What happens if they were a Department OU Owner?

At this time, no action is automatically taken to remove them as owners. Another Department OU Owner should remove them using the Department User Tools (📑 Documentation).

Audit reports are emailed to Department OU owners monthly. One of the items that appear in this audit is ineligible owners that should be removed.

Department (DEPT-) Active Directory Accounts

Are their department user accounts disabled or deleted when they leave the University?

Current:
No action is automatically taken on department user accounts when the assignee leaves the University. Department OU Owners are responsible for disabling or deleting department user accounts when they are no longer needed.

Planned:
Yes, department user accounts (department accounts with the Administrative or Power User account type) are automatically disabled when the EID that claimed the account no longer has one of the Affiliations or Entitlements mentioned here that sets their Primary Group to Domain Users. Department OU Owners are responsible for deleting department user accounts when they are no longer needed.

Are department service accounts automatically disabled or deleted?

No, department service accounts (department accounts with the Service account type) are not automatically disabled or deleted. Department OU Owners are responsible for disabling or deleting department service accounts when they are no longer needed. Department OU Owners are also responsible for keeping the assignees for each department service account up to date. This prevents scenarios such as unexpected access by former employees who leave the University and return as an employee in a different department or as a student.

How are department accounts managed?

Department OU Owners and assignees can manage their department accounts using the Department User Tools (📑 Documentation).

What about department user accounts being used as service accounts?

Service accounts can be assigned to more than one person at a time (although they can only be claimed by one person at a time).
When an assignee has left the University, a Department OU Owner should remove them from the list of assignees of their service account(s), and another assignee should claim the account(s). This prevents them from having control over these service accounts if they ever do return to the University (a former employee in your department may later return as an employee in another department or a student).

Any department user account being used as a service account should be converted to a department service account. This ensures a few key items:

  • Department service accounts are not automatically disabled

  • Department service accounts can be managed by multiple users

  • Department service accounts will remain exempt from any future password expiration policies

Department OU Owners can submit a request to the Active Directory team via ServiceNow to change a department user account to a department service account.