We use EEPC 5.25. We have a certain number of support users added to all endpoints. They have, for example, Roger2010 as the default password. How do we remove the ability for a support user to log in to an encrypted device with the default password after, say, 60 days or so? Can we use a script? If so, can anybody suggest how to go about doing this?
Use the API command "showoldusers", then pipe that result into a move or delete user operation?
Remember, though, it's not whether the user has used "an" endpoint, it's whether the user has used ANY endpoint.
Yes, I will try the ShowOldUsers command. However what happens in the below scenario?
Jsmith and Jbaker, the two support users cached in Laptop-A, are picked up by AutoDomain and assigned to the Machine property, whereas Laptop-B has Jbaker alone. The AutoDomain script picks up Jbaker and adds him to the respective machine property. Jbaker has not logged in to Laptop-A for 62 days.
So, what you're saying is that if I run ShowOldUsers for users older than 60 days and delete them, the script will not only delete Jbaker on Laptop-A, but also from Laptop-B, right?
Each user is a distinct object, but there is only one instance in the EEM database. So the user account shows activity REGARDLESS of which machine it comes from. Did you even look at the user "Audit Log" in EEM when a user logs in to multiple machines? If you did, then this behavior would be obvious.
So the account would NOT be deleted from ANY machine if it has been active for less than the set number of days.
You actually can use the SBADMCL Changepassword option and set it to a different password.
So first show old users, then, based on the output, change those users' passwords.
If you do it this way they will not be deleted from the database.