This can be accomplished with a solution that has three parts:
- The creation of a new virtual attribute of type GeneralizedTime. In this example, this is called edsvaDeprovisionDate.
- An update to an existing User Deprovisioning Policy to stamp edsvaDeprovisionDate.
- A scheduled Workflow which runs daily and searches for all Users who meet all of the following criteria:
- Are in the target OU
- Currently have a Microsoft Exchange Mailbox
- Are currently Disabled
- Have the edsvaDeprovisionDate attribute populated with a value on or before the current date minus X days (i.e., they were Deprovisioned at least X days ago).
The edsaDeleteMailbox attribute is set to True for every User returned. This triggers a soft-delete of the User's mailbox by the associated mail system. Because the Workflow is destructive, keep the Search scope restricted to the OU that holds Deprovisioned Users and review the results of an on-demand run before enabling the schedule.
Step 1: Creating the Virtual Attribute
- Select Quest One ActiveRoles | Configuration | Server Configuration | Virtual Attributes
- Right-click on Virtual Attributes and select New | Virtual Attribute
- Set the Common-Name and LDAP Display Name to be edsvaDeprovisionDate (or another name of your choosing) and click Next
- Set the Syntax to be GeneralizedTime and click Next
- Check User and/or any other target classes which are desired and click Next | Next | Finish
- Right-click on Quest One ActiveRoles and click Reconnect so that the virtual attribute is visible in the MMC.
Step 2: Configure the existing Deprovisioning Policy to stamp the Virtual Attribute
In this example, the built-in User Deprovisioning Policy is modified. If a custom Deprovisioning Policy is in use, modify that one instead.
- Select Quest One ActiveRoles | Configuration | Policies | Administration | Builtin
- Double-click on Built-in Policy - User Default Deprovisioning
- On the Policies tab, click on Make account ineligible for logon and then click on View/Edit
- On the Properties to Be Updated tab, click Add and find edsvaDeprovisionDate
- Check it and click OK
- Select Configure Value | Configure | Add | Date and Time
- Set Date and time format: to MMMM d, yyyy and click OK on all open dialog boxes.
NOTE: The above format is precise only to the day, which is sufficient because the interval is measured in days. It is also easy to read, since the month is spelled out rather than given as a number. If a shorter interval is required, choose a format that includes the time of day. Whatever format is chosen here must also be used for the comparison value in Step 3, otherwise the condition will never match.
Step 3: Create the scheduled Workflow
- Select Quest One ActiveRoles | Configuration | Policies | Workflow
- Right-click on Workflow and click on New | Workflow
- Set the name and description to something of your choosing and click Next
- Click On user demand or on a scheduled basis (automation workflow) and click Next | Finish
- Double-click on the new Workflow and click the Configure button under Workflow options and start conditions
- Check Run the workflow on a schedule and set the desired schedule. For example, the Workflow could run Daily at 3:00 AM, recurring every day.
- Check the box labeled Allow the workflow to be run on demand. This allows the Workflow to be tested against a test OU before the schedule takes effect.
- Set the dropdown labeled If the workflow is already running, then the following rule applies to Do not start a new instance and then click OK
- From the Object management section on the left, drag-and-drop a Search activity into the Workflow
- Double-click Search for objects and choose Scope and filter
- In the section labeled Search in the Organizational Unit or container choose Users in the Find dropdown and the OU which contains your Deprovisioned User objects in the In dropdown.
- In the Search options: section, under the label Retrieve only these Exchange recipients:, click All recipients
- Check the box labeled Retrieve only these Exchange recipients:, then check the box labeled Users with Exchange mailbox and click OK | OK
- Drag-and-drop an If-Else activity into the Search activity in the Workflow
- Double-click on the If-Else Branch on the left
- In the Conditions section click on the green plus sign to insert a condition
- Click Configure condition to evaluate | Property of object found by search activity
- Set the Target Property to edsaAccountIsDisabled and click OK
- Click Define value to compare to... | TRUE
- Click on the green plus sign to insert another condition
- Click Configure condition to evaluate | Property of object found by search activity
- Set the Target Property to edsvaDeprovisionDate and click OK
- Change the comparison operator from equals to less or equal
- Click Define value to compare to... | Workflow date and time
- Set the dropdown labeled Date and time string format: to MMMM d, yyyy (or whichever format was chosen in Step 2 above)
- Click Use the current date and time minus this number of days: and set the number to the number of days after which these Users should have their mailbox removed. For example, choosing 30 days matches any User who was stamped 30 or more days ago. Both conditions in the branch must be true for it to run, which matches the "all of the following criteria" design above: a User whose account has since been re-enabled is not matched even if the date qualifies. Click OK | OK
- Drag-and-drop an Update activity into the first If-Else branch
- Double-click on Change object properties and choose Activity target | Define | Object found by search activity
- Choose Target properties | Add property and add edsaDeleteMailbox
- Click Define | True
- Click OK | Save Changes
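The Workflow above has no dry-run mode, so it is worth listing exactly which accounts it would touch before the schedule takes effect. The following PowerShell script is an added example, not part of the original article or of the product, that applies the same four criteria through the ActiveRoles Management Shell (Get-QADUser and Set-QADUser with -Proxy, so virtual attributes resolve) and only stamps edsaDeleteMailbox when -Commit is supplied. The OU path, the 30-day interval, the snap-in name and the use of a populated homeMDB attribute as the "has an Exchange mailbox" indicator are assumptions to adjust for your environment; the date format must be the one chosen in Step 2.

```powershell
# Added example (not from the original article): dry-run / commit equivalent of the Step 3 Workflow.
# Assumptions (adjust for your environment):
#   - The ActiveRoles Management Shell snap-in is installed (newer versions ship it as a module instead).
#   - Deprovisioned Users live in OU=Deprovisioned,DC=example,DC=com (hypothetical).
#   - edsvaDeprovisionDate was stamped with the "MMMM d, yyyy" format from Step 2.
#   - A populated homeMDB attribute is used as the "has an Exchange mailbox" indicator.
param(
    [string]$SearchRoot = 'OU=Deprovisioned,DC=example,DC=com',
    [int]$Days          = 30,
    [string]$DateFormat = 'MMMM d, yyyy',
    [switch]$Commit     # without -Commit nothing is changed; matches are only listed
)

Add-PSSnapin Quest.ActiveRoles.ArsPowerShell -ErrorAction Stop
Connect-QADService -Proxy | Out-Null   # connect via the Administration Service so virtual attributes are available

# Cutoff is midnight (today - $Days); a stamp on or before it means "deprovisioned at least $Days days ago"
$cutoff = (Get-Date).Date.AddDays(-$Days)

# Criteria 1-3 of the design: in the target OU, disabled, and mailbox-enabled (homeMDB present)
$candidates = Get-QADUser -Proxy -SearchRoot $SearchRoot -Disabled -SizeLimit 0 `
    -LdapFilter '(homeMDB=*)' `
    -IncludedProperties edsvaDeprovisionDate

foreach ($u in $candidates) {
    $raw = $u.edsvaDeprovisionDate
    if (-not $raw) { continue }   # never stamped: the Deprovisioning Policy did not run on this account

    # The value may be returned as a DateTime or as the string written in Step 2; handle both
    if ($raw -is [datetime]) {
        $stamped = $raw
    } else {
        try {
            $stamped = [datetime]::ParseExact([string]$raw, $DateFormat,
                                              [Globalization.CultureInfo]::InvariantCulture)
        } catch {
            Write-Warning "$($u.DN): edsvaDeprovisionDate '$raw' does not match format '$DateFormat'; skipping"
            continue
        }
    }

    # Criterion 4: the "less or equal" comparison from the If-Else branch
    if ($stamped.Date -le $cutoff) {
        if ($Commit) {
            Set-QADUser -Proxy -Identity $u.DN -ObjectAttributes @{ edsaDeleteMailbox = $true } | Out-Null
            Write-Output "Flagged mailbox for soft-delete: $($u.DN) (deprovisioned $($stamped.ToString('yyyy-MM-dd')))"
        } else {
            Write-Output "WOULD flag: $($u.DN) (deprovisioned $($stamped.ToString('yyyy-MM-dd')))"
        }
    }
}
```

Run it without -Commit first and compare the list against what the on-demand Workflow run reports; a User that appears in one list but not the other usually means the Search scope, the Exchange recipient filter or the date format differs between the two. Running with -Commit performs the same change the Update activity makes, so it should only be used as a one-off with the Workflow disabled, never alongside the schedule.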