The Orion install I've inherited has stale accounts. These are local Orion accounts, some on the order of over 1,000 days since last login. Is there a way to automatically mark accounts disabled after some period of inactivity.
Thanks
Not built in, but everywhere I've been we just rely on AD integration and don't allow local Orion accounts except for special cases like scripting service accounts and such. That way user admin is effectively just synced with whatever you are doing in AD.
If you really want to set something up then you could set something up in SQL to disable stale users using a query similar to this
```sql
select * --update a set accountenabled = 'N'
from SolarWindsOrion.dbo.Accounts a
where lastlogin < dateadd(day,-365,getutcdate()) --haven't logged in for over a year
and AccountType = 1 --these are orion local accounts
and AccountEnabled = 'Y'
```
Personally, I'd 'expire' them so you can just re-enable them at a later date.
Because I do as much as possible with the API, this is how you'd do it in PowerShell.
```powershell
# Number of days since last login to assume the account is 'stale'
$NumDays = 365
# The query where we get the list of accounts to process
$Swql = @"
SELECT AccountID
     , Enabled
     , Expires
     , LastLogin
FROM Orion.Accounts
WHERE Enabled = 'Y'
  AND AccountID <> '_system'
  AND AccountID <> 'admin' -- up to you on this one, but you should keep at least one 'Orion' login with a strong password in case you need to troubleshoot
  AND AccountType = 1 -- Indicates an Orion Native Login
  AND LastLogin < GETUTCDATE() - $NumDays
  AND LastLogin > '1900-01-01 23:59:59'
ORDER BY AccountID
"@
# Build the connection to the API
$SwisConnection = Connect-Swis -Hostname "YourOrionServer" -UserName "admin" -Password 'StrongPassword'
# or if running directly from the Orion server (probably best for something like this)
# $SwisConnection = Connect-Swis -Hostname 'localhost' -Certificate
# Get a list of the matching accounts
$OldAccounts = Get-SwisData -SwisConnection $SwisConnection -Query $Swql
# Cycle through each account
ForEach ( $Account in $OldAccounts ) {
    # Build a hashtable of properties to update
    # To set the expiration, we only need to send the one
    $PropertiesToUpdate = @{
        # By adding the '.AddDays(-1)' we get "yesterday" - this should eliminate timezone mismatches
        Expires = ( Get-Date ).AddDays(-1)
    }
    Write-Host "Disabling '$( $Account.AccountID )' on '$( $SwisConnection.Channel.via.Host )'"
    # Update the account with the new expiration
    $Results = Invoke-SwisVerb -SwisConnection $SwisConnection -EntityName Orion.Accounts -Verb UpdateAccount -Arguments $Account.AccountID, $PropertiesToUpdate
    # Output a message based on if it said it worked or not
    if ( $Results.nil ) {
        Write-Host "Account Expiration set to 'today'" -ForegroundColor Red
    } else {
        Write-Error -Message "Something went wrong updating '$( $Account.AccountID )'"
    }
}
```
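Added example, not code from the thread: a report-first variant of the same SWIS approach that excludes break-glass/service logins, supports -WhatIf/-Confirm, and writes a CSV audit trail. It assumes the SwisPowerShell module, an existing connection in $swis, and that the exclusion list and CSV path are placeholders.

```powershell
# Added example (not from the thread). Assumes the SwisPowerShell module and an
# existing $swis connection from Connect-Swis; exclusion list and CSV path are placeholders.
function Get-StaleOrionAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $SwisConnection,
        [int] $NumDays = 365,
        # Break-glass and service logins that must never be expired (hypothetical list)
        [string[]] $Exclude = @('_system', 'admin')
    )
    # AccountType = 1 is an Orion native login; the 1900 sentinel skips accounts that never logged in
    $swql = @"
SELECT AccountID, Expires, LastLogin
FROM Orion.Accounts
WHERE Enabled = 'Y' AND AccountType = 1
  AND LastLogin < ADDDAY(-$NumDays, GETUTCDATE())
  AND LastLogin > '1900-01-01 23:59:59'
ORDER BY LastLogin
"@
    Get-SwisData -SwisConnection $SwisConnection -Query $swql |
        Where-Object { $Exclude -notcontains $_.AccountID } |
        Select-Object AccountID, LastLogin,
            @{ n = 'DaysIdle'; e = { [int]((Get-Date).ToUniversalTime() - $_.LastLogin).TotalDays } }
}
function Set-StaleOrionAccountExpired {
    # SupportsShouldProcess gives -WhatIf / -Confirm; ConfirmImpact High prompts by default
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] $SwisConnection,
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [string] $AuditLog = '.\orion-stale-accounts.csv'   # constructed path
    )
    process {
        $action = "Expire Orion login idle for $($Account.DaysIdle) days"
        if ($PSCmdlet.ShouldProcess($Account.AccountID, $action)) {
            # Expiring instead of disabling keeps the account easy to re-enable later
            $props = @{ Expires = (Get-Date).AddDays(-1) }
            $r = Invoke-SwisVerb -SwisConnection $SwisConnection -EntityName Orion.Accounts `
                                 -Verb UpdateAccount -Arguments $Account.AccountID, $props
            # Keep an audit trail of what was changed and whether SWIS reported success
            [pscustomobject]@{ When = (Get-Date).ToString('s'); AccountID = $Account.AccountID
                               DaysIdle = $Account.DaysIdle; Succeeded = [bool]$r.nil } |
                Export-Csv -Path $AuditLog -Append -NoTypeInformation
        }
    }
}
# Report first, rehearse with -WhatIf, then run for real (prompts per account unless -Confirm:$false)
$stale = Get-StaleOrionAccount -SwisConnection $swis
$stale | Set-StaleOrionAccountExpired -SwisConnection $swis -WhatIf
```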
Yah, in a perfect world you have groups not users added to Orion from AD or SAML and then something that maintains those groups (could be you looking on a regular schedule, could be scripts, or products that manage identity based on HR information, etc) so the correct people have the correct access.