Derelict Administrator Accounts: A Millennium Falcon Problem
At the start of The Empire Strikes Back, Han Solo gets snarky with Chewbacca because the Wookiee starts doing maintenance on a component of the Millennium Falcon that hadn't actually failed yet. That's how a lot of sysadmins feel about messing with things in the entrails of the network. If it isn't yet a problem, don't mess with it.
July 26, 2010
Many sysadmins have the same attitude towards the networks they manage that Han Solo has towards the Millennium Falcon. The cardinal rule is "if it is currently working, don't mess with it." That's why Han Solo got angry with Chewbacca for performing preventative maintenance in the Rebel hangar on Hoth. The ship was working and then Chewie started messing with it. Han knew that pulling on any one thread could unravel the whole kit and caboodle.
There are a whole lot of loose threads hanging off a network that it is tempting to tug on. One that many administrators are reluctant to pull is "removing the user accounts of sysadmins who no longer work at the organization".
When I've asked audiences at TechEd whether they've seen active accounts for systems administrators who have moved on, roughly 80% of hands go up. The main reason people are reluctant to do anything about these accounts is the fear that if they disable the account, something (a script, a service, or something else in the entrails of the network infrastructure) will break. Better to let sleeping dogs lie than to pull on a thread that may unravel more trouble than it is worth. We know ourselves not to configure services and scripts to run under our own credentials, but we don't trust the people we work with to have been so sensible.
It is the Millennium Falcon problem. Start working on the landing gear and suddenly the hyperdrive doesn't work. We've all had the bad experience of starting routine maintenance on one thing, only to have something that seemed unrelated fail spectacularly. And let's face it: most sysadmins have enough fires to put out without worrying about pulling on threads that might start more.
So what can you do about the derelict accounts of former sysadmins?
Audit them. If a domain admin account is being used to support a script or service, it has to be logging on, and every logon updates the account's last-logon attributes in Active Directory. You can run a query from Active Directory Users and Computers (Find, then the Common Queries tab, "Days since last logon") to list accounts that haven't logged on recently. Two caveats: that query reads the replicated lastLogonTimestamp attribute, which is only refreshed when it is more than about nine to fourteen days stale, so a recent logon can take up to two weeks to show; and an account that has never logged on since that attribute was introduced has no value at all, which the query treats as never. If someone left more than a year ago but their account isn't on the list of accounts that haven't logged on for more than 30 days, you've certainly got an issue to investigate: something is still using those credentials. If the account is on that list, you can be more confident that disabling it, with a view to eventual deletion, is unlikely to break the hyperdrive. Disable first rather than delete: a disabled account can be re-enabled in minutes if something does break, whereas a deleted account's SID cannot be recreated and every ACL entry that referenced it is left orphaned.
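The same audit in PowerShell, as an added example rather than anything from the original post. It uses the ActiveDirectory module that ships with Windows Server 2008 R2 and RSAT, reads both the replicated lastLogonTimestamp and the exact, per-domain-controller lastLogon attribute, and then checks which Windows services on a list of servers run under any Domain Admins account. The server names in $Servers are placeholders, and the script assumes you can read the domain and query WMI on those servers.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (Windows Server 2008 R2 / RSAT), rights to read the domain, and
# rights to query WMI on the servers listed in $Servers.
Import-Module ActiveDirectory

$Days    = 30
$Cutoff  = (Get-Date).AddDays(-$Days)
$Servers = @('SERVER01', 'SERVER02')   # assumed placeholder names; replace with your own

# Every domain controller, so the non-replicated lastLogon attribute can be
# read from each of them and the most recent value used.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Domain Admins, resolved recursively so members of nested groups are covered.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties lastLogonTimestamp, whenCreated

function ConvertFrom-FileTime([Int64]$Value) {
    # AD stores both logon attributes as Windows FILETIME; 0 or absent means never.
    if ($Value -gt 0) { [DateTime]::FromFileTime($Value) } else { $null }
}

$report = foreach ($u in $admins) {
    # lastLogonTimestamp is replicated but only refreshed when it is more than
    # 9-14 days stale, so on its own it is accurate to roughly two weeks.
    $replicated = ConvertFrom-FileTime $u.lastLogonTimestamp

    # lastLogon is exact but held per DC; take the newest value across all DCs.
    $perDc = foreach ($dc in $dcs) {
        ConvertFrom-FileTime (Get-ADUser -Identity $u.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
    }
    $exact = $perDc | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    $last = if ($exact) { $exact } else { $replicated }
    [PSCustomObject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        Created        = $u.whenCreated
        LastLogon      = $last
        Inactive       = ($null -eq $last) -or ($last -lt $Cutoff)
    }
}

# Dormant accounts: candidates to disable (not delete) first.
Write-Output "No logon in the last $Days days (candidates to disable):"
$report | Where-Object { $_.Inactive } | Sort-Object LastLogon | Format-Table -AutoSize

# The inverse list is the real finding: an account whose owner has left but
# that is still logging on means a script, service or task is using it.
Write-Output "Still logging on (investigate if the owner has left):"
$report | Where-Object { -not $_.Inactive } | Format-Table SamAccountName, LastLogon -AutoSize

function Get-LogonAccountName([string]$StartName) {
    # Service logon accounts appear as DOMAIN\user or user@domain.
    if ($StartName -match '^.*\\(.+)$') { return $Matches[1] }
    if ($StartName -match '^(.+)@.*$')  { return $Matches[1] }
    return $StartName
}

# Before disabling anything, find services on the named servers that run under
# any of these accounts; this surfaces the hidden dependencies the article
# warns about. Win32_Service does not cover scheduled tasks, so check those too.
$names = @{}
$report | ForEach-Object { $names[$_.SamAccountName.ToLower()] = $true }

Get-WmiObject -Class Win32_Service -ComputerName $Servers |
    Where-Object { $_.StartName -and $names.ContainsKey((Get-LogonAccountName $_.StartName).ToLower()) } |
    Select-Object SystemName, Name, StartName, State
```

If you only want the quick version of the ADUC query, `Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly` gives the same lastLogonTimestamp-based list in one line, with the same two-week staleness caveat. Once an account is on the dormant list and no service references it, `Disable-ADAccount -Identity <name>` is the reversible first step; deletion can wait until nothing has complained for a while.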