Derelict Administrator Accounts: A Millennium Falcon Problem

Many sysadmins have the same attitude towards the networks they manage that Han Solo has towards the Millennium Falcon. The cardinal rule is “if it is currently working, don’t mess with it.” That’s why Han Solo got angry with Chewbacca for performing preventative maintenance in the Rebel Hangar on Hoth. The ship was working and then Chewie started messing with it. Han knew that pulling on any one thread could unravel the whole kit and caboodle.

There are a whole lot of loose threads hanging about a network that it is tempting to tug on. One such thread that many administrators are reluctant to pull on is “removing the user accounts of sysadmins who no longer work at the organization.”

When I’ve asked audiences at TechED whether they’ve seen active accounts for Systems Administrators that have moved on, I’d say that roughly 80% of hands go up. The main reason that people are reluctant to do anything about these accounts is a fear that if they disable the account, something – a script, a service, or something else in the entrails of the network infrastructure – will break. Better to let sleeping dogs lie, to not pull on a thread that may unravel more trouble than it is worth. While we know ourselves not to configure services and scripts to run using our own credentials, we don’t trust the people that we work with to be so sensible.

It is the Millennium Falcon problem. Start working on the landing gear and suddenly the Hyperdrive doesn’t work. We’ve all had a bad experience when maintaining a network where we have started doing some routine maintenance on one thing, only to have something else that seems unrelated fail spectacularly. And let’s face it: most sysadmins have enough fires to put out without worrying about pulling on threads that might start more.

So what can you do about the derelict accounts of former sysadmins?

Audit them. If a domain admin account is being used to support a script or service, it has to be logging on. You can run a query from Active Directory Users and Computers to figure out which accounts haven’t logged on recently. If you have someone who left more than a year ago, but their account isn’t on the list of accounts that haven’t logged on for more than 30 days, you’ve certainly got an issue that you should investigate. If the account is on the list of accounts that haven’t logged on for more than 30 days, then you can be a little more confident that disabling the account, with a view to eventual deletion, is unlikely to break the hyperdrive.
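
The same audit can be scripted in PowerShell. The following is an added example, not part of the original article: it sorts the accounts of departed admins into "still logging on, investigate" and "inactive, candidate to disable" using the 30-day threshold above. The function name, the departed-admin list, the account names and the sample data are all constructed for illustration, and the live query in the comments assumes the ActiveDirectory module and the `Domain Admins` group.

```powershell
# Added example: triage departed admins' accounts by last logon (30-day threshold from the text).
function Get-DerelictAdminStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,        # needs SamAccountName, Enabled, LastLogonDate
        [Parameter(Mandatory)] [string[]] $DepartedAdmins,  # assumption: list supplied by HR/offboarding
        [int] $InactiveDays = 30,
        [datetime] $Now = (Get-Date)
    )
    $cutoff   = $Now.AddDays(-$InactiveDays)
    $departed = $Accounts | Where-Object { $DepartedAdmins -contains $_.SamAccountName }
    foreach ($a in $departed) {
        # A departed admin whose account logged on after the cutoff is the case to investigate:
        # something (a script, a service, or a person) is still using those credentials.
        $status = if (-not $a.Enabled)                  { 'Already disabled' }
                  elseif ($null -eq $a.LastLogonDate)   { 'Never logged on: candidate to disable' }
                  elseif ($a.LastLogonDate -ge $cutoff) { 'STILL LOGGING ON: investigate first' }
                  else                                  { 'Inactive: candidate to disable' }
        [pscustomobject]@{
            Account   = $a.SamAccountName
            LastLogon = $a.LastLogonDate
            Status    = $status
        }
    }
}

# Against a live domain (requires the ActiveDirectory module), build -Accounts with:
#   Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#       Where-Object objectClass -eq 'user' |
#       Get-ADUser -Properties LastLogonDate
# LastLogonDate is derived from lastLogonTimestamp, which can lag the real
# last logon by up to about 14 days, so treat it as approximate.

# Constructed sample data so the function can be tried without a domain.
$now = [datetime]::new(2024, 6, 1)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'hsolo-adm';  Enabled = $true;  LastLogonDate = $now.AddDays(-2)   }
    [pscustomobject]@{ SamAccountName = 'lando-adm';  Enabled = $true;  LastLogonDate = $now.AddDays(-400) }
    [pscustomobject]@{ SamAccountName = 'leia-adm';   Enabled = $false; LastLogonDate = $now.AddDays(-90)  }
    [pscustomobject]@{ SamAccountName = 'chewie-adm'; Enabled = $true;  LastLogonDate = $now.AddDays(-1)   }
)

# chewie-adm is a current admin, so it is not in the departed list and is not reported.
Get-DerelictAdminStatus -Accounts $sample -DepartedAdmins 'hsolo-adm', 'lando-adm', 'leia-adm' -Now $now |
    Format-Table -AutoSize
```

For any account flagged as still logging on, the security event logs on the domain controllers show which hosts the logons come from, which is the starting point for finding the script or service that depends on it.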
