Campus Active Directory - Disabled OU Account

This document outlines the criteria for OU accounts that are disabled within Campus Active Directory.

Overview

Department administrators are issued OU accounts to manage objects within their Organizational Unit. OU accounts are to be used strictly for administrative purposes and have full control over a department OU. These accounts are provisioned and managed by the Campus Active Directory team. To ensure best practices for privileged account management and reduce the attack surface within Campus Active Directory, OU accounts will be disabled automatically after certain criteria are met.

Disable Criteria

OU accounts that meet any of the criteria below will be disabled:

  1. The individual is no longer with the organization
  2. The account is in violation of the Campus Responsible Use and UDS Data Access Policies
  3. A supervisor or manager requests it
  4. The OU account has been inactive for 1 year
  5. The OU account has still never signed in 1 month after its creation by the Campus AD team

Reactivation Process for Inactive Accounts

An OU account that has been disabled due to inactivity will need to be re-enabled by the Campus AD team. You may request reactivation by emailing activedirectory@doit.wisc.edu.

Additional Resources

Campus Active Directory - Acceptable Use of Accounts: https://kb.wisc.edu/iam/30303

Campus IT Policies: https://it.wisc.edu/it-community/governance/information-technology-committee-itc/it-policies/

Keywords: campus active directory organizational unit ou account privileged administrator inactivity disabled expired access security
Doc ID: 144227
Owned by: MST Support in Identity and Access Management
Created: 2024-10-31
Updated: 2024-11-13
Sites: Identity and Access Management