>>>>> "david" == david  <da...@lang.hm> writes:

david> On Thu, 22 Oct 2009, John Stoffel wrote:
Edward> Never delete user accounts.  Just disable them.  For precisely
Edward> the reason mentioned - after a user account is deleted,
Edward> whether Windows or Linux fileshare, the system says "I don't
Edward> know who owns those files..."
>> 
>> We don't delete them right away, but we do ask their manager to
>> clean up and we will chown them to someone else as needed.  Generally
>> the manager.
>> 
>> Depending on the company, nuking accounts might be the only way to do
>> it.  At a smaller shop, UIDs aren't a problem, but username conflicts
>> can and do crop up.

david> username conflicts are a problem anyway. when you look at logs
david> years later do you really want to have to remember that user
david> 'joe' means one person before July 2009 and a different person as
david> of September 2009?

I agree, it's a tough problem.  When I was at Lucent (bought out Ascend
where I was at the time) they had a single global namespace for their
usernames, and the policy was that 'handles' as they called them,
couldn't be re-used for two years after a person left.  

While I bitched about it at first, a little (tiny!) amount of
thinking on my part made me realize how great this simple policy was.
I think (it's been five years) that it was basically:

  - all handles are between 3-16 characters in length
  - HR picks them initially.  
  - Users can request a change to a new handle
  - Handles shall be used as usernames on all computer systems
  - No handle may be reused until two years have passed since it was
    active
  - Handles must be approved by HR/Mgmt, so that nothing "naughty" got
    used.  

It worked surprisingly well, esp with Unix limited to 60,000 unique
users on a system, having 130,000+ people in a company meant they had
to have a consistent overall system.

I personally think this scales down to even a small company.  And
please, let's get away from those asinine first.last@ email
addresses.  They just don't scale.  But god knows why some CEOs
continue to insist on them, like my current job.  Stupid.

John