Question: How to expire/deactivate inactive user accounts?
Posted by Kellen on Sat 5 Mar 2005 at 00:15
I have a machine which has a large number of users, many of whom are inactive. I would like to be able to identify and purge these users and their files. Is there a standard way to do this, and if so, what is it?
lastlog looks promising, but I have the added complication of users who check their email via IMAP (dovecot and imp3), and local users who have multiple accounts and just su to their other accounts. It seems like I could grep the auth and imap log files for this info, but this problem must have previously been solved more elegantly.
So:
- What is the standard way of expiring user accounts?
- Is there an integrated way to log su's and imap access? (a.k.a. "help me deal with my possibly strange setup")
[ Send Message | View Steve's Scratchpad | View Weblogs ]
The standard way of expiring accounts is to set an expiry date on the passwords - this would prevent them from logging in or using su to switch users.
However I'm not sure how the IMAP logins would work with that.
Usually expiration dates are set up when the accounts are created, but you can use the usermod command to set them up at any time you like.
The general way you'd run it is:
usermod -e 2005-03-10 username
But you can read all the details by running:
man usermod
I'd wonder why you have so many accounts that you can't keep track of? Perhaps removing the accounts people are su'ing to? Or disabling all accounts and having people call you to see which ones are needed might work?
Steve
-- Steve.org.uk
[ Parent | Reply to this comment ]
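An added example, not part of the original thread: one way to combine the sources the question mentions (ssh logins, su sessions and IMAP logins) into a single last-activity time per account, then print, without running, the `usermod -e` commands from the answer above. The log lines are constructed, the account names are hypothetical, and the sshd, PAM su and dovecot line formats are assumptions that should be checked against the real logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page). Assumed formats:
# sshd "Accepted", PAM su session lines, dovecot "imap-login: Login: user=<name>".
SAMPLE_LOG = """\
Jan 10 09:12:44 host sshd[811]: Accepted password for alice from 192.0.2.7 port 4022 ssh2
Feb 27 08:01:13 host su[2301]: pam_unix(su:session): session opened for user support by bob(uid=1001)
Mar  1 22:40:02 host dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.9
Mar  3 07:55:10 host sshd[990]: Accepted publickey for bob from 192.0.2.8 port 5151 ssh2
"""

# Each pattern captures the account that was actually used (for su: the target).
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from"),
    re.compile(r"su\[\d+\]: .*session opened for user ([^\s(]+)\S* by"),
    re.compile(r"imap-login: Login: user=<([^>]+)>"),
]

def last_activity(log_text, year):
    """Map account -> most recent ssh login, su session or IMAP login."""
    seen = {}
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            # Classic syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            user = m.group(1)
            if user not in seen or ts > seen[user]:
                seen[user] = ts
    return seen

def inactive_accounts(accounts, seen, now, max_idle_days):
    """Accounts with no recorded activity inside the idle window, sorted."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in accounts if seen.get(a, datetime.min) < cutoff)

def expiry_commands(users, expire_on):
    """Build (do not run) usermod -e commands for review by the admin."""
    return [f"usermod -e {expire_on} {u}" for u in users]

if __name__ == "__main__":
    now = datetime(2005, 3, 5)
    idle = inactive_accounts(["alice", "bob", "carol", "dave", "support"],
                             last_activity(SAMPLE_LOG, 2005), now, 30)
    print("\n".join(expiry_commands(idle, "2005-03-10")))
```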
I guess one way to move forward would be to use the system's /etc/aliases file, or similar, to redirect mail to the correct users.
So instead of having two users bob and support you just have the bob user - and inside your /etc/aliases file you add:
support : bob
Once you run newaliases bob should now get all mail addressed to support.
(Depending on the mail server you're using this might be ignored - but if not it's a very simple solution which might allow you to cut down on your login accounts)
Steve
-- Steve.org.uk
[ Parent | Reply to this comment ]
Remember to check for:
cron jobs, mail spool entries, at jobs, ssh keys, etc.
[ Parent | Reply to this comment ]
/sbin/nologin, or /dev/null.
[ Parent | Reply to this comment ]