Marcus
@GossiTheDog I wonder if AD supports importing data from an exported list. It's been years, but the last time I ran a Windows domain the AD mmc would let you export all sorts of data to a plain text tile. I actually used this in conjunction with a python script I wrote once to ping every computer object in our OU on a schedule so I could look for patterns over time and remove stale objects from the previous admins.
Anyway, I wonder if you could export and import user account stuff this way.
Derek Robson
@GossiTheDog some years ago in an org of 10k users, I pull a list of accounts that has not logged in for a year.
I sent the list to HR and said I don’t think these people work here any more.
They came back in 5 minutes and confirmed they all work here. Because they have an AD account and email address in the GAL.
RossDCurrie
@GossiTheDog Are you going to laugh at me if I ask what IAM system you were running?
Like, afaik MIM Sync is free with a Windows license now.
And... that's what it does. Hook up HR on one side, hook up AD on the other, throw some rules in and push "go".
You find out pretty quickly when people have the wrong name or no contract in HR because it gets sycned everywhere.
if HR.ActiveEmployee == False
AD.Disable()
Any basic Identity & Access system will do
RossDCurrie
@GossiTheDog "Why is the domain admin acccount disabled?
"Is it in HR?"
I mean, business rules and politics and stuff, and 90% of identity projects fail.
But seriously, MIM or not, no account security automation? How many users are we talking?
I finally signed up to mastadon because friend linked me your post because he was like "this sounds like your mim projects' and I was a bit boggled that people are talking about importing to AD using python from an HR dump.
I have questions.
RossDCurrie
@GossiTheDog I've heard people tell stories of this, but I thought they were making it up!
I mean, I guess I've done greenfield sites before, but even then they've usually got 'something' in place.
No, I don't believe it. You're making this up. It would invalidate their cyber insurance if they didn't have a process to automatically disable accounts for terrminated employees!
RossDCurrie
@GossiTheDog That's gonna fail some audits.
What size org are we talking btw? Like, <1000 employees, I get it. Over that, and your IT guys are just creating/terminating accounts fulltime
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.