Delete orphaned Active Directory accounts

When integrating the AD application into your new midPoint ecosystem, you found some AD accounts that are either leftovers of unknown purpose from the past or even obviously malicious attack attempts. You have marked some of them for later resolution, but you kept the obviously malicious one unmarked because it should be removed from Active Directory for security reasons.

What awaits you in this module

Previously, you have prepared but kept inactive a synchronization rule to delete orphaned accounts from the AD server. In this module, you will activate this rule and eradicate any unmatched accounts without marks.

You will, of course, simulate the effects of the change before activating the rule in production to verify that it does nothing destructive. You need to be extra careful with rules that delete objects on remote systems because, if misconfigured, they can be irreversibly destructive.

In the future, when a similar "illegal" account without a counterpart in HRIS appears, midPoint will delete it during reconciliation. And any legitimate accounts that are not in HRIS will need to be protected with marks.

1. Prepare resource-side account deletion for testing

In link, you have created an AD synchronization rule called delete-unmatched-resource-object to delete unmatched accounts. You kept this rule in the Draft lifecycle state to avoid deleting legitimate accounts before you ensure their preservation by marking them accordingly.

Now that the marks are in place, you can safely activate the synchronization rule. First, put it to the Proposed lifecycle state to test it.

  1. In the AD resource synchronization rules, find the delete-unmatched-resource-object rule.

    • It is the Delete resource object reaction to the Unmatched situation

  2. Set its lifecycle state to Proposed.

Figure 1. List of target AD resource synchronization rules with the delete-unmatched-resource-object now in the Proposed state
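How this rule appears in the AD resource definition, as an added example that is not part of the training page (the element names follow midPoint's resource schema; the object type's kind and intent and the omitted mappings are assumptions):

```xml
<!-- Fragment of the AD resource definition (schemaHandling/objectType).
     kind/intent are assumed; attribute mappings are omitted. -->
<objectType>
    <kind>account</kind>
    <intent>default</intent>
    <!-- ... attribute mappings omitted ... -->
    <synchronization>
        <reaction>
            <name>delete-unmatched-resource-object</name>
            <!-- The lifecycle state gates the reaction:
                 draft    - not applied at all (the state it was left in earlier)
                 proposed - applied only by simulation tasks that use the
                            development configuration
                 active   - applied by production reconciliation.
                 Switch to "active" only after the simulation shows that
                 exactly the intended unmatched, unmarked accounts are hit. -->
            <lifecycleState>proposed</lifecycleState>
            <situation>unmatched</situation>
            <actions>
                <deleteResourceObject/>
            </actions>
        </reaction>
    </synchronization>
</objectType>
```

Accounts protected by marks are exempt from this reaction, so the marking done in the previous module is what keeps legitimate non-HRIS accounts safe once the state becomes active.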

2. Simulate behavior of the new configuration

You are now ready to simulate the behavior of the updated configuration before you put it into production.

  1. Use the Reconcile AD - development simulation reconciliation task you have set up and used in link.

  2. Inspect the simulation results to see if the configuration behaves as expected.

If you changed nothing else on the resource or in midPoint in the meantime, only the unmatched and unmarked accounts you need to get rid of are affected. Verify that the affected accounts are really the ones you want deleted.

Figure 2. Synchronization simulation results showing that one account would be deleted from the resource.

3. Delete unwanted accounts from Active Directory

Once tested and verified, activate the whole configuration in production.

  1. Switch the lifecycle state of the delete-unmatched-resource-object synchronization rule to Active.

  2. Run the Reconcile AD - real production reconciliation task you have set up and used in link.

After the task finishes, check the accounts on the AD resource in midPoint: the unmatched and unmarked accounts, such as the malicious cn=Secret Admin, are no longer in the list. You can also navigate to the training AD application user interface (i.e., the LDAP server) and check the results there, because this is the first time you are making changes to the data in the target application.

Next steps

With the unwanted accounts evicted from Active Directory, you are one step closer to the clean and secure IGA setup you are striving for. The next logical step is to enable data delivery to the target system, which will then seamlessly lead you to automating your setup.
