Scenario 1: Disabling and renaming the group upon deprovisioning
The policy described in this scenario performs the following functions during the group deprovisioning process:
- When deprovisioning a security group, change the type of the group to Distribution.
- When deprovisioning a distribution group, remove the group from the Global Address List.
- Append this suffix to the group name: - Deprovisioned, followed by the date when the group was deprovisioned.
For example, the policy changes the group name of Partner Marketing to Partner Marketing - Deprovisioned 12/11/2013.
To implement this scenario, you must perform the following actions:
- Create and configure the Policy Object that defines the appropriate policy.
- Apply the Policy Object to a domain, OU, or Managed Unit.
As a result, when deprovisioning a group, Active Roles disables and renames the group as prescribed by this policy.
Configuring the Group Object Deprovisioning Policy Object
You can create and configure the Policy Object you need by using the New Deprovisioning Policy Object Wizard. For information about the wizard, see Creating a Policy Object.
To configure the policy, click Group Object Deprovisioning on the Select Policy Type page of the wizard. Then, click Next.
On the Disable Group page, select these check boxes:
Then, if empty, enter the following name under Rename the group to:
%<name> - Deprovisioned {@date(M/d/yyyy)}
Click Next and follow the instructions in the wizard to create the Policy Object.
Applying the Policy Object
You can apply the Policy Object by using the Enforce Policy page in the New Provisioning Policy Object Wizard, or you can complete the wizard and then use the Enforce Policy command on the domain, OU, or Managed Unit where you want to apply the policy.
For more information on how to apply a Policy Object, see Applying Policy Objects and Managing policy scope.
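As an added example (not part of the Active Roles documentation or product), the PowerShell function below checks whether groups carrying the Scenario 1 suffix ended up in the state the policy prescribes. It assumes the property names returned by Get-ADGroup and that removal from the Global Address List is reflected in msExchHideFromAddressLists; Test-DeprovisionedGroup and the sample records are constructed for illustration.

```powershell
# Added example: verify the outcome of the Scenario 1 policy on group records.
function Test-DeprovisionedGroup {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Group)
    begin {
        # Suffix written by the rename rule: " - Deprovisioned M/d/yyyy"
        $pattern = ' - Deprovisioned (?<date>\d{1,2}/\d{1,2}/\d{4})$'
        $culture = [System.Globalization.CultureInfo]::InvariantCulture
        $style   = [System.Globalization.DateTimeStyles]::None
    }
    process {
        $m = [regex]::Match([string]$Group.Name, $pattern)
        if (-not $m.Success) { return }   # not renamed by the policy, skip
        $issues = @()
        $when   = [datetime]::MinValue
        $text   = $m.Groups['date'].Value
        if (-not [datetime]::TryParseExact($text, 'M/d/yyyy', $culture, $style, [ref]$when)) {
            $issues += "suffix date '$text' is not a valid M/d/yyyy date"
        }
        # A deprovisioned group should no longer be a security group.
        if ("$($Group.GroupCategory)" -ne 'Distribution') {
            $issues += 'group type is not Distribution'
        }
        # Only mail-enabled groups can appear in the GAL.
        # Assumption: GAL removal is reflected in msExchHideFromAddressLists.
        if ($Group.mail -and $Group.msExchHideFromAddressLists -ne $true) {
            $issues += 'mail-enabled but not hidden from the GAL'
        }
        [pscustomobject]@{
            Name      = $Group.Name
            Compliant = ($issues.Count -eq 0)
            Issues    = $issues -join '; '
        }
    }
}

# Constructed sample records (not real directory data).
$sample = @(
    [pscustomobject]@{ Name = 'Partner Marketing - Deprovisioned 12/11/2013'
        GroupCategory = 'Distribution'; mail = 'pm@example.com'; msExchHideFromAddressLists = $true }
    [pscustomobject]@{ Name = 'Build Admins - Deprovisioned 2/30/2014'
        GroupCategory = 'Security'; mail = $null; msExchHideFromAddressLists = $null }
    [pscustomobject]@{ Name = 'Sales EMEA'
        GroupCategory = 'Security'; mail = 'sales@example.com'; msExchHideFromAddressLists = $false }
)
$sample | Test-DeprovisionedGroup | Format-Table -AutoSize -Wrap

# Against a live directory (requires the ActiveDirectory module):
# Get-ADGroup -LDAPFilter '(name=* - Deprovisioned *)' -Properties mail,msExchHideFromAddressLists |
#     Test-DeprovisionedGroup
```

Groups whose names do not end in the policy suffix are skipped, so the output lists only groups that were renamed by the policy, with any deviation from the prescribed state in the Issues column.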
Scenario 2: Managed Unit for deprovisioned groups
This scenario describes how to configure a Managed Unit and a Group Object Deprovisioning policy so that the Managed Unit includes all deprovisioned groups. The policy sets the Notes property to Deprovisioned upon the deprovisioning of a group, whereas the Managed Unit is configured to include the groups that have the Notes property set to Deprovisioned.
To implement this scenario, you must perform the following actions:
- Create and configure the Managed Unit.
- Configure the Policy Object that defines the appropriate policy.
- Apply the Policy Object to a domain, OU, or Managed Unit.
As a result, after deprovisioning a group, Active Roles automatically adds that group to the Managed Unit you created.