Toine,
Strange. ITRC seems to have not caught my earlier post.
I recommend extreme caution. There are several issues here, some of which Hoff has mentioned in his earlier post.
First, "disabled and and not used for 180 days" is a true statement for an account that is disabled after 180 days the moment it is disabled. Unless there is an unmentioned part of the protocol, this means that a dormant account will be automatically deleted at 180 days.
Second, safely deleting something is more than merely deleting the account. One should ensure that the UIC is not available for re-use, to avoid inadvertently granting access to resources based on stale access control elements. Additionally, what happens to the files directly in that directory tree? What are their preservation requirements?
What about accounts that are only used at certain times of year (e.g., year end) and may be disabled in the interim to avoid accidents? One must carefully walk through all of the possibilities.
If I were faced with this request, I would make sure that I had some written documentation of the implications, and a signature from management taking responsibility for this implementation.
If I were implementing something, I would integrate into a report/auditing mechanism that did a SHOW/FULL of the UAF entry, and archived the account profile and the directory contents to an archive medium. I would automatically invoke AUTHORIZE from a DCL script (as I have done many times) or using SPAWN.
If this is a financial or other organization subject to compliance issues, I would check with BOTH Human Resources and Compliance as to their other requirements.
- Bob Gezelter,
http://www.rlgsc.com
