1-Visitor

Solved

Audit inactive users

Forum|Forum|10 years ago
July 24, 2015
2 replies
5122 views

Is there a way to audit or automate via trigger a list of inactive users in the last 90 days? What I mean by inactive is that the have not logged in to Integrity in 90+ days. We are currently using MKS Integrity 2009 SP7 using the MKS Domain for security. We will be upgrading to PTC Integrity 10 in the coming weeks.

I ask this because we are doing a security audit of our enterprise. I know (correct me if I wrong, I'm not a Windows server guru) with Windows server you can set user accounts to be locked out or to expire after a given time of inactivity has passed.

Thanks

Dan

Best answer by JoeBartlett

You can, if you want your users to complain about slow performance. The PSM Server is a significant number-crunching aplication and has large resource requirements for CPU, RAM, and network I/O (see requirements in the Installation Guide). If you mean the same physical server racke but within its own virtual machine, that is perfectly fine as long as the resources are there to support both the Integrity and PSM VMs without competition.

As I mentioned the Collector could be installed on a Dev or Test Integrity staging server if you have the extra resources for it (Dev -> Test -> Prod).

M

MichaelChatel

5-Regular Member

Hi Daniel,

Sounds like what you are looking for, is what is requested in enhancement RFC # 634693, "Set users inactive if they were not actively log-in into the system for specific period of time". FYI, the RFC also speaks to tracking last log-in time, etc.

But right now, to answer your question, no, you cannot do this with the MKSDomain in Integrity currently.

You can open a case with Support, to ask to be attached to the RFC (we track interested customers), but, I don't anticipate this feature being implemented anytime soon, due to some design considerations with the current MKSDomain.

J

JoeBartlett

21-Topaz I

Hi Dan,

If you use PSM to monitor your Integrity server you can accomplish this in a couple steps. Since PSM monitors all activities on the server (including user logins) you can generate a list of usernames who *have* logged-in in the past 90 days and compare that against the list of all users in the mksdomain (aa users). The extra users in mksdomain not listed by the PSM data will be the ones you can set to inactive or remove from license groups.

For more details about PSM, see this page.

D

DanR.

Author

1-Visitor

Joe,

You make it sound so simple, until I opened the 122 page installation guide. Could you show me the couple of steps?

J

JoeBartlett

21-Topaz I

1) Within PSM, you can expand the left-side cockpit to show the Server - Logins business transactions.

2) Double-clicking on it will bring up a new tab showing all login operations within the timeframe defined by the filter at the top (last 30 minutes by default). You can click the filter hyperlink and change it to the pre-set Last 90 Days timeframe. Take note that the Splittings column gives a list of the usernames.

3) You can copy and paste that list directly into Excel.

4) Next, from the Integrity command line you get a listing of all users in mksdomain which can be redirected to a text file:

aa users > TextFile1.txt

This user list can be copied from that file into the same Excel spreadsheet side-by side and sorted. Once they are compared you can see the extra user accounts who did not appear in PSM. These are the users who have not logged into Integrity in the last 90 days and you can inactivate them.

Hopefully that makes things easier.

Sign up

Please use your PTC eSupport account.

Welcome to the PTC Community

Please use your PTC eSupport account.

Scanning file for viruses.

This file cannot be downloaded