cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Audit inactive users

SOLVED
Bedrock

Audit inactive users

Is there a way to audit or automate via trigger a list of inactive users in the last 90 days?  What I mean by inactive is that the have not logged in to Integrity in 90+ days.  We are currently using MKS Integrity 2009 SP7 using the MKS Domain for security.  We will be upgrading to PTC Integrity 10 in the coming weeks.

I ask this because we are doing a security audit of our enterprise.  I know (correct me if I wrong, I'm not a Windows server guru) with Windows server you can set user accounts to be locked out or to expire after a given time of inactivity has passed.

Thanks

Dan

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Audit inactive users

You can, if you want your users to complain about slow performance. The PSM Server is a significant number-crunching aplication and has large resource requirements for CPU, RAM, and network I/O (see requirements in the Installation Guide). If you mean the same physical server racke but within its own virtual machine, that is perfectly fine as long as the resources are there to support both the Integrity and PSM VMs without competition.

As I mentioned the Collector could be installed on a Dev or Test Integrity staging server if you have the extra resources for it (Dev -> Test -> Prod).

10 REPLIES 10

Re: Audit inactive users

Hi Daniel,

Sounds like what you are looking for, is what is requested in enhancement RFC # 634693, "Set users inactive if they were not actively log-in into the system for specific period of time".  FYI, the RFC also speaks to tracking last log-in time, etc. 

But right now, to answer your question, no, you cannot do this with the MKSDomain in Integrity currently.

You can open a case with Support, to ask to be attached to the RFC (we track interested customers), but, I don't anticipate this feature being implemented anytime soon, due to some design considerations with the current MKSDomain.

Re: Audit inactive users

Hi Dan,

If you use PSM to monitor your Integrity server you can accomplish this in a couple steps. Since PSM monitors all activities on the server (including user logins) you can generate a list of usernames who *have* logged-in in the past 90 days and compare that against the list of all users in the mksdomain (aa users). The extra users in mksdomain not listed by the PSM data will be the ones you can set to inactive or remove from license groups.

For more details about PSM, see this page.

Re: Audit inactive users

Joe,

You make it sound so simple, until I opened the 122 page installation guide.  Could you show me the couple of steps?

Highlighted

Re: Audit inactive users

1) Within PSM, you can expand the left-side cockpit to show the Server - Logins business transactions.

PSM1.png

2) Double-clicking on it will bring up a new tab showing all login operations within the timeframe defined by the filter at the top (last 30 minutes by default). You can click the filter hyperlink and change it to the pre-set Last 90 Days timeframe. Take note that the Splittings column gives a list of the usernames.

PSM2.png

3) You can copy and paste that list directly into Excel.

4) Next, from the Integrity command line you get a listing of all users in mksdomain which can be redirected to a text file:

aa users > TextFile1.txt

This user list can be copied from that file into the same Excel spreadsheet side-by side and sorted. Once they are compared you can see the extra user accounts who did not appear in PSM. These are the users who have not logged into Integrity in the last 90 days and you can inactivate them.

Hopefully that makes things easier.

Re: Audit inactive users

I was refering to the Installation, not the usage.  We do not have it installed and I do not believe it will work on AIX.

Re: Audit inactive users

According to the compatibility matrix some parts of PSM can be installed on AIX. The Agent (the part that gets installed on the Integrity Server) and the Collector (the application which receives data sent by the Agent) are supported on AIX 6.1 SP1 and higher. The PSM Server and any Clients would need to be installed on Windows or some Red Hat variant of Linux.

Even if you could get PSM installed today it would not help you with the imminent audit since PSM would only start gathering data once it gets up and running. Going forward though, it would be very beneficial.

Re: Audit inactive users

Would this require an installation or cleint or service running on individual workstations?  I thought this was something I installed on the Integrity Server.

Re: Audit inactive users

The PSM Server needs its own hardware (physical or virtual).

The PSM Collector should be on its own hardware (physical or virtual, but could probably be installed alongside a lower tier staging server which is rarely used).

The PSM Agent is a small component that gets plugged into the Integrity Server JVM so requires no additional hardware.

The PSM Client is just like the Integrity Client and can be put on any workstation(s) you choose.

Hardware requirements for the PSM Server and Collector are detailed in the PSM Installation Guide.

Re: Audit inactive users

Can the server be installed on to the same server that Integrity resides on?