Derelict Administrator Accounts: A Millennium Falcon Problem

Many sysadmins have the same attitude towards the networks they manage that Han Solo has towards the Millennium Falcon. The cardinal rule is “if it is currently working, don’t mess with it.” That’s why Han Solo got angry with Chewbacca for performing preventative maintenance in the Rebel Hangar on Hoth. The ship was working and then Chewie started messing with it. Han knew that pulling on any one thread could unravel the whole kit and caboodle.

There are a whole lot of loose threads that hang out about a network that it is tempting to tug on. One such thread that many administrators are reluctant to pull on is “removing the user accounts of Sysadmins who no longer work at the organization”.

When I’ve asked audiences at TechEd whether they’ve seen active accounts for systems administrators who have moved on, I’d say that roughly 80% of hands go up. The main reason that people are reluctant to do anything about these accounts is a fear that if they disable the account, something (a script, a service, or something else in the entrails of the network infrastructure) will break. Better to let sleeping dogs lie, to not pull on a thread that may unravel more trouble than it is worth. While we ourselves know not to configure services and scripts to run using our own credentials, we don’t trust the people we work with to be so sensible.

It is the Millennium Falcon problem. Start working on the landing gear and suddenly the hyperdrive doesn’t work. We’ve all had a bad experience when maintaining a network where we have started doing some routine maintenance on one thing, only to have something else that seems unrelated fail spectacularly. And let’s face it: most sysadmins have enough fires to put out without worrying about pulling on threads that might start more.

So what can you do about the derelict accounts of former sysadmins?

Audit them. If a domain admin account is being used to support a script or service, it has to be logging on. You can run a query from Active Directory Users and Computers to figure out which accounts haven’t logged on recently. If someone left more than a year ago but their account isn’t on the list of accounts that haven’t logged on for more than 30 days, you’ve certainly got an issue that you should investigate: something, or someone, is still using that account. If the account is on the list of accounts that haven’t logged on for more than 30 days, then you can be a little more confident that disabling the account, with a view to eventual deletion, is unlikely to break the hyperdrive.
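The same audit can be scripted rather than clicked through in Active Directory Users and Computers. The script below is an added example and is not from the original post; it assumes the RSAT ActiveDirectory PowerShell module, a domain-joined session with rights to read the directory, and the post’s 30-day threshold (the $ThresholdDays value and the $PrivilegedGroups list are assumptions you should adjust to your own domain). It inventories members of the privileged groups, flags those not seen logging on within the threshold, and exports the candidates for review before anything is disabled.

```powershell
# Added example (not from the original post): list privileged accounts that have not
# logged on within a threshold, as candidates for disable-then-eventually-delete.
# Assumes the RSAT ActiveDirectory module and a suitably privileged domain session.
Import-Module ActiveDirectory

$ThresholdDays    = 30                                   # the post's 30-day window (assumption: adjust to policy)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$Cutoff           = (Get-Date).AddDays(-$ThresholdDays)

# Direct and nested user members of the privileged groups, de-duplicated by SID.
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}
$members = $members | Sort-Object -Property SID -Unique

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
                    -Properties LastLogonDate, Enabled, PasswordLastSet, Description, ServicePrincipalName

    # LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can
    # lag the true last logon by up to roughly 14 days. Treat it as coarse evidence, not proof.
    $inactive = ($null -eq $u.LastLogonDate) -or ($u.LastLogonDate -lt $Cutoff)

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        LastLogonDate   = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
        HasSPN          = [bool]$u.ServicePrincipalName   # an SPN is a hint that a service uses this account
        Inactive        = $inactive
        Description     = $u.Description
    }
}

$report | Sort-Object LastLogonDate | Format-Table -AutoSize

# Candidates: privileged, still enabled, and not seen logging on within the threshold.
$candidates = $report | Where-Object { $_.Enabled -and $_.Inactive }
$candidates | Export-Csv -Path .\stale-privileged-accounts.csv -NoTypeInformation

# After human review, disable rather than delete; -WhatIf previews without changing anything.
# $candidates | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Two things worth knowing when reading the output. First, an account of a departed administrator that is enabled and shows a recent LastLogonDate is the interesting case the post describes: it belongs in the "investigate" pile, not the "disable" pile, until you know what is using it. Second, `Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly` gives the same "not logged on in 30 days" list across the whole domain in one call; the script above narrows the question to privileged accounts and keeps the fields a reviewer needs beside each name.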

Comments (2)

on Jul 27, 2010
If there are, I can't think of any off the top of my head. Sometimes you'll get people configuring local accounts in odd ways, but that's a separate topic.
on Jul 26, 2010
Are there any scenarios where an account can be used in which it doesn't require a log on? I've been told this by other administrators but I can't remember their rationale. If so, what scenarios are there and what can be done to determine if an account is being used in this manner (a different event, etc.)?
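The comment above asks which events show that an account is still in use. Successful logons, including the non-interactive ones performed by services and scheduled tasks, are recorded as Security event 4624, and the event's LogonType field says what kind of logon it was (4 for batch/scheduled task, 5 for service, 3 for network, 2 or 10 for interactive and RDP). The script below is an added example, not from the post or its commenters; it assumes the ActiveDirectory module, rights to read the Security log on each domain controller, and that the account name you pass in the $SamAccountName parameter is the departed administrator's sAMAccountName.

```powershell
# Added example (not from the post): show where and how a given account is still
# logging on, by pulling 4624 (successful logon) events from each domain controller.
# Assumes the ActiveDirectory module and Security-log read rights on the DCs.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # the account under investigation
    [int]$Days = 30                                  # how far back to look (assumption)
)
Import-Module ActiveDirectory

# Meaning of the LogonType field in event 4624.
$LogonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch (scheduled task)'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive'
}

# Let the event log do the filtering: only 4624 events for this TargetUserName in the window.
# XPath string comparison is case-sensitive, so pass the name exactly as it appears in events.
$windowMs = [int64]$Days * 86400000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
         " and EventData[Data[@Name='TargetUserName']='$SamAccountName']]"

$dcs = (Get-ADDomainController -Filter *).HostName

$hits = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the EventData name/value pairs into a hashtable for readable access.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            DC          = $dc
            LogonType   = $LogonTypes[[int]$d['LogonType']]
            SourceIP    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            Process     = $d['ProcessName']
        }
    }
}

# Summarise: which logon types, from which sources, how often. Batch and Service entries
# point at scheduled tasks and services that still run under the account.
$hits | Group-Object LogonType, SourceIP, Workstation |
    Select-Object Count, Name, @{n='LastSeen'; e={ ($_.Group | Sort-Object Time)[-1].Time }} |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

One caveat on scope: a 4624 event on a domain controller records a logon to that domain controller. A service or task that uses the account on some other member server logs its 4624 on that server, while the domain controllers see the Kerberos ticket requests for it (events 4768 and 4769) or, for NTLM, the credential validation (4776). If you do not centralise logs, checking 4768/4769/4776 on the DCs with the same TargetUserName filter gives the domain-wide view, and the 4624 query above then tells you what kind of logon it was on the host that produced it.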


Orin Thomas

Orin Thomas is a contributing editor for Windows IT Pro and a Windows Security MVP. He has authored or coauthored more than thirty books for Microsoft Press, founded the Melbourne System Center,...