Question

Offboarded user

  • October 14, 2025
  • 10 replies
  • 88 views

Hello Beekeeper Community,

I’m curious to hear how others handle the following:

Onboarding:
Easy: AD query, smart rules, and we have a managed account.

Offboarding:
When a managed account is deleted from AD, the password rotation can't locate the user. Also, there doesn't seem to be a smart rule capability to identify which accounts are in Password Safe and which are not, to help with automated cleanup and management.

How do you manage this process? Any tips or best practices would be appreciated!

Regards,

Maulik

10 replies

GloriaB
  • BeyondTrust Employee
  • October 14, 2025

Hi @maulik shah,

 

The following article may be a help:

How to clean up offline or decommissioned assets

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020560


rhagerm
  • Rising Star
  • October 14, 2025

In our environment, we move all accounts no longer needed to an OU for decommissioned accounts. This OU is not being scanned by BeyondTrust. We do this due to the number of contractors who are disabled when their contract expires. Many times this will happen when a contractor doesn’t get renewed in time but they do get renewed. It saves us the trouble of deleting their account only to recreate it again.

 

BeyondTrust cleans them up eventually. The oldest account in my deployment is August 4th. Since we are heavy on contractors, I know people have left before August 4th but there is no history showing that. And, since the account owner is no longer enabled in the portal, their AD account is gone, so they cannot log in to use their elevated rights or managed account. Because the account is moved to another OU that BeyondTrust does not have access to, the elevated rights accounts will become unmanaged when the smart rules run.

 

If you really want to get rid of them, you can use the REST API to delete them on a schedule, but again, it doesn't impact licensing, and it doesn't pose a risk since the user and the associated elevated rights account are both no longer in Active Directory.

 


frank.colvin
  • Veteran
  • October 21, 2025

Hello @rhagerm,

Your post says "BeyondTrust cleans them up eventually." How exactly does this happen?

It has been my experience that the Managed Account has to be deleted manually or through an API script.

Our organization disables the elevated account and deletes it after 30 days. I have a directory query that pulls the disabled accounts and a smart rule that assigns the disabled attribute to these managed accounts. Then I use an API script to delete the Managed Accounts with the disabled attribute.

I am curious as to how "BeyondTrust cleans them up eventually."


rhagerm
  • Rising Star
  • October 21, 2025

If I understand it correctly, BeyondTrust keeps the accounts for 90 days before it deletes them.

It does this to maintain reporting and password/usage history. Once 90 days elapses, BeyondTrust will delete the accounts when the smart rule runs and the account is no longer in the smart rule.


frank.colvin
  • Veteran
  • October 21, 2025

@rhagerm 

You are misinformed; there is no automatic purging of Managed Accounts. Once they are onboarded they exist until deleted manually or by API script. The 90 days is only for purging assets, if that is enabled, and it is different for cloud vs. on-prem.

 


rhagerm
  • Rising Star
  • October 21, 2025

That may be, and I'll test that. I have no deleted accounts in BeyondTrust beyond 90 days and I do nothing to manually delete them. Something other than me is cleaning them up.

I'll run some tests and see what I can. Again, in my reply, the first line explains it all: "If I'm not mistaken". I may have been mistaken on what is actually cleaning them up.


rhagerm
  • Rising Star
  • October 21, 2025

The original count of users in the first screenshot I posted was 6 accounts that failed password rotation. Today, I have 2, so something is cleaning them up. What is actually doing it, I have my thoughts, but that's just me. I do know it is not anything we do to delete them; they just get deleted.

That being said, another speculation here. When you leave the company, we disable all your accounts and move them to a Terminated OU. That OU is not scanned by BeyondTrust so for all intents and purposes, the account is gone. The account will sit in the Terminated OU for 30 days before it is permanently deleted. This does not explain the 90 day waiting period we are seeing but is the only thing that deletes these accounts from AD. 

As far as the automation though, these accounts are deleted from BeyondTrust by BeyondTrust within the 90 day window. This is important to note because some of the deleted accounts were last changed in October, so I'm not sure what is cleaning them up, only that they are getting cleaned up.

Being that I’m the only vault administrator, I would know if any code was doing it and I’ve not written any cleanup code.

 

 


  • Author
  • Trailblazer
  • November 24, 2025

Hi @maulik shah,

 

The following article may be a help:

How to clean up offline or decommissioned assets

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020560

Hi, thanks for your input, but the KB only suggests manual work. I am looking for some sort of smart rule to at least disable its management, so once this managed account is gone from AD I do not want to see any notifications about it.


  • Author
  • Trailblazer
  • November 24, 2025

Hello @rhagerm,

Your post says "BeyondTrust cleans them up eventually." How exactly does this happen?

It has been my experience that the Managed Account has to be deleted manually or through an API script.

Our organization disables the elevated account and deletes it after 30 days. I have a directory query that pulls the disabled accounts and a smart rule that assigns the disabled attribute to these managed accounts. Then I use an API script to delete the Managed Accounts with the disabled attribute.

I am curious as to how "BeyondTrust cleans them up eventually."

Hi Frank, 

This is what I was thinking of doing, but I cannot locate the disabled attribute. Can you share your smart rule logic, maybe a screenshot?

 

Regards,

Maulik


frank.colvin
  • Veteran
  • November 25, 2025

@maulik shah Sorry for the delay I have been seriously ill the past week.

In a nutshell, you will need to create custom attributes. Keep in mind these steps may be different depending on your version; I am on 23.3.

How to Configure Custom Attributes

  1. Access Configuration / Define Attributes

    • Log in to BeyondInsight (the management console for Password Safe).
    • Navigate to Configuration → General → Attributes. Here you have some predefined attributes that you can utilize or modify, or you can create your own.
      • If you click the + you can see the sub-attributes. At any point you can choose "Add New Attribute", or at the top "Add New Attribute Type"; you can nest these as far as you like, but that may affect what is viewable in the advanced details.
  2. Automation

    • Use Smart Rules to apply policies based on custom attributes (e.g., assign accounts to specific values).

 

I do not think this will help with your original post for user accounts.

I utilize directory queries with advanced filters as criteria to onboard my privileged accounts. My filter chooses based on group membership and/or AD container, and it ignores disabled accounts. Once an account no longer satisfies the selection criteria, it essentially has only the built-in smart rules that it is a member of. It has been my experience that nothing automatically removes these Managed Accounts, so they would require manual removal. This is not a huge issue if your turnover is not too great; if it is, then an API script needs to be written to remove them. That is where I use an attribute by which the script selects the account and deletes it.

This is a very advanced feature which I would recommend bringing in a consultant or someone from BT professional services. 

 

I hope this helps
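The pattern frank.colvin describes twice in this thread (a directory query that returns disabled AD accounts, a Smart Rule that stamps those managed accounts with a custom attribute, and a scheduled script that deletes whatever carries the attribute) is straightforward to script against the BeyondInsight REST API. The block below is an added example written for this page; it is not BeyondTrust's code, nor the script frank.colvin runs. It assumes a custom attribute whose ShortName is "Offboarded" (a hypothetical name), the API paths Auth/SignAppin, Auth/Signout, ManagedAccounts, ManagedAccounts/{id}/Attributes and DELETE ManagedAccounts/{id} with the "PS-Auth key=...; runas=...;" Authorization header, and the JSON field names ManagedAccountID/AccountId, SystemName, AccountName and ShortName; check all of those against the API guide for your version before running it. What it adds beyond the thread's description is the guard rail a practitioner wants on a deletion job: it dry-runs by default, and it refuses to delete anything if the tagged share of the vault exceeds a threshold, because a broken LDAP filter or a directory query that suddenly reports every account as disabled would otherwise empty the vault on the next scheduled run.

```python
"""Scheduled cleanup of Password Safe managed accounts tagged as offboarded by a Smart Rule.

Added example, not BeyondTrust code. Assumed (verify against your API guide):
  - a custom attribute with ShortName "Offboarded" (hypothetical) assigned by a Smart Rule
    fed from a directory query that returns disabled AD accounts;
  - API paths Auth/SignAppin, Auth/Signout, ManagedAccounts, ManagedAccounts/{id}/Attributes,
    DELETE ManagedAccounts/{id}; "PS-Auth key=...; runas=...;" header plus a session cookie;
  - JSON field names ManagedAccountID/AccountId, SystemName, AccountName, ShortName.
"""
import json
import os
import sys
import urllib.request
from dataclasses import dataclass

MARKER_ATTRIBUTE = "Offboarded"  # hypothetical attribute ShortName set by the Smart Rule
MAX_DELETE_FRACTION = 0.10       # abort if more than 10% of all managed accounts are tagged


@dataclass(frozen=True)
class ManagedAccount:
    account_id: int
    system_name: str
    account_name: str
    attributes: frozenset  # ShortNames of the attributes attached to the account


def select_for_deletion(accounts, marker=MARKER_ATTRIBUTE, max_fraction=MAX_DELETE_FRACTION):
    """Return the accounts carrying `marker`.

    Raises instead of returning anything if the tagged share exceeds `max_fraction`:
    a misfiring directory query (broken LDAP filter, AD unreachable so everything
    looks disabled) would otherwise turn this job into a vault wipe.
    """
    accounts = list(accounts)
    tagged = [a for a in accounts if marker in a.attributes]
    if accounts and len(tagged) / len(accounts) > max_fraction:
        raise RuntimeError(
            f"{len(tagged)} of {len(accounts)} managed accounts are tagged {marker!r}; "
            f"above the {max_fraction:.0%} safety threshold, check the query and Smart Rule"
        )
    return tagged


class PasswordSafeClient:
    """Minimal BeyondInsight API client using only the standard library."""

    def __init__(self, base_url, api_key, runas):
        self.base_url = base_url.rstrip("/") + "/"
        self.auth = f"PS-Auth key={api_key}; runas={runas};"
        # SignAppin returns a session cookie; the cookie jar replays it on later calls.
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())

    def _call(self, method, path):
        req = urllib.request.Request(self.base_url + path, method=method)
        req.add_header("Authorization", self.auth)
        req.add_header("Content-Type", "application/json")
        with self.opener.open(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None  # DELETE/Signout return an empty body

    def sign_in(self):
        self._call("POST", "Auth/SignAppin")

    def sign_out(self):
        self._call("POST", "Auth/Signout")

    def managed_accounts(self):
        for item in self._call("GET", "ManagedAccounts") or []:
            acct_id = item.get("ManagedAccountID", item.get("AccountId"))  # assumed field names
            attrs = self._call("GET", f"ManagedAccounts/{acct_id}/Attributes") or []
            yield ManagedAccount(
                account_id=acct_id,
                system_name=item.get("SystemName", ""),
                account_name=item.get("AccountName", ""),
                attributes=frozenset(a["ShortName"] for a in attrs),
            )

    def delete_managed_account(self, account_id):
        self._call("DELETE", f"ManagedAccounts/{account_id}")


def run_cleanup(client, dry_run=True):
    """Sign in, pick the tagged accounts, delete them unless dry_run, always sign out."""
    client.sign_in()
    try:
        targets = select_for_deletion(client.managed_accounts())
        for acct in targets:
            verb = "would delete" if dry_run else "deleting"
            print(f"{verb} {acct.system_name}\\{acct.account_name} (ManagedAccountID {acct.account_id})")
            if not dry_run:
                client.delete_managed_account(acct.account_id)
        return targets
    finally:
        client.sign_out()


if __name__ == "__main__":
    # Dry run by default; pass --apply to delete. Credentials come from the environment
    # so the API key is neither in the script nor on the scheduler's command line.
    ps = PasswordSafeClient(os.environ["PS_URL"], os.environ["PS_API_KEY"], os.environ["PS_RUNAS"])
    run_cleanup(ps, dry_run="--apply" not in sys.argv)
```

Run it once without --apply from the same service account and runas user your scheduler will use, compare the "would delete" list against the Terminated OU, and only then schedule it with --apply. The threshold check is deliberately on the whole vault rather than on a count, so it keeps working as the number of managed accounts grows; tune MAX_DELETE_FRACTION to your real turnover.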