Account Lifecycle Management
Proper account lifecycle management ensures accounts remain secure throughout their existence, from creation through deactivation. This process encompasses account provisioning, regular reviews, modification procedures, and timely deactivation. Poor lifecycle management leads to orphaned accounts, excessive privileges accumulated over time, and unauthorized access through forgotten accounts.
Account provisioning should follow standardized procedures ensuring consistent security settings. In Windows, use PowerShell scripts or provisioning tools to create accounts with proper group memberships, home directories, and initial passwords. The following PowerShell example creates a user with specific properties:
New-ADUser -Name "John Smith" -SamAccountName "jsmith" -UserPrincipalName "[email protected]" -Path "OU=Users,DC=domain,DC=com" -AccountPassword (ConvertTo-SecureString "InitialP@ssw0rd!" -AsPlainText -Force) -Enabled $true -ChangePasswordAtLogon $true
Linux account provisioning uses useradd with appropriate options. Create accounts with a specific UID, home directory, and login shell: useradd -m -u 1500 -s /bin/bash -c "John Smith" -e 2024-12-31 jsmith. The -e flag sets the account expiration date, so the account is disabled automatically once that date passes. Implement scripts that automate account creation with consistent security settings, including proper file permissions and initial SSH key deployment.
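The following script is an added example and not part of the original article: a provisioning helper for the Linux procedure above that validates every input before it reaches useradd and then emits the account-creation and SSH-key-deployment commands with fixed permissions, so each account is built the same way. It prints the commands as a plan (pipe the output into sh -e as root to apply it); the home directory root, the /bin/bash shell, the minimum UID of 1000, the user-private-group assumption behind -g, and the sample user and key are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article or any distribution's tooling.
# provision_plan validates its inputs, then prints the commands that create a
# Linux account with consistent security settings. Run as root via:
#   provision_plan jsmith "John Smith" 1500 2024-12-31 "$PUBKEY" | sh -e

LOGIN_SHELL=/bin/bash   # assumption: interactive users get bash
MIN_UID=1000            # assumption: human accounts start at UID 1000

# valid_username NAME: 1 to 32 chars, useradd's portable default pattern.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# valid_expiry YYYY-MM-DD: the form useradd -e expects, and a real calendar date.
valid_expiry() {
    printf '%s' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}$' &&
        date -d "$1" >/dev/null 2>&1
}

# valid_comment TEXT: the GECOS field. ':' is the passwd separator, ',' splits
# GECOS subfields, and quotes would break the generated command line.
valid_comment() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9 ._-]+$'
}

# valid_pubkey LINE: exactly one OpenSSH public key of a supported type,
# optionally followed by a comment made of safe characters.
valid_pubkey() {
    printf '%s' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [A-Za-z0-9@._-]+)?$'
}

# provision_plan USER "FULL NAME" UID YYYY-MM-DD "PUBKEY"
# Returns 1 (nothing printed) on any invalid input; otherwise prints the plan.
provision_plan() {
    user=$1; comment=$2; uid=$3; expiry=$4; pubkey=$5
    valid_username "$user"   || { echo "invalid username: $user" >&2; return 1; }
    valid_comment "$comment" || { echo "invalid comment" >&2; return 1; }
    case $uid in *[!0-9]*|'') echo "invalid uid" >&2; return 1;; esac
    [ "$uid" -ge "$MIN_UID" ] || { echo "uid below $MIN_UID" >&2; return 1; }
    valid_expiry "$expiry"   || { echo "invalid expiry: $expiry" >&2; return 1; }
    valid_pubkey "$pubkey"   || { echo "invalid public key" >&2; return 1; }
    home=/home/$user   # assumption: default HOME base from /etc/default/useradd
    # -g $user assumes user-private groups (USERGROUPS_ENAB yes in login.defs).
    cat <<EOF
useradd -m -u $uid -s $LOGIN_SHELL -c '$comment' -e $expiry $user
chmod 700 $home
install -d -m 700 -o $user -g $user $home/.ssh
printf '%s\n' '$pubkey' > $home/.ssh/authorized_keys
chown $user:$user $home/.ssh/authorized_keys
chmod 600 $home/.ssh/authorized_keys
chage -d 0 $user
EOF
}

# Stand-alone run: print the plan for a constructed user and a placeholder key
# (the key material below is not a real key).
provision_plan jsmith "John Smith" 1500 2024-12-31 \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotRealAAAAAAAAAAAAA jsmith@laptop'
```

The last line of the plan, chage -d 0, forces a password change at first login, the Linux counterpart of the -ChangePasswordAtLogon switch in the PowerShell example. Rejecting rather than escaping odd characters keeps the generated command lines trivially safe to feed to a shell, which matters when the inputs come from an HR feed rather than from an administrator's keyboard.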
Regular account reviews identify inactive accounts, inappropriate privileges, and policy violations. Schedule quarterly or semi-annual reviews depending on organization size and security requirements. Windows environments can use PowerShell to identify inactive accounts: Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly. Linux systems require parsing last-login information from /var/log/wtmp or using the lastlog command. Document review results and remediation actions for compliance purposes.
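As an added example (not code from the original article), the script below implements the Linux side of the review: it reads lastlog output and reports every account that has never logged in or whose last login is older than a threshold, the same 90-day window the Search-ADAccount command above uses. The lastlog lines and the review date are constructed so the script runs offline; on a real host you would pipe the actual lastlog output in, as the comments show.

```shell
#!/bin/sh
# Added example, not from the original article. Parses lastlog's output and
# flags accounts with no login in THRESHOLD days, plus accounts that never
# logged in. Requires GNU date for `date -d`.

# Constructed sample in lastlog's output format (not captured from a real host).
SAMPLE_LASTLOG='Username         Port     From             Latest
root             tty1                      Wed Dec 20 10:15:42 +0000 2023
jsmith           pts/0    10.0.0.5         Tue Mar 12 09:01:07 +0000 2024
svc_backup                                 **Never logged in**
adeveloper       pts/1    10.0.0.7         Fri Mar 29 17:45:10 +0000 2024'

# Review date fixed to 2024-04-01 00:00:00 UTC so the run is reproducible;
# on a real host use $(date +%s).
REVIEW_NOW=1711929600

# inactive_accounts THRESHOLD_DAYS NOW_EPOCH < lastlog-output
# Prints "<user> <days since last login>" or "<user> never" per flagged account.
inactive_accounts() {
    threshold_days=$1
    now=$2
    cutoff=$((now - threshold_days * 86400))
    tail -n +2 | while IFS= read -r line; do     # skip the header row
        user=${line%% *}                          # first whitespace-separated field
        case $line in
            *"Never logged in"*)
                echo "$user never"
                ;;
            *)
                # lastlog's timestamp is the last six fields, e.g.
                # "Tue Mar 12 09:01:07 +0000 2024"; the port/host columns vary.
                stamp=$(printf '%s\n' "$line" |
                    awk '{print $(NF-5), $(NF-4), $(NF-3), $(NF-2), $(NF-1), $NF}')
                last=$(date -d "$stamp" +%s 2>/dev/null) || continue
                if [ "$last" -lt "$cutoff" ]; then
                    echo "$user $(( (now - last) / 86400 ))"
                fi
                ;;
        esac
    done
}

# Stand-alone run over the constructed sample with a 90-day threshold.
# On a real host: lastlog | inactive_accounts 90 "$(date +%s)"
printf '%s\n' "$SAMPLE_LASTLOG" | inactive_accounts 90 "$REVIEW_NOW"
```

Two caveats when using this on a real system: lastlog records only the most recent login through the login-tracking path, so an account used exclusively by cron jobs or service processes will look inactive, and lastlog itself offers lastlog -b 90 to pre-filter records older than 90 days if you only need the list and not the day counts. Never-logged-in accounts deserve a separate decision: they are often provisioned-but-unused accounts that should be disabled before they are ever used.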
Account deactivation must occur immediately upon employee termination or role changes. Implement automated deactivation workflows triggered by HR systems when possible. For Windows, disable accounts rather than deleting them initially, preserving audit trails: Disable-ADAccount -Identity "jsmith". Linux account locking uses usermod -L username to prevent login while maintaining account data. After the appropriate retention period, fully remove accounts and associated data following documented procedures.
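An added example, not from the original article, for verifying that Linux deactivations are complete. usermod -L only prefixes the password hash in /etc/shadow with "!", which blocks password authentication; on the common sshd configuration (UsePAM yes) a public key in the user's authorized_keys still logs in until the account itself is expired, which is why the usermod manual recommends also setting an expiry date. The script reads shadow-format lines, flags accounts that are password-locked but not expired, and prints the commands that close the gap. The shadow entries and the review date are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Audits shadow entries for
# accounts whose password is locked ("!" prefix, as usermod -L sets) but that
# have no past account-expiry date, so key-based SSH logins may still work.

# Constructed shadow entries (not copied from a real host). Field layout:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved, where "expire"
# is days since 1970-01-01, the unit chage -E also accepts.
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19700:0:99999:7:::
jsmith:!$6$saltsalt$hashhashhash:19700:0:99999:7:::
tmiller:!$6$saltsalt$hashhashhash:19700:0:99999:7::19900:
kdoe:!$6$saltsalt$hashhashhash:19700:0:99999:7::1:
svc_backup:*:19700:0:99999:7:::'

# Today as days since the epoch, fixed to 2024-04-01 for a reproducible run;
# on a real host use $(( $(date +%s) / 86400 )).
TODAY_DAYS=19814

# incomplete_lockouts TODAY_DAYS < shadow-file
# Prints each account with a "!"-locked password and no expiry in the past.
# Entries with "*" (never had a password) are left alone: they are usually
# service accounts that were never meant to log in with a password.
incomplete_lockouts() {
    awk -F: -v today="$1" '
        $2 ~ /^!/ && ($8 == "" || $8 + 0 > today + 0) { print $1 }
    '
}

# complete_lockout USER: prints the commands that finish the deactivation;
# pipe into `sh -e` as root to apply them.
complete_lockout() {
    printf 'usermod -L %s\n' "$1"                # lock the password (idempotent)
    printf 'chage -E 0 %s\n' "$1"                # expire the account, which also stops SSH keys
    printf 'pkill -KILL -u %s || true\n' "$1"    # end sessions that are already open
}

# Stand-alone run: list the gaps in the sample and the commands that close them.
# On a real host: incomplete_lockouts "$(( $(date +%s) / 86400 ))" < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | incomplete_lockouts "$TODAY_DAYS" | while read -r u; do
    complete_lockout "$u"
done
```

Expiring the account rather than deleting it keeps the UID, home directory, and audit history intact for the retention period the text describes, while still closing every authentication path; the later removal step can then proceed on its own schedule.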