Finding and Deactivating Orphan Accounts - Hitachi ID Identity Manager
Hitachi ID Identity Manager can be used to find orphan and dormant accounts:
- The last login time and date can be extracted from each managed
system, for each user. Users who have not logged in recently
can be flagged as dormant accounts.
- Login ID reconciliation data can connect dormant accounts on
one system, to unmarked accounts on another system, which may
not track last login date.
- Login ID reconciliation data can be used to identify accounts that have no apparent owner -- i.e., they exist in the login ID inventory on a system, but no current user has attached the account to his or her own profile.
The lists of dormant and orphan accounts generated in this way are tentative and should not in general be automatically disabled. For example, apparently-dormant accounts may simply be infrequently used, while apparently-orphan accounts may simply not yet have been attached to their owner's profile.
Orphan and dormant account lists can and should be manually reviewed, to remove obvious errors. The resulting, sanitized lists should be resubmitted to Identity Manager first to batch-disable, and later to batch-delete.
The time interval between disabling and deleting orphan accounts gives the owners of those accounts time to notice the problem and complain, thereby causing their accounts to be reactivated.