Conversation

Notices

  1. Marcus Adams (gerowen@mastodon.social)'s status on Friday, 13-Sep-2024 08:08:07 JST
    • Kevin Beaumont

    @GossiTheDog I wonder if AD supports importing data from an exported list. It's been years, but the last time I ran a Windows domain the AD mmc would let you export all sorts of data to a plain text file. I actually used this in conjunction with a python script I wrote once to ping every computer object in our OU on a schedule so I could look for patterns over time and remove stale objects from the previous admins.

    Anyway, I wonder if you could export and import user account stuff this way.

    In conversation about 8 months ago from mastodon.social permalink
    • Derek Robson (robsonde@mastodon.social)'s status on Friday, 13-Sep-2024 09:06:42 JST
      • Kevin Beaumont

      @GossiTheDog some years ago in an org of 10k users, I pulled a list of accounts that had not logged in for a year.
      I sent the list to HR and said I don’t think these people work here any more.

      They came back in 5 minutes and confirmed they all work here. Because they have an AD account and email address in the GAL.

      In conversation about 8 months ago permalink
    • RossDCurrie (rossdcurrie@cyberplace.social)'s status on Friday, 13-Sep-2024 19:11:43 JST
      • Kevin Beaumont

      @GossiTheDog Are you going to laugh at me if I ask what IAM system you were running?

      Like, afaik MIM Sync is free with a Windows license now.

      And... that's what it does. Hook up HR on one side, hook up AD on the other, throw some rules in and push "go".

      You find out pretty quickly when people have the wrong name or no contract in HR because it gets synced everywhere.

      if HR.ActiveEmployee == False
      AD.Disable()

      Any basic Identity & Access system will do

      In conversation about 8 months ago permalink
    • RossDCurrie (rossdcurrie@cyberplace.social)'s status on Friday, 13-Sep-2024 19:20:44 JST
      • Kevin Beaumont

      @GossiTheDog "Why is the domain admin account disabled?"
      "Is it in HR?"

      I mean, business rules and politics and stuff, and 90% of identity projects fail.

      But seriously, MIM or not, no account security automation? How many users are we talking?

      I finally signed up to Mastodon because a friend linked me your post because he was like "this sounds like your MIM projects" and I was a bit boggled that people are talking about importing to AD using python from an HR dump.

      I have questions.

      In conversation about 8 months ago permalink
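
The rule sketched in the two posts above (disable the AD account when HR says the employee is inactive, plus the "Is it in HR?" problem for the domain admin account), as an added example that is not part of the thread or any participant's code. The CSV column names, the sample rows and the `reconcile` function are assumptions constructed for illustration; the function only produces a plan and does not touch a directory.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions, not a real HR or AD schema.
HR_CSV = """employee_id,active
1001,true
1002,false
1003,true
"""
AD_CSV = """sam_account_name,employee_id,enabled,last_logon
alice,1001,true,2024-09-01
bob,1002,true,2024-08-20
carol,1003,true,2023-01-15
svc-backup,,true,2024-09-12
administrator,,true,2024-09-10
dave,1004,true,2024-09-05
"""

def reconcile(hr_csv, ad_csv, today, stale_days=365):
    """Return (disable, review) lists; the caller decides how to act on AD."""
    hr = {r["employee_id"]: r["active"].lower() == "true"
          for r in csv.DictReader(io.StringIO(hr_csv))}
    disable, review = [], []
    for acct in csv.DictReader(io.StringIO(ad_csv)):
        if acct["enabled"].lower() != "true":
            continue  # already disabled, nothing to do
        name, emp_id = acct["sam_account_name"], acct["employee_id"]
        if not emp_id:
            # Service and admin accounts have no HR record: a naive
            # "not in HR -> disable" rule would lock out the domain admin.
            review.append((name, "no employee id; needs a named owner"))
        elif emp_id not in hr:
            review.append((name, "employee id not found in HR export"))
        elif not hr[emp_id]:
            disable.append(name)  # HR says inactive: the rule from the post
        else:
            idle = (today - date.fromisoformat(acct["last_logon"])).days
            if idle > stale_days:
                # HR still lists them as active, so ask rather than disable.
                review.append((name, f"active in HR but idle {idle} days"))
    return disable, review

if __name__ == "__main__":
    to_disable, to_review = reconcile(HR_CSV, AD_CSV, date(2024, 9, 13))
    print("disable:", to_disable)
    for name, reason in to_review:
        print("review:", name, "-", reason)
```

Only accounts with a matching, inactive HR record land in the disable list; everything ambiguous goes to review with a reason attached.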
    • RossDCurrie (rossdcurrie@cyberplace.social)'s status on Friday, 13-Sep-2024 19:33:35 JST
      • Kevin Beaumont

      @GossiTheDog I've heard people tell stories of this, but I thought they were making it up!

      I mean, I guess I've done greenfield sites before, but even then they've usually got 'something' in place.

      No, I don't believe it. You're making this up. It would invalidate their cyber insurance if they didn't have a process to automatically disable accounts for terminated employees!

      In conversation about 8 months ago permalink

    • RossDCurrie (rossdcurrie@cyberplace.social)'s status on Saturday, 14-Sep-2024 11:18:40 JST
      • Kevin Beaumont

      @GossiTheDog That's gonna fail some audits.

      What size org are we talking btw? Like, <1000 employees, I get it. Over that, and your IT guys are just creating/terminating accounts full-time.

      In conversation about 8 months ago permalink

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.