Have a policy and procedure for creating new users and groups.
Questions to ask:
- Who gets accounts on which machines? Who decides this? Who is actually authorized to create the accounts?
- Are accounts local to a system/location, or global (to the organization)?
- Are all accounts centrally managed, or can local SAs administer local accounts (and with what policies)?
- Are the policies and procedures different for local versus global accounts?
- What is the procedure to request a new account (or to disable or remove an account)?
- When do accounts expire?
- How are account names chosen (the naming policy)?
- What is the password policy (who can change them, when do they expire, what is the required strength)?
- How many accounts may a single user request at one time? (Answer: one)
- May accounts be shared? (Answer: no)
- How much disk space does a user get? What happens if they exceed their quotas?
- What email access is available (web mail, IMAP, POP, SMTP, ...)?
- What printer access is provided (how many pages, to which printers, and at which time of the day)?
- From which workstation(s) may the account be used?
- Is remote access provided for this user?
- Is accounting to be used for this user? If so, how much capacity can be used and for what?
- What additional access does the user require? (To which additional groups should the user be added?) Note that additional access may require additional configuration: database access, administration access, physical access to machines, Kerberos (Samba) access, NFS access, email access, protected website access, FTP access, crontab/at access, remote (dialup/VPN) access, Internet access, other server access, etc.