Internal Users are not automatically deleted from Symantec Encryption Management Server


Article ID: 165138


Products

  • Desktop Email Encryption
  • Drive Encryption
  • Encryption Management Server
  • File Share Encryption
  • Gateway Email Encryption

Issue/Introduction

Users who have been deleted from Active Directory remain as Internal Users in Encryption Management Server, so the Internal User count overstates the number of active users. If Encryption Management Server uses LDAP Synchronization with Active Directory, the Groups log on the Reporting / Logs page of the administration console also fills with warnings about users that cannot be found in the directory.

The Groups log contains warnings like this:

WARN   pgp/groupd[2761]:       LDAP-00000: failed to map consumer "Example User" (756056ec-7906-4560-bb08-d839c71db118) to a directory
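An added example (not part of this article and not Broadcom's script) for turning those Groups log warnings into a de-duplicated list of unmapped users before deciding what to do about them. It assumes the Groups log has been exported from the Reporting / Logs page and is fed on stdin. The sample lines are constructed in the format shown above; the second GUID is made up.

```shell
#!/bin/sh
# Added example, not from the article: extract the consumers that groupd could
# not map to a directory from an exported Groups log read on stdin.

# Constructed sample log lines in the format shown in the article.
# The second GUID is made up; the middle line is a deliberate non-match.
SAMPLE_GROUPS_LOG='WARN   pgp/groupd[2761]:       LDAP-00000: failed to map consumer "Example User" (756056ec-7906-4560-bb08-d839c71db118) to a directory
INFO   pgp/groupd[2761]:       (constructed non-matching line)
WARN   pgp/groupd[2761]:       LDAP-00000: failed to map consumer "Another User" (11111111-2222-4333-8444-555555555555) to a directory
WARN   pgp/groupd[2761]:       LDAP-00000: failed to map consumer "Example User" (756056ec-7906-4560-bb08-d839c71db118) to a directory'

# unmapped_consumers: print "guid,name" once per distinct GUID, in first-seen
# order. The same user is warned about on every regroup, so dedup by GUID
# rather than by name (display names need not be unique).
unmapped_consumers() {
    awk '
        /failed to map consumer "/ {
            name = $0
            sub(/.*failed to map consumer "/, "", name)   # drop everything before the name
            sub(/".*/, "", name)                          # drop the closing quote onward
            guid = $0
            sub(/.*" \(/, "", guid)                       # drop everything before the GUID
            sub(/\).*/, "", guid)                         # drop the closing parenthesis onward
            if (!(guid in seen)) { seen[guid] = 1; print guid "," name }
        }'
}

# unmapped_count: number of distinct consumers the log reports as unmapped.
unmapped_count() {
    unmapped_consumers | awk 'END { print NR }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_GROUPS_LOG" | unmapped_consumers
echo "distinct unmapped consumers: $(printf '%s\n' "$SAMPLE_GROUPS_LOG" | unmapped_count)"
```

Against a real export, run `unmapped_consumers < groups.log`; the resulting GUID list is a useful cross-check against the report CSV produced in the Resolution section below, since both should describe the same set of users.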


Cause

This is by design. Users are not deleted for two main reasons:

  1. Deleting a user also deletes their encryption key.
    • For users with SKM (Server Key Mode) keys, an administrator can export the user's private key from the server and set a passphrase on it at export time. The exported key can then be used to decrypt items that a departed user encrypted. Deleting the user makes that key unavailable.
    • For SCKM (Server Client Key Mode) keys, everything except the user's signing key can be exported from the server in the same way, again with an administrator-chosen passphrase.
    • For GKM (Guarded Key Mode) keys, a copy of the user's private key can be exported from the server, but it is protected with a passphrase chosen by the user. If the user has left the organization, that copy is of little use.
    • In all key modes, an ADK (Additional Decryption Key), if configured, can also decrypt data encrypted by users. Because the ADK can decrypt any user's data, its private key is deliberately not stored on the server. The private ADK should be kept in a secure offline location, but in practice it sometimes cannot be located when it is needed, in which case the users' own keys are the only recovery path.
  2. If a machine's WDRT (Whole Disk Recovery Token) is needed after its user has left the organization, it is often easier for an administrator to search by the user's name than by the computer name, and that search only works while the user account still exists.

Reasons why you may wish to delete user accounts from Encryption Management Server include the following:

  1. Licensing - It is easier to track how many user licenses are needed if only active users are listed in the Encryption Management Server management console.
  2. Performance of the administration console - In very large environments there will be marginal performance improvements when searching for users from the administration console. However, such performance improvements will generally not, by themselves, justify the deletion of user accounts.
  3. Performance when regrouping against Active Directory - When a user is deleted from Active Directory, Encryption Management Server will search Active Directory unsuccessfully for that user each time it regroups. In a large environment, searching for thousands of users that are not in Active Directory can slow down the regrouping process.
  4. Backup performance - Having fewer internal users will speed up backups and result in smaller backup sizes in large environments.
  5. Duplicate email addresses - Encryption Management Server treats the email address as a unique identifier, so when a user leaves and a new joiner is later assigned the same email address, the old account collides with the new one unless it has been deleted. This should be rare and can be dealt with case by case.

Environment

Symantec Encryption Management Server 10.5 and above.

Resolution

Drive Encryption of the system (C:) drive does not use PGP keys, so deleting a user does not affect recovery of the machine. If a WDRT is later needed for a machine whose primary user has been deleted, administrators can search for it by computer name instead of user name. Provided administrators are willing to do that, it is perfectly reasonable to delete Drive Encryption users who have left the organization.

Users who encrypt data to their keys need more careful consideration, because deleting the user deletes the key. Note that removable drives can also be encrypted to a key, so a Drive Encryption user is not necessarily key-free.

Broadcom can supply a script to generate a report of inactive users and, optionally, delete inactive users. The script can delete all users who:

  • Cannot be found in Active Directory

and / or

  • Have not contacted the server for a specified number of months.

In order to obtain the script, please open a support case.

If you wish only to generate a report, download the file 1631294282085__report_users_not_seen.tar.gz from this article and do the following:

  1. Use WinSCP to upload the file to the /var/lib/ovid/customization directory on Encryption Management Server.
  2. SSH to Encryption Management Server and extract the report_users_not_seen.sh script:
    cd /var/lib/ovid/customization
    tar xfvz 1631294282085__report_users_not_seen.tar.gz
  3. Run the script without arguments to get help:
    ./report_users_not_seen.sh
  4. Run the script with arguments to generate the /var/lib/ovid/customization/report_users_not_seen.csv file. For example, to capture users not seen by Encryption Management Server in the last 12 months and not found in Active Directory by Encryption Management Server:
    ./report_users_not_seen.sh 12 1
  5. To capture users not seen in 12 months regardless of whether Encryption Management Server found them in Active Directory:
    ./report_users_not_seen.sh 12 0
  6. Use WinSCP to download the /var/lib/ovid/customization/report_users_not_seen.csv file and import it into Microsoft Excel or similar.
  7. Spot check the records against the Internal Users list in the administration console and against Active Directory to confirm that they match your expectations before acting on the report.
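An added example, not Broadcom's script, of a consistency check to support step 7. It assumes (the article does not document this) that report_users_not_seen.csv has a header row followed by the columns email,last_seen,found_in_ad, with last_seen as YYYY-MM-DD and found_in_ad as 1 or 0; adjust the column numbers in the awk program if the real file differs. The check takes the same two arguments that were given to report_users_not_seen.sh plus the date the report was generated, and lists every row that the requested filter should have excluded. The sample rows are constructed.

```shell
#!/bin/sh
# Added example, not the Broadcom script: check that every row in the report
# CSV really satisfies the filter that was requested from
# report_users_not_seen.sh (months not seen, optionally missing from AD).
#
# ASSUMED CSV layout (not documented in the article):
#   email,last_seen,found_in_ad      with last_seen = YYYY-MM-DD, found_in_ad = 1|0

# Constructed sample rows standing in for a real download.
SAMPLE_REPORT='email,last_seen,found_in_ad
alice@example.com,2022-09-15,0
bob@example.com,2022-01-30,1
carol@example.com,2021-03-14,0
dave@example.com,2023-09-20,0'

# report_check MONTHS NOT_IN_AD AS_OF
#   MONTHS     first argument given to report_users_not_seen.sh
#   NOT_IN_AD  second argument (1 = only users missing from AD, 0 = all users)
#   AS_OF      date the report was generated, YYYY-MM-DD
# Reads the CSV on stdin, prints one line per row that contradicts the filter,
# and exits with the number of such rows (0 = report is consistent).
report_check() {
    months="$1"; not_in_ad="$2"; as_of="$3"
    awk -F, -v months="$months" -v not_in_ad="$not_in_ad" -v as_of="$as_of" '
        function month_index(d,  p) { split(d, p, "-"); return p[1] * 12 + p[2] }
        function day(d,  p)         { split(d, p, "-"); return p[3] + 0 }
        NR == 1 { next }                                  # skip the header row
        {
            email = $1; last_seen = $2; in_ad = $3 + 0
            # whole months between last_seen and as_of (a partial month does not count)
            age = month_index(as_of) - month_index(last_seen)
            if (day(as_of) < day(last_seen)) age--
            bad = ""
            if (age < months)
                bad = "last seen " age " month(s) ago, threshold is " months
            else if (not_in_ad == 1 && in_ad == 1)
                bad = "found in AD, but only users missing from AD were requested"
            if (bad != "") { print email ": " bad; violations++ }
        }
        END { exit violations + 0 }'
}

# Stand-alone demo: 12 months, users missing from AD only, report dated 2023-10-01.
printf '%s\n' "$SAMPLE_REPORT" | report_check 12 1 2023-10-01 && rc=0 || rc=$?
echo "rows contradicting the requested filter: $rc"
```

Against a real download: `report_check 12 1 "$(date +%F)" < report_users_not_seen.csv`. A non-zero exit status means either the report does not match the filter you asked for or the assumed column layout is wrong; resolve that before anyone uses the list for deletions.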

Additional Information

EPG-23205

Attachments

1631294282085__report_users_not_seen.tar.gz