At the end of an academic year, the whole fraction of students permanently leave a school or university system. Once these users graduate, IT administrators are left with a huge number of accounts that must be marked as inactive and then dealt with according to system policies. An automated solution can do this tedious job for you and automatically disable those accounts to avoid associated security issues.

1. White Paper: How to Automate Deactivation
of Graduates' User Accounts
Written by NetWrix Corporation
1

2. © Copyright NetWrix Corporation 2008. All rights reserved.
This guide contains proprietary information, which is protected by copyright. The software
described in this guide is furnished under a software license or nondisclosure agreement. This
software may be used or copied only in accordance with the terms of the applicable agreement. No
part of this guide may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's
personal use without the written permission of NetWrix Corporation.
WARRANTY
The information contained in this document is subject to change without notice. NetWrix
Corporation makes no warranty of any kind with respect to this information. NETWRIX
SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. NetWrix Corporation shall not be liable for
any direct, indirect, incidental, consequential, or other damage alleged in connection with the
furnishing or use of this information.
TRADEMARKS
All trademarks and registered trademarks used in this guide are property of their respective
owners.
Web: http://www.netwrix.com
Phone: +1.888.NETWRIX (888.638.9749)
Address: 140 E. Ridgewood Ave
Suite 415 South Tower
Paramus, NJ 07652
2

3. How to Automate Deactivation of Graduates' User Accounts
The problem
Providing well-administrated IT services to a student body can be a challenge. Unlike other IT
environments, a large influx and outflux of users occurs at points in time tied to the academic calendar. At
the end of an academic year, many thousands of students may permanently leave a school or university
system. Once these users graduate, discontinue their education, or perhaps simply move away, IT
administrators are left with a huge number of accounts that must be marked as inactive and then dealt with
according to system policies.
Sound administration and security practices demand that this cumbersome housekeeping be done quickly
and efficiently - yet in the complex distributed networking environments in today's educational systems,
this is easier said than done. A typical university infrastructure is a Windows environment running Active
Directory to manage user data, security and distributed resources. However, identifying unused accounts,
marking them inactive and disabling or deleting them is not an automated process out of the box. Though
these individual functions can be done within Active Directory, a significant investment in admin time is
needed to do so when dealing with many thousands of users.
The solution
An automated solution to this problem should take advantage of the Active Directory functionality in a
manner that streamlines and simplies the process for the sys admin. It should check all user accounts in
specied domains at an interval set by the administrator, and automatically disable those accounts. In
addition, this utility should address the issue of differing lastLogon data in a system: this attribute
represents the last time a user was authenticated by a specic Domain Controller, but AD does not replicate
this value. As a result, the lastLogon value will be different on each DC. A well-designed admin utility will
query all DCs in the domain and use the most recent logon time, also called the "true last logon", thus
ensuring that the most current and correct parameters are used in determining whether or not an account is
truly inactive.
Implementation: NetWrix Inactive Users Tracker
The Inactive Users Tracker utility from NetWrix meets these criteria. It is a simple, effective tool for
educational IT administrators who need a cost-effective, time-saving way to deal with a multitude of
periodically or permanently inactive users. A freeware version is available that identities inactive accounts
in the intelligent manner outlined above; using this, administrators can then manually disable or delete the
identified accounts. The commercial version of Inactive Users Tracker allows the admin to automatically
disable user accounts, customize emails alerts and messages, and comes with technical support. The free
download of Inactive Users Tracker offers a demonstration of the exceptional value of this utility in
educational IT administration.
3

4. About NetWrix Corporation
Established in 2006, NetWrix Corporation provides innovative and cost-effective solutions
that simplify and automate the management of Windows networks. With in-depth
knowledge and experience managing Windows environments of all sizes, the company
delivers solutions to meet complicated business requirements while fulfilling the best
expectations of IT professionals.
Contacting NetWrix
Toll-free Phone: 888.638.9749
Web site: www.netwrix.com
Address: 140 E. Ridgewood Ave
Suite 415 South Tower
Paramus, NJ 07652
Contacting NetWrix Support
Technical support is available to customers who have a trial version of a NetWrix product or
who have purchased a commercial version and have a valid maintenance contract. Contact
NetWrix Support at http://www.netwrix.com/support.
4