What is User Account Management?
A set of user account management procedures should address requesting, establishing, issuing, suspending, modifying and closing user accounts and their related privileges. Include an approval procedure in which the data or system owner grants the access privileges. These procedures should apply to all users, including administrators (privileged users) and internal and external users, for both normal and emergency cases, and should cover enabling and disabling accounts as requirements change. Rights and obligations relating to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
User account management can be summed up as CRUD (Create, Read, Update, Delete).
Ultimately Active Directory is just a data store.
Modifying user account properties
Some of the properties that may need to be changed include:
■ Names—changed because of marriage or any other reason for a name change.
■ Address—changed office, department or building, or transfer to a new branch.
■ Phone numbers—changed location, country or office desk number.
■ Group membership—for example, a user who moved from Finance to HR needs the Finance access removed and the HR access provided.
■ Active Directory needs to be updated to enable the organization to get the maximum benefit from it. It’s your job to keep it up to date.
■ The AD attributes you’ll need to modify fall into two broad groups—single-value and multi-value.
[Screenshot: attribute listing for a user account showing single-value and multi-value attributes. In a multi-value attribute the values are separated by semicolons.]
Please note: attributes can also be viewed using ADSI Edit (Active Directory Service Interfaces Editor).
Enabling or disabling user accounts
- An enabled AD account is a potential security vulnerability for your organization. If the user’s logon details are compromised, an attacker could access company data.
- Accounts that aren’t being used but that are still required should be disabled so that they can’t be used to log on. Disabling is preferred for short-term prevention of access.
- Please note: if you create new user accounts in advance of their being required, leave them disabled until the users actually need them.
- Enabling or disabling user accounts can also be performed using PowerShell.
- https://technet.microsoft.com/en-us/library/ee617200.aspx –> PowerShell to enable an AD account.
- https://technet.microsoft.com/en-us/library/ee617197.aspx –> PowerShell to disable an AD account.
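The regular account review and the "disable rather than leave enabled" guidance above, as an added PowerShell example (not code from the original page). It assumes the RSAT ActiveDirectory module, an authorised domain admin session, and placeholder parameters (SearchBase OU, inactivity threshold); it only disables accounts when run with -Disable, and honours -WhatIf.

```powershell
# Added example: review enabled accounts that have not been used for InactiveDays
# and optionally disable them. Assumes the ActiveDirectory (RSAT) module is installed.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',   # placeholder OU, change for your domain
    [int]$InactiveDays  = 90,                             # assumed review threshold
    [switch]$Disable                                      # without this switch the script only reports
)

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Enabled user accounts only. LastLogonDate comes from the replicated lastLogonTimestamp,
# so it is accurate to within roughly 14 days: good enough for a review, not for forensics.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties LastLogonDate, whenCreated, MemberOf

$stale = foreach ($u in $users) {
    # An account with no LastLogonDate was created in advance and never used (the case the
    # text warns about); judge it by its creation date instead.
    $lastActivity = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    if ($lastActivity -lt $cutoff) {
        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            NeverLoggedOn    = -not $u.LastLogonDate
            LastActivity     = $lastActivity
            # MemberOf is a multi-value attribute of group DNs; flag the built-in admin groups.
            PrivilegedGroups = ($u.MemberOf | Where-Object { $_ -match '^CN=(Domain|Enterprise|Schema) Admins,' }) -join ';'
        }
    }
}

# Report first; stale accounts that still hold privileged group membership are the highest-risk findings.
$stale | Sort-Object PrivilegedGroups -Descending | Format-Table -AutoSize

if ($Disable) {
    foreach ($s in $stale) {
        # ShouldProcess makes -WhatIf and -Confirm apply to every account change below.
        if ($PSCmdlet.ShouldProcess($s.SamAccountName, "Disable stale account")) {
            Disable-ADAccount -Identity $s.SamAccountName
            # Record the reason in the (single-value) description so the next review can see it.
            Set-ADUser -Identity $s.SamAccountName `
                -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveDays days"
        }
    }
}
```

Run it once without -Disable to review the report, then with -Disable -WhatIf to see exactly which accounts would be changed before applying it.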
Deleting AD User Accounts
- In Windows Server 2008 and earlier, a deleted object is tombstoned. https://support.microsoft.com/en-us/kb/924890 –> more details on tombstoning.
- In Windows Server 2008 R2 or Windows Server 2012 without the AD Recycle Bin enabled, the object is tombstoned.
- In Windows Server 2008 R2 or Windows Server 2012 with the AD Recycle Bin Enabled, the object goes into the AD Recycle Bin.
- Please note: once the AD Recycle Bin feature is enabled it cannot be disabled. It is irreversible.
- A tombstoned object has most of its properties removed. It can be made live again, but the properties have to be recreated.
- An object in the Recycle bin is complete and can be restored with all properties intact.
- The tombstone lifetime is 60 days or 180 days depending on the OS version the AD forest was created on. It can be increased if required. Once the tombstone lifetime has expired, the AD object is automatically removed by the system.