Link to home
Create AccountLog in
Avatar of Josue Baires
Josue Baires

asked on

How to best manage interns and volunteers in Active Directory?

How do you manage interns and volunteers that are around for a short period of time?
Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

Put them into their own OU
could use temporary SAMaccount names
Definitely create an OU for them. That way it's easier to find them, apply group policies, restrict permissions, etc..
Be sure to limit their accounts based on the principle of least privilege.
Set the account expiration if known, along with the other things already mentioned.
ASKER CERTIFIED SOLUTION
Avatar of Aard Vark
Aard Vark
Flag of Australia image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of Pau Lo
Pau Lo

I would agree with the above especially that if they are on a fixed term placement (same would go for agency staff who you may utilise for staff shortages – very common during the covid pandemic) then pre-populating an account expiration date would make sense.
There are a number of these challenging user groups, another I have come across is 3rd party software support accounts, who for arguments sake look after a line of business product installed on your servers, so require some degree of access for support tickets, upgrades and such like. For example they may have 5 support engineers who work on your contract, and whilst your HR department can tell IT when an employee leaves to disable or pre-populate an account end date, if one of those 5 support engineers leaves the software company, the onus is on the software company to inform you, and they may be ‘blind’ to what accounts are setup in your directory and their status for their staff. Often support duties are 24/7 365 days a year so you cannot re-enable them for a small timeframe each time access is required.
Ultimately HR in many organisations do not know about every user account in your domain.