IT5.2.1  Account Management

Introduction

The College of Education and Human Ecology (EHE) maintains user accounts in Active Directory (AD).  User identities are synchronized with OCIO’s IDM identity vault. Student and employee accounts are automatically provisioned and disabled according to IDM rules and affiliations on their OSU account.  If a user is no longer affiliated with EHE, but should retain an account according to the identity vault, IDM will automatically remove all group memberships granting access to EHE resources at the date of affiliation change.

User accounts that are exempt from IDM rules will be reviewed annually.

It is the responsibility of the owner or sponsor of third-party applications that do not use EHE AD or the OSU identity vault as an identity source to conduct annual account reviews.

Process

Annually, system administrators will provide the account coordinator with a list of users that do not have an IDM managed attribute. Such accounts may include but are not limited to:

  • Sponsored Guests
  • Administrative Accounts
  • Non-EHE affiliated users
  • Service/System Accounts

Scripts to generate reports can be found in the EHEOITSysAdmin script code.osu.edu repository.

The account coordinator will review the list of user accounts to verify that the accounts have a valid purpose and should be allowed to access EHE resources.

The account coordinator will provide system administrators with a list of any non-valid accounts.

System administrators will disable all the specified user accounts according to standard procedures.

Additionally, the following accounts should be disabled:

  • Accounts that are expired and have not been renewed.
  • Stale accounts that have not been logged into for over a year.
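The review logic described in this process can be sketched as follows. This is an added example, not one of the scripts from the EHE repository. The function name, the attribute name idmManaged (a placeholder, since this document does not name the real attribute), the 365-day reading of "over a year", and the handling of accounts that have never logged on are all assumptions.

```powershell
# Added example: build the annual review list from AD user objects.
# 'idmManaged' is a hypothetical placeholder for the IDM managed attribute.
function Get-AccountReviewReport {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [string]   $ManagedAttribute = 'idmManaged',
        [datetime] $AsOf = (Get-Date),
        [int]      $StaleDays = 365          # "over a year" (assumption)
    )
    foreach ($a in $Account) {
        if (-not $a.Enabled) { continue }               # already disabled
        if ([bool]$a.$ManagedAttribute) { continue }    # IDM rules handle these

        $reasons = @()
        $expires = $a.AccountExpirationDate             # $null = never expires
        $logon   = $a.LastLogonDate                     # $null = never logged on
        if ($expires -and $expires -lt $AsOf) { $reasons += 'Expired' }
        if ($logon -and $logon -lt $AsOf.AddDays(-$StaleDays)) { $reasons += 'Stale' }

        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            # Expired or stale accounts go straight to the disable list;
            # everything else is left for the account coordinator to judge.
            Action = if ($reasons) { 'Disable' } else { 'CoordinatorReview' }
            Reason = if ($reasons) { $reasons -join ',' }
                     elseif (-not $logon) { 'NeverLoggedOn' }
                     else { 'NoIdmAttribute' }
        }
    }
}

# Constructed sample accounts. Against a live directory the input would be:
#   Get-ADUser -Filter * -Properties AccountExpirationDate, LastLogonDate, idmManaged
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'employee1'; Enabled = $true; idmManaged = 'TRUE'
        AccountExpirationDate = $null; LastLogonDate = [datetime]'2024-05-20' }
    [pscustomobject]@{ SamAccountName = 'guest1'; Enabled = $true; idmManaged = $null
        AccountExpirationDate = [datetime]'2024-01-15'; LastLogonDate = [datetime]'2024-01-10' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true; idmManaged = $null
        AccountExpirationDate = $null; LastLogonDate = [datetime]'2022-11-02' }
    [pscustomobject]@{ SamAccountName = 'admin-a'; Enabled = $true; idmManaged = $null
        AccountExpirationDate = $null; LastLogonDate = [datetime]'2024-05-30' }
    [pscustomobject]@{ SamAccountName = 'vendor1'; Enabled = $true; idmManaged = $null
        AccountExpirationDate = [datetime]'2025-01-01'; LastLogonDate = $null }
)
Get-AccountReviewReport -Account $sample -AsOf $asOf | Format-Table -AutoSize
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the true last logon by up to about two weeks, so it is suitable for a one-year staleness threshold but not for short windows.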

Security Incidents

If suspicious activity on a user account is detected through event management or automated reports, or is reported by a user, EHE OIT may take immediate action to disable the account.