User accounts are important to security because they are the basis for authentication and initial access to the network, systems, and applications. They are difficult to maintain because each account must mirror the status and role of the person it represents, throughout that person's time with the organization and throughout the lifecycle of the account itself.
Randy Franklin Smith provides 10 steps that you can take to remediate user account problems in Active Directory and prevent them from occurring in the future.
We already looked at step 1 in an earlier post that focused on performing regular account analysis.
Now we are going to take a look at step 2:
Step 2: Link accounts to employee records
The most fundamental way to keep AD accounts clean and secure is to link every account to an actual human. This includes non-human accounts such as those created for services and applications, which still need a responsible owner. Let's start with accounts created for individual persons: end users, contractors, administrators, and others. Any account assigned to an employee should be tagged so that it positively links to the employee's master record in your HR system. This link is crucial because an employee's access to your network and entitlements within it must be tied to their status and role within the organization. The official record of that status and role is the master record in HR, which is also the record most likely to be up to date. When an employee's status or role changes, you must be able to find the employee's accounts and change their status or entitlements accordingly. Documenting the employee ID on AD accounts is the key.
There are many ways to link AD accounts to employee records:
- Using the Employee ID or Employee Number attribute in AD
- Via the Attribute Editor tab
- Entering the employee ID in the Description or Notes field
- Embedding the employee number in the logon name
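Once the employee ID is recorded, it can be reconciled against the HR master record. As an added example (not from the original post or its author), the PowerShell below flags accounts with no employee ID, accounts whose ID is unknown to HR, and enabled accounts whose HR record is no longer active. The HR export and the account objects are constructed sample data; in a live domain the account list would come from Get-ADUser.

```powershell
# Added example: reconcile AD accounts with an HR master export via employeeID.
# All data below is constructed. In production, replace $adAccounts with:
#   Get-ADUser -Filter * -Properties employeeID,Enabled |
#       Select-Object SamAccountName, employeeID, Enabled

# Constructed HR export, shaped like a CSV an HR system might produce.
$hrRecords = @"
EmployeeID,Name,Status
10001,Alice Example,Active
10002,Bob Example,Terminated
10003,Carol Example,Active
"@ | ConvertFrom-Csv

# Constructed stand-in for Get-ADUser output.
$adAccounts = @(
    [pscustomobject]@{ SamAccountName = 'alice';      employeeID = '10001'; Enabled = $true  }
    [pscustomobject]@{ SamAccountName = 'bob';        employeeID = '10002'; Enabled = $true  }  # HR: terminated
    [pscustomobject]@{ SamAccountName = 'svc-backup'; employeeID = $null;   Enabled = $true  }  # no owner recorded
    [pscustomobject]@{ SamAccountName = 'dave';       employeeID = '10009'; Enabled = $true  }  # unknown to HR
    [pscustomobject]@{ SamAccountName = 'carol';      employeeID = '10003'; Enabled = $false }  # consistent
)

function Compare-AdToHr {
    param(
        [Parameter(Mandatory)] $AdAccounts,
        [Parameter(Mandatory)] $HrRecords
    )
    # Index HR rows by employee ID for direct lookups.
    $hrById = @{}
    foreach ($r in $HrRecords) { $hrById[$r.EmployeeID] = $r }

    foreach ($a in $AdAccounts) {
        $finding = $null
        if ([string]::IsNullOrWhiteSpace($a.employeeID)) {
            $finding = 'NoEmployeeID'          # cannot be tied to a person or owner
        } elseif (-not $hrById.ContainsKey($a.employeeID)) {
            $finding = 'UnknownToHR'           # ID is not in the HR master record
        } elseif ($hrById[$a.employeeID].Status -ne 'Active' -and $a.Enabled) {
            $finding = 'EnabledButTerminated'  # leaver still has a working account
        }
        if ($finding) {
            [pscustomobject]@{
                SamAccountName = $a.SamAccountName
                EmployeeID     = $a.employeeID
                Finding        = $finding
            }
        }
    }
}

Compare-AdToHr -AdAccounts $adAccounts -HrRecords $hrRecords | Format-Table -AutoSize
```

Run on the sample data, the report lists svc-backup (NoEmployeeID), dave (UnknownToHR) and bob (EnabledButTerminated); alice and carol produce no finding.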