
Re: Remove user

Hoff
Honored Contributor

Re: Remove user

I have an acl_scrub tool posted at:

http://labs.hoffmanlabs.com/node/426

This tool can locate and optionally correct stale identifiers that can be left dangling on file system objects when users are deleted.

Here is a write-up on creating and deleting users:

http://labs.hoffmanlabs.com/node/856

with links to various procedures and tools.
John Gillings
Honored Contributor

Re: Remove user

I agree with Dan, don't delete the user, just DISUSER & NOACCESS the account and set the password to a random string.

If you must remove the UAF entry, I recommend using:

UAF> REMOVE/NOREMOVE user

This deletes the UAF entry, but leaves the UIC identifier intact. There are several reasons.

Primarily, you don't lose the textual name on security objects (owner fields, ACLs etc). It also makes it much easier to prevent reuse of the UIC.

For most systems there is sufficient keyspace in UICs to never have to reuse a UIC. Sure, you can use a scrubber, like the one referenced by Hoff, but not reusing the UIC is better assurance that a stale ACE won't ever be misused.

It may make sense to change the identifier string to make it obvious it's expired.

UAF> MODIFY/IDENT/NAME=DISUSER_SOMEUSER SOMEUSER

(although usernames are effectively limited to 12 characters, identifiers are allowed to be up to 31 characters)
A crucible of informative mistakes
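The two approaches John describes, written out as a DCL command procedure so the AUTHORIZE commands can be seen end to end. This is an added example and not John's or Hoff's code; the username SOMEUSER comes from the post, while the password value and the disk name DISK$USERS are placeholders, and /FLAGS=DISUSER and /NOACCESS are the AUTHORIZE qualifiers behind the "DISUSER & NOACCESS" shorthand above. Each AUTHORIZE command is issued through MCR so comments can sit between them.

```dcl
$! Added example: retire an account without leaving stale identifiers behind.
$! Run from a privileged account; AUTHORIZE needs SYSPRV to modify SYSUAF.
$ SET DEFAULT SYS$SYSTEM
$!
$! Option A (preferred in the post): keep the UAF entry, but make it unusable.
$! DISUSER blocks logins, /NOACCESS removes every access mode (local, remote,
$! network, batch, dialup), and the password is replaced with a random string
$! that nobody records. REPLACE_WITH_RANDOM_STRING is a placeholder.
$ MCR AUTHORIZE MODIFY SOMEUSER /FLAGS=DISUSER /NOACCESS -
    /PASSWORD=REPLACE_WITH_RANDOM_STRING
$ MCR AUTHORIZE SHOW SOMEUSER
$!
$! Option B: the UAF entry really has to go. /NOREMOVE keeps the UIC identifier
$! in the rights database, so owner fields and ACEs still display a name and the
$! UIC cannot be handed to a new user by accident. Renaming the identifier makes
$! its retired status obvious wherever it still appears (identifiers may be up to
$! 31 characters, longer than a username).
$ MCR AUTHORIZE REMOVE/NOREMOVE SOMEUSER
$ MCR AUTHORIZE MODIFY/IDENT/NAME=DISUSER_SOMEUSER SOMEUSER
$ MCR AUTHORIZE SHOW/IDENTIFIER DISUSER_SOMEUSER
$!
$! Check: objects the user owned or appeared in ACLs on should now show the
$! renamed identifier rather than a bare numeric UIC. DISK$USERS is a placeholder
$! for wherever the user's files live.
$ DIRECTORY/SECURITY DISK$USERS:[SOMEUSER...]*.*;*
$ EXIT
```

Pick one option, not both: Option A leaves the UAF record in place for audit trails and is reversible, Option B is the route to take only when the entry itself must disappear. In either case the UIC is never reissued, which is the property John is after; Hoff's acl_scrub tool covers the case where an identifier was already deleted outright and ACEs were left dangling.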