SNTT: Finding expired Users
I note with some degree of shame that I've not done a Show and Tell for a while. Now, as I've been doing lots of infrastructure audits recently, I thought I'd pass on this particular tip.
From the Notes 6 client onwards (surely you're not still running Notes 5?), every time the user authenticates, the client will occasionally send in an AdminP request to update the person document. So far, so good. This maintains a list of last logins on the person document and shows:
- Last login date
- Last login Notes version
- The machine name they logged in from
Cool. Now one big issue I see time and time again is that sites rarely have a decent "leavers" process. When someone leaves a firm, the HR department usually conducts a leavers interview, stops their pay (this doesn't often happen - I recall a chap in Holland who came into work for a year after his team was laid off, and only surfaced when his ID badge stopped working!), removes their laptop and contacts IT to have their user accounts cancelled.
Well, sometimes the user ID is kept on for a few weeks, usually for someone to review eMails, etc. And then it gets forgotten about. And it's *difficult* to find people, unless you look at each person document. Which is tedious. So why not build a view in the directory, filtered by Form Type equals "Person", where the first column is sorted (descending) on:
@Max(ClntDate)
As the "ClntDate" field is a multi-value date/time field, the @Max finds the latest login (these are stored as big numbers internally). Ah-ha.
So do you just go through and delete the ones who haven't logged in in a while? Ah. No.
There are issues. You see, if you are on long-term sick leave, off having a baby, or perhaps on sabbatical, then it's not a good idea to just remove their eMail account. However, armed with a list, it is possible to then do a proper clean-up exercise. So march off to HR with a printout and a highlighter pen, and get them to pick the folks who've not logged in for a while. Then it's probably safer to remove these people.
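The same check as a LotusScript agent, for producing the review list without changing the directory design. This is an added example, not code from the original post; it assumes the agent runs inside the Domino Directory, that the standard "People" view is present, and a 90-day threshold chosen purely for illustration. It only reports, and it calls out person documents where ClntDate is missing or is not stored as date/time (as one of the comments below describes) rather than guessing at them.

```lotusscript
Option Declare

' Added example: list person documents whose newest ClntDate entry is
' older than STALE_DAYS, as a review list for HR. Nothing is deleted.
Const STALE_DAYS = 90   ' assumed threshold, adjust to local policy

Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim view As NotesView
	Dim doc As NotesDocument
	Dim item As NotesItem
	Dim who As String
	Dim latest As Variant, cutoff As Variant

	Set db = session.CurrentDatabase      ' assumption: agent lives in the directory
	Set view = db.GetView("People")
	cutoff = Now - STALE_DAYS

	Set doc = view.GetFirstDocument
	Do Until doc Is Nothing
		If doc.GetItemValue("Form")(0) = "Person" Then
			who = doc.GetItemValue("FullName")(0)
			Set item = doc.GetFirstItem("ClntDate")
			If item Is Nothing Then
				Print who & ": no ClntDate recorded"
			ElseIf item.Type <> DATETIMES Or Not IsArray(item.Values) Then
				Print who & ": ClntDate is not a date/time list, check by hand"
			Else
				latest = NewestOf(item.Values)
				If latest < cutoff Then
					Print who & ": last seen " & Format$(latest, "yyyy-mm-dd")
				End If
			End If
		End If
		Set doc = view.GetNextDocument(doc)
	Loop
End Sub

' Equivalent of @Max over a multi-value date/time item.
Function NewestOf(values As Variant) As Variant
	Dim newest As Variant
	newest = CDat(0)
	ForAll v In values
		If CDat(v) > newest Then newest = CDat(v)
	End ForAll
	NewestOf = newest
End Function
```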

Comments
there is an alternative tho' - you can enable license tracking on your R6 and above servers - I believe the information expires out of that database after a period of time, so you have to keep on top of it, but it has the nice advantages of
a) keeping track of pre-R6 users *and* http logins (I think), and
b) it does it all in a separate database maintained on your administration server - so no faffing with the design of your directory.
Posted by Matt At 15:28:39 On 28/04/2007
Since two-thirds of our users were originally on dialup we have them configured to work on local mail replicas with replication in the background. We've dubbed this "nearline" because they are not working online or fully offline. The only issue with this is that authentication does not happen in the exact same way as when you open a database directly on the server, thus the policies and the ClntDate field don't get updated. So I have a lot of old dates showing up even for current users. Another thing I noticed was that the ClntDate field type, which is supposed to be a Time/Date List, actually shows as a Text and Text List type for 12 of my users. So that probably means there's a client problem with those users which is blocking the update process. I'll need to research this further.
Posted by Roland Reddekop At 16:48:06 On 28/04/2007
I suspect early v6 or beta clients actually used text strings, and then someone got slapped for using such shonky, non-international code..
You should see admin4.nsf events being created on authentications - I've pinged a reference off to someone in Westford which might give us a better idea on when this happens.
One last point. In the transition from v5 to v6 (I think), the -Default- ACL for Admin4 required you to allow all users to have at least author access - and I know a lot of earlier environments locked this down. So if this doesn't work for you at all, check this out.
Not only will the last login stuff not work for you, but if you start locking user mailbox ACL levels down to Editor, you'll lose the ability for the users to delegate themselves - as admin4.nsf is used on that functionality as well.
---* Bill
Posted by Wild Bill At 09:07:02 On 29/04/2007
All our users are 6.5.4 or later.
Another delayed response when authenticating via replication is updates to the local ECL via profiles. Some users receive them on the 1st replication, others have to wait a few days. Some only get these updates after a Manual Refresh.
Posted by AJP At 12:23:57 On 29/04/2007
Posted by AJP At 12:40:36 On 29/04/2007
To get the last login date information, I use "License Tracking" (as per comment #1).
Posted by Peter Herrmann At 04:38:48 On 30/04/2007
This way the assistant can sift through the messages and forward out the client-related stuff.
Then, after a time the assistant will have that person's alias removed.
This way we don't have IDs flying around that are for staff no longer employed.
Posted by Jamie Jenkins At 18:19:20 On 30/04/2007
I've made use of this information simply to verify the latest installed version of Notes as part of our ongoing ND7 upgrade, but our environment only updates the date the FIRST time a particular machine authenticates with the new version.
In other words, there is something different in our environment that isn't allowing ongoing logins to register on the person document. This may simply be that Default ACL access to admin4.nsf is only Reader, but then why would the first instance of a particular client version be registered?
Getting your approach to work would be very helpful in our current situation, but oh well.
Posted by Kevin Pettitt At 19:22:31 On 30/04/2007
There's a field held on each person document called ClntDgst (or something like that) - I think the client checks that field, and if the digest is different, then it will submit a client info update request to adminp, as Peter (@6) pointed out. I daresay if that field was deleted from the person document, that may also force the client to submit the adminp request as well.
Posted by Matt At 22:40:47 On 30/04/2007
Posted by knjknk At 14:44:27 On 22/05/2007