Question: How to expire/deactivate inactive user accounts?

Posted by Kellen on Sat 5 Mar 2005 at 00:15

Tags:

I have a machine which has a large number of users, many of whom are inactive. I would like to be able to identify and purge these users and their files. Is there a standard way to do this, and if so, what is it?

lastlog looks promising, but I have the added complication of users who check their email via IMAP (dovecot and imp3), and local users who have multiple accounts and just su to their other accounts. It seems like I could grep the auth and imap log files for this info, but this problem must have previously been solved more elegantly.

So:

  1. What is the standard way of expiring user accounts?
  2. Is there an integrated way to log su's and imap access? (a.k.a. "help me deal with my possibly strange setup")
Share/Save/Bookmark
Add Comment XML logo Printable version

 

<<< Question: Measuring/Monitoring Network Usage Monitoring network traffic with ngrep >>>

#1
Re: Question: How to expire/deactivate inactive us
Posted by Steve (82.41.xx.xx) on Sun 6 Mar 2005 at 13:30
[ Send Message | View Steve's Scratchpad | View Weblogs ]

The standard way of expiring accounts is to set an expiry date on the passwords - this would prevent them from logging in or using su to switch users.

However I'm not sure how the IMAP logins would work with that..

Usually expiration dates are setup when the accounts are created, but you can use the usermod command to set them up at any time you like.

The general way you'd run it is:

usermod -e 2005-03-10 username

But you can read all the details by running: 

man usermod

I'd wonder why you have so many accounts that you can't keep track of? Perhaps removing the accounts people are su'ing to? Or disabling all accounts and having people call you to see which ones are needed might work?

Steve
-- Steve.org.uk

[ Parent | Reply to this comment ]

#2
Re: Question: How to expire/deactivate inactive us
Posted by hruske (193.2.xx.xx) on Sun 6 Mar 2005 at 18:34
[ Send Message ]
Here's a quick guide about password aging, it's not debian, but it's a hint. http://www.puschitz.com/SecuringLinux.shtml#EnablingPasswordAging

[ Parent | Reply to this comment ]

#3
Re: Question: How to expire/deactivate inactive us
Posted by Kellen (68.15.xx.xx) on Mon 7 Mar 2005 at 01:32
[ Send Message | View Weblogs ]
Let's just say I inherited a system where people had multiple accounts for their multiple emails (not the best system, I know). Perhaps a partial solution to this would be to separate out the IMAP-only users and have them be without local accounts at all... But I don't know how to do this either =/

[ Parent | Reply to this comment ]

#4
Re: Question: How to expire/deactivate inactive us
Posted by Steve (82.41.xx.xx) on Mon 7 Mar 2005 at 01:34
[ Send Message | View Steve's Scratchpad | View Weblogs ]

I guess one way to move forward would be to use the system's /etc/aliases file, or similar, to redirect mail to the correct users.

So instead of having two users bob and support you just have the bob user - and inside your /etc/aliases file you add:

support : bob

Once you run newaliases bob should now get all mail addressed to support.

(Depending on the mail server you're using this might be ignored - but if not it's a very simple solution which might allow you to cut down on your login accounts)

Steve
-- Steve.org.uk

[ Parent | Reply to this comment ]

#5
Re: Question: How to expire/deactivate inactive us
Posted by Kellen (68.15.xx.xx) on Mon 7 Mar 2005 at 02:04
[ Send Message | View Weblogs ]
Yeah, I'm aware of aliases and use it in most circumstances. I'm not so worried about the users that have multiple accounts as the "dead" accounts, which still have valid passwords and shells. It seems I shall be grepping some archived mail.log files for "imap-login".

[ Parent | Reply to this comment ]

#6
Re: Question: How to expire/deactivate inactive us
Posted by Anonymous (213.164.xx.xx) on Mon 7 Mar 2005 at 13:05
Expiring an account won't prevent it being used.

Remember to check for:
cron jobs, mail spool entries, at jobs, ssh keys, etc.

[ Parent | Reply to this comment ]

#7
Re: Question: How to expire/deactivate inactive user accounts?
Posted by Anonymous (12.175.xx.xx) on Tue 29 May 2007 at 23:21
To disable inactive or "dormant" accounts, use the usermod -s command to set the user's default shell to /bin/false, /usr/bin/false, /sbin/false,
/sbin/nologin, or /dev/null.

[ Parent | Reply to this comment ]

User Login

Username:

Password:

[ Advanced Login ]

Register Account

Quick Site Search