j-j.co.za
Sharing thoughts and ideas on business, security and photography

When is an expired account disabled? Well, certainly not when it expires.
Posted on February 17, 2013

Around a year ago we implemented our policy whereby all contractor accounts must have an expiry date. We had a large number of contractors in the organisation, and while our “leavers” process was working reasonably well for permanent employees, it wasn’t so great for contractors. In the third quarter of last year the first of these accounts started expiring. This caused some unexpected problems.
Firstly, Windows / Active Directory did not warn the users or any administrators about the pending expiry of the accounts. Unlike password expiry, account expiry just happens. We implemented a script to send an email warning to all users whose accounts are going to expire, so that if their contract has been extended they can get the expiry shifted out ahead of the expiry date, and to prevent a deluge of calls to the service desk all on the same day. Robert Martin has a nice writeup on this on his blog, with sample script code to do this on a regular basis and send summary mails of all accounts about to expire.
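As an added illustration of the warning script described above (this is not the post's own script, nor Robert Martin's), the following PowerShell does the two things the paragraph asks for: it mails each user whose account expires within the next fortnight, and sends one summary mail to the administrators. It assumes the RSAT ActiveDirectory module is installed, that an SMTP relay and the mailbox addresses used here exist (all hypothetical names), and that the users' mail attribute is populated.

```powershell
# Added example, not code from the post. Assumes the RSAT ActiveDirectory module,
# an SMTP relay called smtp.example.local and the addresses below (all hypothetical).
Import-Module ActiveDirectory

$WarnDays   = 14
$SmtpServer = 'smtp.example.local'          # assumption
$From       = 'servicedesk@example.local'   # assumption
$AdminTo    = 'iam-team@example.local'      # assumption

# Search-ADAccount -AccountExpiring returns accounts whose accountExpires falls
# inside the window from now; accounts that have already expired are not included,
# so this script is purely a warning and changes nothing in the directory.
$expiring = Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days $WarnDays) -UsersOnly |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties AccountExpirationDate, EmailAddress, Manager } |
    Where-Object { $_.Enabled }

$summary = foreach ($u in $expiring) {
    $daysLeft = [math]::Ceiling(($u.AccountExpirationDate - (Get-Date)).TotalDays)

    # Warn the user directly so an extended contract can be sorted out before the date.
    if ($u.EmailAddress) {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.EmailAddress `
            -Subject "Your account expires in $daysLeft day(s)" `
            -Body ("Account {0} expires on {1}. If your contract has been extended, " +
                   "ask your manager to request an extension before that date." -f
                   $u.SamAccountName, $u.AccountExpirationDate)
    }

    # One row per account for the administrators' summary.
    [pscustomobject]@{
        User     = $u.SamAccountName
        Expires  = $u.AccountExpirationDate
        DaysLeft = $daysLeft
        Manager  = $u.Manager
    }
}

# Daily summary so the service desk sees the batch coming instead of the calls.
if ($summary) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $AdminTo `
        -Subject "Accounts expiring within $WarnDays days: $(@($summary).Count)" `
        -Body ($summary | Sort-Object Expires | Format-Table -AutoSize | Out-String)
}
```

Run it from a scheduled task once a day under an account that can read user objects; because it only reads the directory, it needs no write permissions, and the summary mail gives the IAM team the list of managers to chase for extensions.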
Secondly, expired accounts still have some “rights”. What? Some users were still able to perform functions after their accounts expired. If they logged into their laptop while connected to the network it would give an account expired error and prevent login, but disconnecting the workstation from the network allowed a local login. Once logged in, connecting to the network would allow email to be sent and received through Exchange for a period (anything up to 48 hours or beyond). Further, they could still replicate mail to their iPads via ActiveSync, and continue to use their Blackberries as per normal. This was something of a surprise and needs further investigation.
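Whatever the eventual explanation for the behaviour above, the practical mitigation is not to rely on expiry alone: an expired account is still an enabled account, so a second scheduled script can find accounts that are past their expiry date and explicitly disable them, and cut the mobile sync path at the same time. The following is an added example (not from the post) that does this. It assumes the RSAT ActiveDirectory module; the ActiveSync step assumes Set-CASMailbox is available in the session (Exchange Management Shell or a remote Exchange session) and is skipped if it is not. The log path and other names are hypothetical.

```powershell
# Added example, not code from the post. Assumes the RSAT ActiveDirectory module.
# The Exchange step assumes Set-CASMailbox is loaded and is skipped otherwise.
Import-Module ActiveDirectory

$LogPath = 'C:\IAM\expired-disabled.csv'   # assumption

# Search-ADAccount -AccountExpired returns accounts whose accountExpires is in the
# past. Expiry blocks new network logons but does not set the "disabled" flag on
# the account, so we set it explicitly and record what we did in the description.
$expired = Search-ADAccount -AccountExpired -UsersOnly |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties AccountExpirationDate, Description } |
    Where-Object { $_.Enabled }

$actions = foreach ($u in $expired) {
    Disable-ADAccount -Identity $u

    # Leave an audit trail on the object itself, keeping any existing description.
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    Set-ADUser -Identity $u -Description "Disabled $stamp (expired $($u.AccountExpirationDate)). $($u.Description)".Trim()

    # Mobile sync is a separate path to the mailbox, so switch it off as well.
    if (Get-Command Set-CASMailbox -ErrorAction SilentlyContinue) {
        Set-CASMailbox -Identity $u.SamAccountName -ActiveSyncEnabled $false -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        When    = Get-Date
        User    = $u.SamAccountName
        Expired = $u.AccountExpirationDate
    }
}

# Append to a CSV so the IAM team can see what was disabled and when.
if ($actions) {
    $actions | Export-Csv -Path $LogPath -Append -NoTypeInformation
}
$actions
```

Run it shortly after the warning script each day, under an account permitted to disable users. Disabling (rather than only expiring) is also what the mail and mobile-device side checks for, so the window in which an expired user can still send and receive mail shrinks to the time between expiry and the next run of this script rather than the 48 hours or more observed above.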