HR Pulse






Automating User Account Management is Not without Its Benefits

Robert Doswell

One of the issues that frequently arises, especially in larger organizations, is the need to provide contractors, consultants and temporary employees with access to network resources, systems, cloud data and even email systems. The concept of automating the account lifecycle by integrating with a Human Resources system breaks down because these types of employees are rarely entered there.

The problem can be solved automatically by implementing a web-based workflow. It sounds more difficult than it is. Essentially, the process works like this: the hiring manager accesses an internal web page and completes the relevant information: name of employee, department, type of employee, expected length of service, etc. With that, the manager's part of the process is done.

Once the form is submitted, it is routed to IT or the helpdesk for review and the information in it is processed automatically. An email is then automatically returned to the hiring manager containing the username, email address and initial password for the contractor, consultant or temp employee.

The key to keeping Active Directory clean is the expected length of service for the employee. As that service date approaches, a notification can be delivered to the manager asking if the date for the person’s employment status should be extended. If yes, the manager clicks on a link in the email and can enter a new end date. If no, the process automatically disables the user on the last day of service. A manager can also be given an option to disable or terminate immediately if the person has already left the organization.

Additionally, after sitting in a disabled status for a period of 60 to 90 days, the record can automatically be purged from AD, which is a really nifty feature for helping keep AD clean. So, implementing a process like this not only saves time but also reduces potential licensing costs and increases security, all while making life easier for the IT department.

Track all inactive Active Directory user accounts and inactive computer accounts

In addition to keeping Active Directory clean through the approach described above, there are solutions that let administrators keep it free of inactive user and computer accounts. Once implemented, these “tracing” systems track inactive user and computer accounts inside the Active Directory environment based on the last logon date. After scanning all domain controllers in the network, the software lets administrators disable or enable selected inactive accounts or migrate them to another organizational unit. Plus, with a single click of a mouse, users can select computers and components in Active Directory and run a scan manually, if they choose to do so.
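The lifecycle rules and the last-logon scan described above can be expressed as one decision function. This is an added sketch, not code from the article or from any vendor product; the 14-day notice window and 90-day inactivity threshold are assumptions, and the account records are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

NOTICE_DAYS = 14       # assumption: how early the manager is asked about an extension
PURGE_AFTER_DAYS = 90  # the article suggests 60 to 90 days in disabled status
INACTIVE_DAYS = 90     # assumption: no logon on any DC for this long counts as inactive

@dataclass
class Account:
    name: str
    created: date
    end_date: Optional[date] = None      # expected last day of service (None = no end date)
    disabled_on: Optional[date] = None   # set once the account has been disabled
    last_logon_by_dc: dict = field(default_factory=dict)  # DC name -> date or None

def effective_last_logon(acct):
    """Latest logon seen on ANY DC: AD's lastLogon attribute is per-DC and not replicated."""
    seen = [d for d in acct.last_logon_by_dc.values() if d is not None]
    return max(seen) if seen else None

def plan_action(acct, today):
    """Return the next lifecycle step, assuming the job runs at the end of each day."""
    if acct.disabled_on is not None:
        return "PURGE" if (today - acct.disabled_on).days >= PURGE_AFTER_DAYS else "KEEP_DISABLED"
    if acct.end_date is not None:
        if today >= acct.end_date:
            return "DISABLE"
        if (acct.end_date - today).days <= NOTICE_DAYS:
            return "NOTIFY_MANAGER"
    reference = effective_last_logon(acct) or acct.created  # never-used accounts age from creation
    if (today - reference).days >= INACTIVE_DAYS:
        return "FLAG_INACTIVE"
    return "NONE"

# Constructed sample data (not real accounts).
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("c.temp", date(2024, 3, 1), end_date=date(2024, 6, 10), last_logon_by_dc={"DC1": date(2024, 5, 30)}),
    Account("c.leaver", date(2024, 1, 10), end_date=date(2024, 5, 31), last_logon_by_dc={"DC1": date(2024, 5, 31)}),
    Account("c.old", date(2023, 9, 1), end_date=date(2024, 2, 15), disabled_on=date(2024, 2, 15)),
    Account("j.roaming", date(2022, 5, 1), last_logon_by_dc={"DC1": date(2023, 11, 2), "DC2": date(2024, 5, 28)}),
    Account("svc.unused", date(2023, 1, 1), last_logon_by_dc={"DC1": None, "DC2": None}),
]

def plan_all(accounts, today):
    return {a.name: plan_action(a, today) for a in accounts}

if __name__ == "__main__":
    for name, action in plan_all(ACCOUNTS, TODAY).items():
        print(f"{name:12} {action}")
```

The `j.roaming` record shows why every domain controller has to be scanned: judged on DC1 alone it would look inactive for months, while DC2 recorded a logon four days earlier.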

Trace inactive user and inactive computer accounts

When a new employee enters service, the organization’s IT or HR leaders need to create a user account that grants the new worker access to the company network. In some cases (many cases, actually), requests are submitted too late or contain incomplete information, requiring user account changes, oftentimes after the employee’s initial service date. Communication and modification must then occur until the correct user account information is available and the employee is able to perform his or her duties. When an employee leaves the company, the IT department is often not notified in a timely fashion, if at all, and access to systems stays “open.”

Because the IT department, and in some cases, HR, is not notified, the user account remains active, with all the possible consequences associated with allowing full access to organization systems. For example, the former employee will potentially continue to have remote access to the organization’s critical network assets.

By employing automated solutions to clean and track user accounts, IT departments can easily trace inactive accounts and disable them with a simple mouse click to prevent unauthorized network access. Additionally, maintaining and “managing” inactive accounts can have an overwhelming impact on an organization’s data storage costs. The more data stored, the more the organization must spend on information that could long since have been purged from its systems. Thus, every inactive account that is not purged means higher costs to the organization, because its data must still be stored.

Automating the account management and purging process and keeping the roles and access rights of an organization “clean” means there’s less of a chance of a breach because of unchecked access rights. At the very least, reducing the information stored (in this case, user accounts) means the company will save money in the long term.

Robert Doswell is managing director of Tools4ever UK, a global supplier of identity and access management solutions.