Identity Manager 8.2 - Administration Guide for Active Roles Integration

Post-processing outstanding objects Adding custom tables to the target system synchronization Managing Active Directory user accounts and Active Directory contacts through account definitions

Troubleshooting Ignoring data error in synchronization

Interaction with Active Roles workflows

Extensions for applying Active Roles workflows Operation ID and status Additional virtual properties in the schema

Interaction with Active Roles policies Managing Active Directory objects

Adding Active Directory groups automatically to the IT Shop Requesting Active Directory groups through the Web Portal Active Roles specific extensions for Active Directory groups Deprovisioning Active Directory user account and Active Directory groups

Deprovisioning not deletion Quick deprovisioning Displaying information about deprovisioning Active Directory user accounts and Active Directory groups

Restoring deprovisioned Active Directory user accounts and Active Directory groups in the One Identity Manager

Deprovisioning Active Directory user accounts and Active Directory groups Restoring deleted objects

Configuration parameters for managing an Active Directory environment Default project template for One Identity Active Roles Active Roles connector settings

Deprovisioning Active Directory user account and Active Directory groups

One Identity Manager supports deprovisioning through Active Roles. Based on deprovisioning policies configured in Active Roles, an Active Directory object is modified such that it is temporarily or permanently disabled and possibly is not deleted until a certain time period has expired. For more information about Active Roles deprovisioning, see your One Identity Active Roles documentation.

NOTE: The deprovisioning policy configuration in Active Roles may conflict with the default One Identity Manager configuration. In this case, make any appropriate adjustments to templates or processes, for example.

The following procedures are implemented for deprovisioning Active Directory user accounts and Active Directory groups with One Identity Manager:

Deprovisioning not deletion
Quick deprovisioning

Detailed information about this topic

Deprovisioning not deletion

To implement this method

In the Manager, on the Active Directory domain, set the User accounts deleted by Active Roles workflows and Groups deleted by Active Roles workflows options.

If an Active Directory user account or an Active Directory group is deleted in One Identity Manager, a deprovisioning process is generated in Active Roles instead of the default deletion process. This process queues the Active Directory object for deprovisioning in Active Roles, sets a deprovisioned status, and checks the deprovisioning sequence. Active Directory objects continue to be processed in One Identity Manager depending this.

If the Active Directory object was deleted immediately in Active Roles, the Active Directory object is also deleted in One Identity Manager.
If the Active Directory object in Active Roles was renamed or moved to another Active Directory container, this is done in One Identity Manager as well.

The Active Directory object remains in the One Identity Manager database with the status deleted.

NOTE: Active Directory user accounts and Active Directory groups that have the Protected from accidental deletion option set cannot be moved or deleted.

To delete a user account

In the Manager, select the Active Directory > User accounts category.
Select the user account in the result list.
Click in the result list.
Confirm the security prompt with Yes.

To delete an Active Directory group

In the Manager, select the Active Directory > Groups category.
Select the group in the result list.
Click in the result list.
Confirm the security prompt with Yes.

Quick deprovisioning

You can apply this method if the Active Directory domain is not marked for deprovisioning. The Deprovision task is provided on these objects for the deprovisioning of individual Active Directory user accounts or Active Directory groups.

A deprovisioning process is generated in Active Roles. This process queues the Active Directory object for deprovisioning in Active Roles, sets a deprovisioned status, and checks the deprovisioning sequence. Active Directory objects continue to be processed in One Identity Manager depending this.

If the Active Directory object was deleted immediately in Active Roles, the Active Directory object is also deleted in One Identity Manager.
If the Active Directory object in Active Roles was renamed or moved to another Active Directory container, this is done in One Identity Manager as well.

The Active Directory object remains in the One Identity Manager database with the status changed. All the Active Directory object properties are loaded in the One Identity Manager database by the next synchronization and set to published.

NOTE: Active Directory user accounts and Active Directory groups that have the Protected from accidental deletion option set cannot be moved or deleted.

To deprovision an Active Directory user account

In the Manager, select the Active Directory > User accounts category.
Select the user account in the result list.
Select the Deprovision task.
Confirm the security prompt with Yes.
Confirm with OK.

To deprovision an Active Directory group

In the Manager, select the Active Directory > Groups category.
Select the group in the result list.
Select the Deprovision task.
Confirm the security prompt with Yes.
Confirm with OK.

Displaying information about deprovisioning Active Directory user accounts and Active Directory groups

The following properties are displayed for deprovisioning Active Directory user accounts and Active Directory groups:

Table 9: Deprovisioning data
Property	Description
Deprovisioning status	Status of deprovisioning sequence through Active Roles when an object is deleted. The data is loaded from Active Roles on synchronization. No deprovisioning: The Active Directory object is active. Deprovisioning successful: The Active Directory object was successfully deprovisioned. Deprovisioning failed: An error occurred while deprovisioning the Active Directory object.
Deprovisioning date	Status of deprovisioning sequence through an Active Roles when a object is deleted. The information is loaded from the Active Roles during synchronization.

To display main data of deprovisioning an Active Directory user account

In the Manager, select the Active Directory > User accounts category.
Select the user account in the result list.
Select the Change main data task.
Select the Active Roles tab.

To display main data of deprovisioning an Active Directory group

In the Manager, select the Active Directory > Groups category.
Select the group in the result list.
Select the Change main data task.
Select the Active Roles tab.

Identity Manager 8.2 - Administration Guide for Active Roles Integration

Deprovisioning Active Directory user account and Active Directory groups

Detailed information about this topic

Deprovisioning not deletion

Related topics

Quick deprovisioning

Related topics

Displaying information about deprovisioning Active Directory user accounts and Active Directory groups

Related topics

Bitte w&auml;hlen Sie Ihr Produkt aus:

Damit wir Ihnen besser helfen können, geben Sie den Grund Ihres Chats an:

Empfohlene Lösungen für Ihr Problem

Identity Manager 8.2 - Administration Guide for Active Roles Integration

Deprovisioning Active Directory user account and Active Directory groups

Detailed information about this topic

Deprovisioning not deletion

Related topics

Quick deprovisioning

Related topics

Displaying information about deprovisioning Active Directory user accounts and Active Directory groups

Related topics

Bitte wählen Sie Ihr Produkt aus: