I’m exploring ways to disable AD accounts for non-human accounts that haven’t logged in during the last 90 days.
As mentioned, the plan is to perform the account disable operation by adding a disable account policy in the provisioning policies for AD. However, I’d like to confirm if we can use the lastLogonTimestamp attribute to identify non-human accounts that haven’t logged in for the past 90 days.
Has anyone implemented a similar process or have insights on best practices for this use case? Any guidance would be appreciated!
You can use a disable account provisioning policy if you need to update any attribute in the request. However, in your case, you just need to create a plan with an AccountRequest and specify op as disable. This can be done in your own workflow.
The client does not want a scheduled task to disable AD accounts based on 90 days of inactivity.
Solution:
i. Create an AD application with filters to aggregate only the service accounts.
ii. Define a correlation rule to map each account to the right owner.
iii. Define an extended Identity Attribute which will contain all the admin accounts an identity owns, and another extended Identity Attribute to keep the status of these admin accounts in key-value pairs (e.g. aman-adm:disabled90dayPolicy, aman-sdm:active).
iv. Now a Run Rule task captures these two identity attributes and triggers a workflow. This rule also sends an email to the IAM Ops team with the number of service accounts that were processed, with an attachment.
v. This workflow then calculates what needs to be done based on the lastLogonTimeStamp: either disable or enable them, or do nothing.
vi. Once these items are performed, audit events are recorded to capture why and when these disable and/or enable operations were performed.
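As an added illustration of the decision in step v (this is not code from either reply, and it sits outside IdentityIQ so it can be tested on its own), here is the lastLogonTimestamp logic in Python. It assumes the key-value status attribute uses the name:status pairs shown above, and it treats the replication behaviour of lastLogonTimestamp (AD only rewrites it when the stored value is older than msDS-LogonTimeSyncInterval, 14 days by default) as a configurable margin so the real last logon is never underestimated.

```python
from datetime import datetime, timedelta, timezone

# lastLogonTimestamp is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INACTIVITY_DAYS = 90
# AD rewrites lastLogonTimestamp only when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default), so it can lag the real logon by that much.
DEFAULT_LAG_DAYS = 14
POLICY_DISABLED = "disabled90dayPolicy"  # status value from the thread's key-value example

def filetime_to_datetime(filetime: int):
    """Convert a FILETIME to an aware UTC datetime; 0 (never logged on) gives None."""
    if filetime <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build constructed sample values."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_status_attribute(value: str) -> dict:
    """Parse the key-value attribute, e.g. 'aman-adm:disabled90dayPolicy, aman-sdm:active'."""
    statuses = {}
    for pair in value.split(","):
        name, _, status = pair.partition(":")
        if name.strip():
            statuses[name.strip()] = status.strip() or "active"
    return statuses

def decide(status: str, last_logon: int, now: datetime, lag_days: int = DEFAULT_LAG_DAYS) -> str:
    """Return 'disable', 'enable' or 'nothing' for one account (step v of the solution)."""
    logon = filetime_to_datetime(last_logon)
    age = None if logon is None else now - logon
    # Never-logged-on accounts count as inactive (assumption; add a whenCreated grace period if needed).
    if status != POLICY_DISABLED and (age is None or age >= timedelta(days=INACTIVITY_DAYS + lag_days)):
        return "disable"
    if status == POLICY_DISABLED and age is not None and age < timedelta(days=INACTIVITY_DAYS):
        return "enable"  # policy-disabled account shows recent use, e.g. re-enabled by hand
    return "nothing"

def plan_actions(status_attr: str, last_logons: dict, now: datetime) -> dict:
    """Map each account in the status attribute to the action the workflow should take."""
    return {name: decide(status, last_logons.get(name, 0), now)
            for name, status in parse_status_attribute(status_attr).items()}

# Constructed reference time and helper for sample lastLogonTimestamp values.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def days_ago_filetime(days: int, now: datetime = SAMPLE_NOW) -> int:
    return datetime_to_filetime(now - timedelta(days=days))
```

The same decision would live in the workflow's Beanshell step, with the resulting "disable"/"enable" feeding an AccountRequest in the provisioning plan.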