Identity management: the big cleanup

Organizations usually start small, grow quickly, acquire, or get acquired and sometimes even get merged. In the end they end up with many user accounts. Common questions when you are a multinational and deal with several identity management solutions:

  • Who is actually working in our organization?
  • Which primary account belongs to a single user?
  • How do we know it’s really belonging to that particular account?
  • What alternative accounts or IDs are there?
  • What systems are supporting this identity chaos?

Getting the answers to these questions can be difficult. People with same names (Hi Mr Smith!) or unaccounted IDs (who is the real jsmith?) to name just two examples.

There are a few tricks to cleanup this identity mess, step by step. However keep in mind that the task won’t be easy and you will face challenges. But in the end it’s worth the efforts, considering identity management being a huge defense to protect your business.

The plan:

Step 1: The “easy” part

  1. Gather all systems responsible for providing IDs (LDAP, AD, NIS, passwd files etc)
  2. Create a list of IDs, including their source or origin, a column to tag a matching group and a column if the account is still active
  3. Check for double IDs from each system and mark them (with a color, or tag)
  4. Mark also the ones who are unknown, possibly with the reason why nothing can be found
  5. Mark all (known) functional accounts
  6. For the known ones determine if the person is still working for the company. If not, mark them to be disabled later, all others marked as Found and in the last column as active

Step 2: The serious part

  1. From the double entries, check if they might be different identities, or belong to the same user
  2. Determine how to deal with different account IDs
  3. Determine which legacy identity management systems can be decommissioned after the cleanup
  4. Map each ID to a real person where possible and also mark them (e.g. Found)
  5. Check what has to be done with the functional or system accounts

Step 3: Communicate

Involve your management, HR, IT and other key users who can support the cleanup project. Then start communicating your end-users that you will do cleanup rounds. Explain all parties why this is done and what people should do if things suddenly don’t work anymore after the announced date(s).

Step 4: Execute

Create backups, disable accounts, turn off old systems. Then wait, monitor event logs and the incident queue of your helpdesk.


  • Use HR to determine which people are working in the company. Have them closely involved in the process to protect the privacy of the individuals, but also to request account details (e.g. Mike’s first name, is it really Mike, or Michael).
  • Have management support and the right mandate to perform the activities
  • Use management, department heads and team leads to monitor the access and permissions after the changes.
  • When in doubt, disable an account. You don’t want ghost accounts to be (ab)used.
  • Automate where possible, like data extraction, searching in and comparing against LDAP directory, or authorization groups etc. Hire a good scripting guru will hugely benefit the project.
  • Make sure that IT or the first line helpdesk support are involved to deal with disabled accounts.

Good luck!