AD Account Management

Posted on 2009-04-21
Last Modified: 2013-11-05

I am after some ideas on how you manage user accounts in your Active Directory environment.

Our organisation, like many others, has IT Support outsourced to an external vendor who is responsible for physically creating new users, modifying permissions, and terminating employees network access who have left the authority.

My question is, what controls do you have in place for new employees requiring a login? Who initiates the call with your IT vendor to get this new starter set up on your networks: management, or users themselves? How do you overcome potential fraud and social engineering type attacks? How is the AD alias and password communicated to the new starter?

Also, the same for employees who have left your organisation?

Any do's and don'ts would be much appreciated, or account management procedures that you use and can recommend to mitigate risks to your AD environment would be most welcome.

Question by: pma111
    LVL 19

    Accepted Solution

    Well, you should never let users themselves place a request for a new user account, unless they are some kind of power user. I would suggest it would be management that requests this, but this may not be that plausible depending on management's availability and the time scale you have to get these accounts created.

    Here we have a procedure where only authorised personnel (basically department heads) can submit a New User Form, containing all the relevant info for the new user to be created. In some departments the department heads have delegates who can also raise the forms, but we must have written notification of this, and we keep a record of all the authorised form submitters.

    Usernames and passwords are communicated via phone, and of course it is default behaviour for us to set the user account to change password at first logon, so we set a generic password of our choice, and then when the user first logs in, they are forced to set their own password.

    The clean-up of accounts etc. is carried out in a similar way: we are notified of anyone leaving and we disable their accounts immediately (when they've left anyway). The accounts are then left disabled for about a month, at which point they are deleted during monthly 'housekeeping' operations.

    I think it's very dependent on many various factors as I mentioned at the start. You don't want huge delays in account creations because the only people authorised to request them were not available at the same time or something.

    We also define the time we have to set up a new user, so the requestors know to submit these forms at least 2 days before the new user's start date. But then, our new user creation procedures are quite complex, as there's a lot more than just the user account itself...

    That is how it's done here at least, not sure if there's anything useful to you in there somewhere... O.o

    LVL 18

    Assisted Solution

    The request should definitely come from Human Resources. The request from HR should include other departments such as Building Services (access card, phone etc.), Payroll, and Help Desk (PC, mail, login etc.). The HR request should also indicate the new hire's immediate manager. This manager will do the approval as far as what Active Directory groups (application, drive mappings, etc.) the new hire should be a member of. Hopefully each AD group you create in the domain has info indicating the owner of the group. The owner of the group is usually the requestor of the group or the manager of the group (i.e. a group usually used to grant access to a network share etc.). The other question is the "Domain Users" group. This group is by default set as the primary group in AD. For consultants or non-employees, this should also be indicated in advance by HR so that when the help desk creates the account, it knows it is for a consultant or non-employee. This is important in the case where your company has a network share opened to all Domain Users but you don't want consultants or non-employees to have access; then you need to set the user's default to maybe the department share and remove the Domain Users group. Unless you already have a company group created in AD and Domain Users is used for everyone including consultants etc.

    For users leaving the company, same process, but most important is when to disable the user account. This is usually the termination date. Then, a process will be based on the reverse of the above. In addition, you need to find out what to do with the user's home folder. Some companies treat it as a personal home folder and just freeze it for a year and trash it. Some companies treat it as company data and thus verify with the user's immediate manager as to what to do with it. One thing to be careful of here is some managers will say, put it in my home and never look at it. Some managers will say grant me access to the user share. The latter one will create follow-up and may not comply with your home folder rule, which is that only the domain admin or help desk plus the user himself should have access. Finally, follow up with cleaning out the user account. This one also could create other concerns where some employee got terminated but is rehired as an employee for a different department or as a consultant. My recommendation is not to reuse the disabled account. If you do reuse it, your help desk process should include removing all the departmental groups etc. Unless the user is rehired for the same position, which is not likely but possible.
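    An added example, not code from either answer above, that scripts the lifecycle both describe using the ActiveDirectory PowerShell module: a one-time password with a forced change at first logon for starters, disabling plus stripping of group memberships for leavers, and a monthly housekeeping run that removes accounts disabled for longer than 30 days. The OU name, the description stamp format and the ticket reference are assumptions for the example.

```powershell
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web     # for the one-time password generator

# Assumed OU that holds disabled leavers; adjust to your domain
$DisabledOu = 'OU=Disabled Users,DC=example,DC=com'

function New-StarterAccount {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$GivenName,
          [Parameter(Mandatory)][string]$Surname,
          [Parameter(Mandatory)][string]$Ticket)
    # Random one-time password to read out by phone; the forced change at first
    # logon means nobody in IT ever knows the password the starter actually uses
    $otp = [System.Web.Security.Membership]::GeneratePassword(14, 3)
    New-ADUser -SamAccountName $SamAccountName -Name "$GivenName $Surname" `
        -GivenName $GivenName -Surname $Surname -Enabled $true `
        -AccountPassword (ConvertTo-SecureString $otp -AsPlainText -Force) `
        -ChangePasswordAtLogon $true `
        -Description "Created $(Get-Date -Format yyyy-MM-dd) ref $Ticket"
    return $otp
}

function Disable-LeaverAccount {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$Ticket)
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    Disable-ADAccount -Identity $user
    # Stamp the disable date so the monthly housekeeping run can find it later
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd) ref $Ticket"
    # Strip every group except the primary group (Domain Users is not in MemberOf),
    # so a rehire of the same account cannot inherit the old departmental access
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
}

function Remove-StaleDisabledAccounts {
    param([int]$RetentionDays = 30, [switch]$WhatIf)
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -SearchBase $DisabledOu -Filter 'Enabled -eq $false' -Properties Description |
        Where-Object {
            # Only touch accounts our own process stamped, and only past the retention period
            $_.Description -match '^Disabled (\d{4}-\d{2}-\d{2})' -and
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $cutoff
        } |
        Remove-ADUser -Confirm:$false -WhatIf:$WhatIf
}
```

    Run `Remove-StaleDisabledAccounts -WhatIf` first to preview what the housekeeping pass would delete; the returned one-time password from `New-StarterAccount` is what gets read out over the phone and is never stored.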
    LVL 3

    Author Comment

    Hi PeteJThoma

    Thanks for your response. Is communicating over the phone open to social engineering, i.e. pretending to be an HR officer? Or does your IT support ask security questions?

    Thanks both posters, some great pointers
    LVL 19

    Expert Comment

    Not in our case, but that's because we (I work in the IT department) know most employees in the company quite well by voice (lots of us have worked here for quite a few years!).

    I would imagine it's not too hard to implement something like you're suggesting though, i.e. when the necessary forms are submitted / procedures completed to request a new user, add an area for some secure piece of information (I would suggest DOB or something, as you don't want to make it TOO complicated) and have the end user confirm who they are with that. I doubt any IT outsourcing company would be able to object to security measures like this. It wouldn't look good on them, that's for sure.

    Password details should not be passed in the reverse situation, i.e. it should not be necessary for anyone to ask for someone's password once the user themselves has it. Of course there are exceptions (especially with HR investigations etc.) but these are rare.

    If you're referring to someone posing as HR to request the account in the first place, we actually have a database they use to submit the form which has an Access Control List, so unauthorised users literally can't open the DB to raise the form, and that's how we control that aspect of it.

    It all works very well for us, but of course everyone's needs are different, and the 'model' should be customised to best suit your situation. Sometimes enhanced security makes sense, other times it creates more hassle than it's worth.

    You can implement security measures that make it virtually impossible for fraudulent requests, but if that means it takes 3 weeks for the process to be completed, it's not usually any good, so you need to balance security and efficiency really...

    I hope that answered your last post? If not, elaborate, and I'll try to explain a little better/differently. :)
