
Hello Beekeeper Community,

I’m curious to hear how others handle the following:

Onboarding:
Easy: AD query, smart rules, and we have managed accounts.

Offboarding:
When a managed account is deleted from AD, the password can’t locate the user. Also, there doesn’t seem to be a smart rule capability to identify which accounts are in Password Safe and which are not, to help with automated cleanup and management.

How do you manage this process? Any tips or best practices would be appreciated!

Regards,

Maulik

Hi @maulik shah,


The following article may be a help:

How to clean up offline or decommissioned assets

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0020560


In our environment, we move all accounts no longer needed to an OU for decommissioned accounts. This OU is not being scanned by BeyondTrust. We do this due to the number of contractors who are disabled when their contract expires. Many times this will happen when a contractor doesn’t get renewed in time but they do get renewed. It saves us the trouble of deleting their account only to recreate it again.


BeyondTrust cleans them up eventually. The oldest account in my deployment is August 4th. Since we are heavy on contractors, I know people have left before August 4th but there is no history showing that. And, since the account owner is no longer enabled in the portal, their AD account is gone, so they cannot log in to use their elevated rights or managed account. Because the account is moved to another OU that BeyondTrust does not have access to, the elevated rights accounts will become unmanaged when the smart rules run.


If you really want to get rid of them, you can use the REST API to delete them on a schedule but again, it doesn’t impact licensing, and it doesn’t pose a risk since the user and the associated elevated rights account are both no longer in the Active Directory.
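As an added example (not code from the thread or from BeyondTrust), the script below shows the scheduled cleanup described in the reply: it reconciles a list of Password Safe managed accounts against an AD user export, leaves alone anything parked in the decommissioned OU, flags accounts whose AD object is gone, and only deletes them when dry-run is switched off. The sample managed-account records and AD export are constructed; the `Auth/SignAppin` and `ManagedAccounts/{id}` endpoint paths, the `PS-Auth` header format, and the field names `ManagedAccountID`, `AccountName` and `DomainName` are assumptions about the v3 API and should be checked against your deployment's API documentation.

```python
"""Reconcile Password Safe managed accounts against Active Directory.

Added example, not from the thread or from BeyondTrust. The reconciliation
logic is pure Python over constructed sample data so it runs offline; the
HTTP client at the bottom assumes the v3 endpoint paths and header format
and is only used when dry_run=False.
"""
import json
import urllib.request

# Constructed sample: a subset of what GET /ManagedAccounts might return.
MANAGED_ACCOUNTS = [
    {"ManagedAccountID": 101, "AccountName": "asmith", "DomainName": "corp.example"},
    {"ManagedAccountID": 102, "AccountName": "bjones", "DomainName": "corp.example"},
    {"ManagedAccountID": 103, "AccountName": "cparker", "DomainName": "corp.example"},
    {"ManagedAccountID": 104, "AccountName": "svc-backup", "DomainName": "corp.example"},
]

# Constructed sample: sAMAccountName -> distinguishedName from an AD export.
# cparker has been deleted from AD; bjones was moved to the parking OU.
AD_USERS = {
    "asmith": "CN=asmith,OU=Users,DC=corp,DC=example",
    "bjones": "CN=bjones,OU=Decommissioned,DC=corp,DC=example",
    "svc-backup": "CN=svc-backup,OU=Service,DC=corp,DC=example",
}

DECOMMISSIONED_OU = "OU=Decommissioned,DC=corp,DC=example"
DOMAIN = "corp.example"


def classify(managed_accounts, ad_users, decommissioned_ou, domain):
    """Split managed accounts into keep / parked / orphaned.

    orphaned: no AD object with that sAMAccountName (deleted in AD)
    parked:   AD object exists but sits under the decommissioned OU
    keep:     everything else, including accounts from other domains
    """
    keep, parked, orphaned = [], [], []
    ou_suffix = "," + decommissioned_ou.lower()
    for acct in managed_accounts:
        if acct.get("DomainName", "").lower() != domain.lower():
            keep.append(acct)  # out of scope for this domain's AD export
            continue
        dn = ad_users.get(acct["AccountName"])
        if dn is None:
            orphaned.append(acct)
        elif dn.lower().endswith(ou_suffix):
            parked.append(acct)
        else:
            keep.append(acct)
    return {"keep": keep, "parked": parked, "orphaned": orphaned}


def orphaned_ids(managed_accounts, ad_users, decommissioned_ou, domain):
    """IDs that a scheduled cleanup would delete, in a stable order."""
    result = classify(managed_accounts, ad_users, decommissioned_ou, domain)
    return sorted(a["ManagedAccountID"] for a in result["orphaned"])


class PasswordSafeClient:
    """Minimal client. Endpoint paths and header format are assumptions."""

    def __init__(self, base_url, api_key, runas_user):
        self.base = base_url.rstrip("/")
        # Cookie jar keeps the session established by SignAppin.
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
        self.auth_header = f"PS-Auth key={api_key}; runas={runas_user};"

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.base}/{path}", data=data, method=method)
        req.add_header("Authorization", self.auth_header)
        req.add_header("Content-Type", "application/json")
        with self.opener.open(req) as resp:
            return resp.status

    def sign_in(self):
        return self._call("POST", "Auth/SignAppin")

    def delete_managed_account(self, account_id):
        return self._call("DELETE", f"ManagedAccounts/{account_id}")


def cleanup(client, managed_accounts, ad_users, decommissioned_ou, domain, dry_run=True):
    """Return the IDs selected for deletion; delete them only when dry_run=False."""
    ids = orphaned_ids(managed_accounts, ad_users, decommissioned_ou, domain)
    if dry_run or client is None:
        return ids
    client.sign_in()
    for account_id in ids:
        client.delete_managed_account(account_id)
    return ids


if __name__ == "__main__":
    report = classify(MANAGED_ACCOUNTS, AD_USERS, DECOMMISSIONED_OU, DOMAIN)
    print(json.dumps({k: [a["AccountName"] for a in v] for k, v in report.items()}, indent=2))
    print("would delete:", cleanup(None, MANAGED_ACCOUNTS, AD_USERS, DECOMMISSIONED_OU, DOMAIN))
```

Run it with the defaults to get a dry-run report first; the "parked" bucket mirrors the reply's practice of moving disabled contractors to an OU that Password Safe does not scan, so those accounts are reported but never deleted, and only accounts whose AD object is actually gone reach the DELETE call.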