Active Directory Auditing - Inactive User Check

The inactive user check looks for users who are not employed, but are still in AD groups.

Definition

A user is considered "Active" if they fall into one or more of the categories below:
  • Full-time staff members
  • Finance and Administrative Affairs employees (b02xxxx)
  • Student Affairs employees (b03xxxx)
  • Enrollment Management employees (b04xxxx)
  • AD Service Accounts (-s)
Any other user is considered "Inactive", and will appear on inactive notification emails.

Configuration

Each area has a group under ad.uwm.edu/SA/Groups/Security/Enterprise/ADAudit. This group contains the users who will get email alerts, and the XML configuration for the area.

The XML configuration has a few different nodes:
  • DisplayName (Required): The display name of the department that goes out in all the emails
  • ChangeTracker: Setting this to "Enabled" enables group membership change notifications for the area's groups
  • ListGroupMembership: Setting this to "Enabled" shows what AD groups the inactive user(s) are a member of in the email
  • BypassGroup: Name of the group that contains users that are inactive, but should not show up on the email report
  • GroupOfGroups: Name of the group that contains other groups to be checked
  • RecursiveOU: DN of an OU to scan recursively
Here's an example XML configuration:

<?xml version="1.0"?>
<ADAudit>
  <DisplayName>SAITS Enterprise</DisplayName>
  <ChangeTracker>Enabled</ChangeTracker>
  <ListGroupMembership>Enabled</ListGroupMembership>
  <BypassGroup>SA-ADAudit-Enterprise-Bypass</BypassGroup>
  <GroupOfGroups>SA-ADAudit-Enterprise-Groups</GroupOfGroups>
  <RecursiveOU>OU=Enterprise,OU=Security,OU=Groups,OU=SA,DC=ad,DC=uwm,DC=edu</RecursiveOU>
</ADAudit>

Admin Accounts

Admin account status is checked by removing the "-a" or "-a2" from the username, and checking the standard ePantherID of the user. In the event the user is determined to be inactive, it will appear in the report like this:
[Image: Inactive admin account example]
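
The configuration and account rules described above, as an added example (not the ADAudit tool's own code): it parses an area's XML, maps "-a"/"-a2" admin accounts to the standard ePantherID, and lists who would be reported. The `employed_ids` set, the sample usernames, the function names and the exact-match handling of "Enabled" are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The page's example configuration, embedded so the block runs offline.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<ADAudit>
  <DisplayName>SAITS Enterprise</DisplayName>
  <ChangeTracker>Enabled</ChangeTracker>
  <ListGroupMembership>Enabled</ListGroupMembership>
  <BypassGroup>SA-ADAudit-Enterprise-Bypass</BypassGroup>
  <GroupOfGroups>SA-ADAudit-Enterprise-Groups</GroupOfGroups>
  <RecursiveOU>OU=Enterprise,OU=Security,OU=Groups,OU=SA,DC=ad,DC=uwm,DC=edu</RecursiveOU>
</ADAudit>"""

FLAGS = ("ChangeTracker", "ListGroupMembership")
OPTIONAL = ("BypassGroup", "GroupOfGroups", "RecursiveOU")
ADMIN_SUFFIX = re.compile(r"-a2?$", re.IGNORECASE)  # matches "-a" or "-a2"

def parse_config(xml_text):
    """Return the area's settings; DisplayName is the only required node."""
    root = ET.fromstring(xml_text)
    name = (root.findtext("DisplayName") or "").strip()
    if root.tag != "ADAudit" or not name:
        raise ValueError("ADAudit config needs a DisplayName")
    cfg = {"DisplayName": name}
    for tag in FLAGS:  # assumption: only the exact value "Enabled" turns it on
        cfg[tag] = (root.findtext(tag) or "").strip() == "Enabled"
    for tag in OPTIONAL:  # a missing or empty node becomes None
        cfg[tag] = (root.findtext(tag) or "").strip() or None
    return cfg

def base_id(username):
    """Strip the admin suffix so the standard ePantherID can be checked."""
    return ADMIN_SUFFIX.sub("", username)

def is_active(username, employed_ids):
    """employed_ids: hypothetical set of IDs in the page's active categories."""
    if username.lower().endswith("-s"):  # AD service accounts count as active
        return True
    return base_id(username).lower() in employed_ids

def inactive_report(members, employed_ids, bypass_members):
    """Members who would appear on the inactive notification email."""
    return sorted(u for u in members
                  if u not in bypass_members and not is_active(u, employed_ids))

MEMBERS = ["jdoe", "jdoe-a", "asmith", "asmith-a2", "backup-s", "vendor1"]  # constructed
if __name__ == "__main__":
    print(parse_config(SAMPLE_CONFIG)["DisplayName"],
          inactive_report(MEMBERS, {"jdoe"}, {"vendor1"}))
```

Because the admin account inherits the status of its base ID, "asmith-a2" is reported alongside "asmith" even though nothing about the admin account itself changed.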



Keywords: auditing, security, inactive, user, check, active, directory, employment
Doc ID: 83426
Owner: Help Desk K.
Group: UW-Milwaukee Help Desk
Created: 2018-07-06 10:25 CST
Updated: 2019-01-02 14:36 CST
Sites: UW-Milwaukee Help Desk, UW-Milwaukee Student Affairs IT