ITS to Disable Inactive Active Directory (UMROOT) Accounts Daily

ITS and the U-M security community share the important responsibility of securing U-M’s digital assets. Protecting credentials in accordance with the Access, Authorization, and Authentication Management (DS-22) standard is an essential component of that effort. ITS Identity and Access Management (IAM) is working to enhance the security of Active Directory (UMROOT) over multiple phases. Each unit that uses the UMROOT environment will be engaged to implement changes and align its practices with new expectations.

The current step in this effort is to implement new daily, automated disabling procedures for inactive AD (UMROOT) accounts. 

  • Beginning October 9, 2024: each day, UMROOT accounts that have not been logged into for 90 days will be considered inactive and automatically disabled.
  • Beginning November 8, 2024: each day, UMROOT accounts that are disabled and have not been logged into for 120 days will be deleted.

Note: Uniqname accounts in UMROOT will not be affected by these procedures.

IAM Support for Units

To facilitate units’ adjustment to the automated, daily disabling of inactive accounts, IAM is:

  • Sending email communications to those responsible for Active Directory (AD) account management beginning regarding the implementation of the new procedures.
  • Maintaining information on the Active Directory (UMROOT) Improvements page, including a link to key information, dates and instructions.
  • Holding Active Directory Office Hours to answer questions. Refer to the Active Directory (UMROOT) Improvements page for dates/times. 

If unit IT staff have questions or concerns, they can reach out to Kyle Cozad.