disrupting user access. RecoveryManager Plus works with ADManager Plus to ensure that any user deletion or modification can be rolled back to a previous state quickly and efficiently.
It is essential that user accounts for separated employees are de-provisioned. Without some means to ensure that separated employees’ user accounts are disabled, secured, and no longer have access to data, these accounts are left exposed to attack and potentially inappropriate data access. Yes, Microsoft provides some level of automation with the use of PowerShell, but there are other issues such as verification, reporting, monitoring, and recovery which PowerShell does not provide. Actually, verification, reporting, and recovery of incorrect changes are either absent or nearly impossible using Microsoft technologies. Getting a tool, or suite of tools, which can make user de-provisioning efficient and complete is