>>>>> "david" == david <[email protected]> writes:
david> On Thu, 22 Oct 2009, John Stoffel wrote:
Edward> Never delete user accounts. Just disable them. For precisely
Edward> the reason mentioned - after a user account is deleted,
Edward> whether Windows or Linux fileshare, the system says "I don't
Edward> know who owns those files..."
>>
>> We don't delete them right away, but we do ask their manager to
>> cleanup and we will chown them to someone else as needed. Generally
>> the manager.
>>
>> Depending on the company, nuking accounts might be the only way to do
>> it. At a smaller shop, UIDs aren't a problem, but username conflicts
>> can and do crop up.
david> username conflicts are a problem anyway. when you look at logs
david> years later do you really want to have to remember that user
david> 'joe' means one person before July 2009 and a different person as
david> of September 2009?

I agree, it's a tough problem. When I was at Lucent (bought out Ascend
where I was at the time) they had a single global namespace for their
usernames, and the policy was that 'handles', as they called them,
couldn't be re-used for two years after a person left.

While I bitched about it at first, a little (tiny!) amount of
thinking on my part made me realize how great this simple policy was.
I think (it's been five years) that it was basically:

- all handles are between 3-16 characters in length
- HR picks them initially.
- Users can request a change to a new handle
- Handles shall be used as usernames on all computer systems
- No handle may be reused until two years have passed since it was
active
- Handles must be approved by HR/Mgmt, so that nothing "naughty" got
used.

It worked surprisingly well, esp with Unix limited to 60,000 unique
users on a system, having 130,000+ people in a company meant they had
to have a consistent overall system.

I personally think this scales down to even a small company. And
please, let's get away from those asinine first.last@ email
addresses. They just don't scale. But god knows why some CEOs
continue to insist on them, like my current job. Stupid.

John