wiki:RemovingUsers

Version 2 (modified by joshuadf, 12 years ago)

We don't actually remove users as such; we disable accounts and archive their data for future reference.

Archiving the home directory

Old home directories are kept in /usr/local/data/archive/people/ on vagal. The top level in that directory is the username (e.g., darren). The next level is the machine name, which contains the user's /home/ files from that machine. To find the default home directory in LDAP, use ldapsearch -xLLL '(uid=darren)'. If they have more than one home directory (NeXT, SGI, MacOS, etc.) there will be more than one machine name.

For example, darren's former home directory on sulcus would be /usr/local/data/archive/people/darren/sulcus. You can transfer the files with rsync over ssh, for example:

ssh vagal
cd /usr/local/data/archive/people/
eval `ssh-agent`; ssh-add
mkdir -p darren/sulcus
rsync -Sa --numeric-ids -e "ssh -c blowfish" sulcus:/home/darren /usr/local/data/archive/people/darren/sulcus

On vastus, you probably want to copy the whole tree of their home directory as hard links, which is the same way each day's backup works. This way a large home directory is not recreated in /usr/local/data/archive/people/:

ssh vastus
cd /data/rsync-data/current/vagal/usr/local/data/archive/people/
mkdir -p darren/sulcus
cp -al /data/rsync-home/current/sulcus/home/darren/ darren/sulcus/

After copying the files, add an entry in the /usr/local/data/archive/people/README, delete the home directory from the old machine, and disable the account in LDAP.
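
Since the original home directory is deleted after the copy, it helps to confirm first that the archived tree is complete. The following is an added example, not part of the original wiki page: the function names manifest and verify_archive are made up for this illustration, and it assumes GNU find and sha256sum are available.

```shell
#!/bin/sh
# Added example (not from the wiki page): check that an archived home
# directory matches the original before the original is deleted.
# Assumes GNU find (-printf) and sha256sum; function names are hypothetical.

# Print a sorted listing of DIR: type, mode, numeric uid:gid and symlink
# target for every entry, plus a SHA-256 line for every regular file.
manifest() {
    ( cd "$1" || exit 1
      find . -printf '%y %m %U:%G %l\t%p\n'
      find . -type f -exec sha256sum {} +
    ) | LC_ALL=C sort
}

# Return 0 if the SRC and DST trees are identical, 1 if they differ (the
# differences go to stderr), 2 if the comparison could not be made.
verify_archive() {
    src=$1 dst=$2
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "verify_archive: both arguments must be directories" >&2
        return 2
    fi
    a=$(mktemp) && b=$(mktemp) || return 2
    manifest "$src" >"$a"
    manifest "$dst" >"$b"
    if diff "$a" "$b" >&2; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return "$rc"
}

# On vastus both trees are local, so from the archive people/ directory:
#   verify_archive /data/rsync-home/current/sulcus/home/darren darren/sulcus/darren
# Between sulcus and vagal, run manifest on each host and diff the outputs.
```

Only delete the home directory from the old machine when the check returns 0.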

LDAP

To disable an LDAP account, move the ou=username People and Group entries to LockedPeople and LockedGroup. The easiest way to do this is with the Java LDAP Browser. Open it and expand ou=People and find the user (you may want to go to View|Sort to alphabetize them). Select the ou=username entry on the left and click Edit|Move Entry... In the popup, change People to LockedPeople, check the New DN box, then click the Move button. Follow the same procedure for the Group entry.

Windows Domain

  1. Log into a Domain Controller (currently viscus or dura)
  2. Open Administrative Tools -> Active Directory Users and Computers (make sure it's not Local Users; if it is, you're on the wrong machine)
  3. Right-click the user and select Disable Account.
  4. Put their Windows files in the archive?