If you just check for dormant user accounts, can users whose roles have changed or who have been terminated still have access?

A frequent source of risk in AD is user accounts that have not been disabled even though the person is no longer associated with the organization (for example, an employee who has been terminated). It is crucial for HR or managers to inform IT when employees are terminated or when other relationships (such as a contractor engagement) end. IT staff responsible for account management also need to know when users change jobs or other roles so that the users’ group memberships and other entitlements can be revised. Looking for dormant accounts does not address this problem.


As simple as this might sound, organizations commonly fail to implement a working process to disable user accounts or to change entitlements when a user’s status changes. During IT audit interviews, when asked what the procedure is for disabling departed users, Randy Franklin Smith has observed staff answering that they regularly check for dormant user accounts and disable accounts that have not logged on recently. This is not an effective control for the risk at issue. After all, if someone is still accessing the network after being terminated, their account will never show up as dormant and hence will never be disabled.


The following are three ways that some organizations use to fulfill this vital requirement, beginning with the most preferable:


• Most organizations have a clearly defined and strictly executed process for removing a user’s physical access to the building; make account disabling part of this process.

• If your HR application includes workflow, configure it to automatically send an email to account administrators when a user is terminated or when a user’s job title or manager changes.

• Most HR applications allow you to schedule automatic report delivery; schedule a daily report of terminations and job changes to be delivered to account admins.
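To make the gap concrete, here is an added example (not code from the original article or from Randy Franklin Smith) that reconciles a daily HR feed against an AD export, as the third option above describes, and contrasts the result with a plain dormancy check. The CSV columns, the HR status values, the 90-day dormancy threshold and all account records are constructed assumptions for the demonstration; `lastLogonTimestamp` is the real AD attribute name, but the export format itself is assumed. Run it as-is and it flags a terminated contractor who is still logging on (which the dormancy check never sees) and reports job-title and manager changes that should trigger an entitlement review.

```python
import csv
import io
from datetime import datetime, timedelta

# --- Constructed sample data (not real directory or HR records) ---
AD_EXPORT = """samAccountName,enabled,lastLogonTimestamp
jdoe,True,2024-03-01T08:12:00
asmith,True,2023-09-14T17:40:00
bchen,True,2024-03-02T09:05:00
ctaylor,False,2023-11-20T12:00:00
"""

# Today's HR feed: bchen's contract ended in February, but the account above is still enabled.
HR_FEED_TODAY = """employeeId,samAccountName,status,terminationDate,jobTitle,manager
1001,jdoe,active,,Senior Analyst,mgr4
1002,asmith,active,,Engineer,mgr2
1003,bchen,terminated,2024-02-15,Contractor,mgr1
1004,ctaylor,terminated,2023-11-15,Admin,mgr3
"""

# Yesterday's HR feed, kept so job changes can be detected by comparison.
HR_FEED_YESTERDAY = """employeeId,samAccountName,status,terminationDate,jobTitle,manager
1001,jdoe,active,,Analyst,mgr1
1002,asmith,active,,Engineer,mgr2
1003,bchen,terminated,2024-02-15,Contractor,mgr1
1004,ctaylor,terminated,2023-11-15,Admin,mgr3
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def dormant_accounts(ad_rows, as_of, threshold_days=90):
    """The control the article criticizes: enabled accounts with no logon in the last N days."""
    cutoff = as_of - timedelta(days=threshold_days)
    return sorted(
        r["samAccountName"]
        for r in ad_rows
        if r["enabled"] == "True"
        and datetime.fromisoformat(r["lastLogonTimestamp"]) < cutoff
    )


def terminated_but_enabled(ad_rows, hr_rows):
    """HR reconciliation: any account HR marks terminated must be disabled, whatever its logon history."""
    enabled = {r["samAccountName"] for r in ad_rows if r["enabled"] == "True"}
    return sorted(
        r["samAccountName"]
        for r in hr_rows
        if r["status"] == "terminated" and r["samAccountName"] in enabled
    )


def missed_by_dormancy_check(ad_rows, hr_rows, as_of, threshold_days=90):
    """Terminated accounts that are still in use and therefore invisible to a dormancy sweep."""
    flagged = set(terminated_but_enabled(ad_rows, hr_rows))
    dormant = set(dormant_accounts(ad_rows, as_of, threshold_days))
    return sorted(flagged - dormant)


def job_changes(prev_rows, curr_rows, fields=("jobTitle", "manager")):
    """Compare two HR feeds and report (account, field, old, new) for changed titles or managers."""
    prev = {r["samAccountName"]: r for r in prev_rows}
    changes = []
    for r in curr_rows:
        old = prev.get(r["samAccountName"])
        if old is None:
            continue
        for f in fields:
            if old[f] != r[f]:
                changes.append((r["samAccountName"], f, old[f], r[f]))
    return changes


AD_ROWS = parse_csv(AD_EXPORT)
HR_ROWS = parse_csv(HR_FEED_TODAY)
HR_ROWS_PREV = parse_csv(HR_FEED_YESTERDAY)
AS_OF = datetime(2024, 3, 3)  # constructed "today" for the run


def daily_report():
    """Build the notice an account administrator should receive each day."""
    return {
        "dormant_only": dormant_accounts(AD_ROWS, AS_OF),
        "disable_now": terminated_but_enabled(AD_ROWS, HR_ROWS),
        "missed_by_dormancy": missed_by_dormancy_check(AD_ROWS, HR_ROWS, AS_OF),
        "review_entitlements": job_changes(HR_ROWS_PREV, HR_ROWS),
    }


if __name__ == "__main__":
    for key, value in daily_report().items():
        print(f"{key}: {value}")
```

In this data the dormancy sweep flags only `asmith`, an active employee who simply has not logged on recently, while `bchen` (terminated, still logging on) is caught only by the HR reconciliation; `ctaylor` is terminated but already disabled, so nothing fires. The `review_entitlements` list is the input for revising group memberships after a job change.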


The bottom line is that to comply with any regulatory framework, an organization must disable accounts and adjust entitlements whenever a user’s status changes. Whichever process is selected, management should understand its importance, and responsibility for carrying it out should be clearly assigned.


Read all of Randy's 10 Steps for Cleaning Up AD Accounts