Information technology tools and resources at the UW
20131011: NETID user expiration and related changes
A service change is planned for the UWWI NETID domain service.
What and When:
Next week we will mark approximately 50,000 NETID user accounts as expired, to bring these accounts into closer alignment with their current UW NetID status. All 50,000 of these NETID user accounts no longer have a valid UW NetID.
What you need to do:
No impact is expected. All of these NETID user accounts no longer have an associated UW NetID. None of these accounts have logged in over the course of the past 20 months.
In early 2012, the NETID domain experienced a significant incident as an outcome of a change made in late 2011. As a workaround to that incident, we unexpired user accounts that were expired at that time. Reconciling which accounts actually should be expired has been outstanding work that until now hasn’t been prioritized.
The NETID domain service tries to align as closely with the UW NetID service as it can, but there are notable differences due to the technology constraints and business rules required. When a UW NetID loses its password, the NETID domain service doesn’t delete the user account, but instead marks the account as expired and resets the password to a long random string unknown to anyone. This is primarily to retain the objectSID in case access to resources via user account is needed again, but there are also auditing reasons to retain the objectSID.
There is other work scheduled later this quarter that will adjust our practices around UW NetIDs that lose their password (i.e. UW NetIDs that are no longer valid). This work will result in a couple changes.
- NETID users which go into this state will:
- be expired
- get random password
- get renamed cn/samAccountName values slightly to values that clearly indicate the user account is dead, but still retain the original UW NetID string
- be moved to a new OU set aside for “dead” NETID users
- be disabled
- have all optional attribute values removed
- Users which have been in this “dead” state for 7 years will be deleted
- Users which have been in this “dead” state, which are determined to be part of a transitory population, will be deleted after 1 year. An example of a transitory user would be an applicant.
We don’t plan on additionally announcing when that work happens, because that work is judged to be very low impact due to the fact that it doesn’t affect active users. However, we do think there is value in being transparent about the kinds of lifecycle practices we are employing.
Questions and Answers:
- I thought UW NetIDs were good for ever. Did something change?No, nothing changed. It’s just that amongst the large number of UW NetIDs there are always exceptions to the rule. There are several populations of UW NetIDs that can “lose” their UW NetID, where “lose” means the UW NetID still exists (i.e. can’t be issued to someone else) but the password is removed, and the associated accounts are no longer active. The populations that this can happen to include (but are not limited to):
- Former Applicants (i.e. students that applied but never enrolled)
- Former Shared UW NetIDs
- Former Clinicians
- Former Cascadia
- Former Admin UW NetIDs
Further questions about UW NetIDs and their lifecycle should be directed to the UW NetID service via firstname.lastname@example.org with “UW NetID lifecycle question” in the subject line.
- Why don’t you just delete the NETID user account tied to these dead UW NetIDs?
Because once we delete the user account, the objectSID is effectively gone. That objectSID is distributed to some unknown number of resource objects throughout the UW environment in access controls. If any part of the UW environment goes through an audit and has a resource which references that objectSID, they will be left baffled as to who *had* access to that resource. Unfortunately, this distributed nature of Windows access control is such that there is no easy way to “clean up” objectSIDs which are no longer meaningful.
- Why 7 years?
Because this is the longest regulatory period we are aware of where auditing logs need to be kept. If you are aware of a longer period, let us know.
- Why only 1 year for transitory users?
Two reasons: Because there are a lot of them. And it’s pretty unlikely that there are many resources they were granted access to which are significant in nature.
- Why are there so many NETID user accounts without an associated UW NetID?
Because the populations noted above have a lot of turnover and churn. Applicants in particular contribute quite a bit to the overall number. The NETID domain service is so far out of alignment because back in early 2012 as a workaround to a significant incident, we removed ~3 year’s worth of expirations. That’s where the 50k comes from, but additionally there are other expired NETID users (all the users which have expired in the past 20 months). So the total number after this work will be ~90k. That number will get cut down when we run the first 1 year deletion, but in general it will continue to grow.