Summer/Fall 2010 [Number 247] Please note that this issue of Interface is an archived issue. Therefore, the information contained in each article may no longer be current.
Annual Active Directory Account Review
On May 17, 2010, a new process was implemented at the request of the NIH Office of the Chief Information Officer for annual review and reauthorization of NIH Active Directory (AD) accounts.
The new AD Account Review process requires NIH Enterprise Directory (NED) Administrative Officer (AO) Sponsors to annually review AD user accounts authorized in the system and to determine on a case-by-case basis whether each NIH user still requires their AD account (and Exchange mailbox if also authorized).
What is the purpose of this change?
The purpose of this new process is to ensure that each person with an active NIH AD account still has a need for the account, as dictated by their NIH job responsibilities. In some instances, this process may also help to eliminate active NED records for users who may have left NIH.
How does the process work?
Thirty days prior to the one-year anniversary of the AD account sponsor/reauthorization date, AO Sponsors will receive an automated email notification and be directed to the AD Account Review interface in NED. There will be a list of all staff included in the AO Sponsor's primary Special Agreement Check (SAC) coverage eligible for reauthorization, as well as an option to "Reauthorize" or "Deauthorize." If more than one account is up for renewal, the AO Sponsor will be able to reauthorize or deauthorize multiple accounts in one action by selecting the necessary checkboxes next to the staff members.
As an AO Sponsor, what are my responsibilities?
When an AO Sponsor receives an account renewal notification, they should make certain the user still has a need for the AD account (and Exchange mailbox if also authorized). In some instances this may require contacting a Project Officer/Supervisor or the user directly. No account deauthorization should be performed until it has been determined the user no longer requires the account.
The AO Sponsor should promptly reauthorize or deauthorize the AD account after determining whether the account is still needed.
Is there a review period?
Yes, there is a 30-day review period for all AD account provisioning or deprovisioning requests.
What will happen if no action is taken?
If no action is taken by an AO Sponsor within the 30-day review period, NED will automatically deprovision/deauthorize the AD account, and it will be immediately disabled. After being disabled, the account will be deleted in 15 days in accordance with the NIH Lifecycle Policy.
What should I do if an account is accidentally deauthorized instead of reauthorized?
There is no "undo" feature within AD Account Review. In order to reauthorize accounts, you must use the NED Manage Services – Modify menu option to request an AD account (and Exchange mailbox if also needed). After the task has been approved and sponsored, you should ask the NIH IT Service Desk to enable the accounts.
What should I do if an account was reauthorized but now needs to be deauthorized?
If the NED record should remain active, you should deauthorize the accounts using the NED Manage Services – Modify menu option. If the whole NED record should be deactivated, then you should use the NED Create/Modify Record – Deactivate menu option.
Why don't I see the AD Account Review function?
The majority of NED users are not responsible for using AD Account Review. This function is only available to AOs who also have the Sponsorship role.
What are some tips if I don't see all accounts I need to reauthorize?
If you have questions or need assistance, please contact the NIH IT Service Desk online at http://itservicedesk.nih.gov/ or by phone at 301-496-4357, 301-496-8294 (TTY), or 866-319-4357 (toll free).
Published by Center for Information Technology, National Institutes of Health