The behavior of the Undo Deprovisioning operation is determined by a configurable policy contained in a built-in Policy Object. This is the Policy Object named Built-in Policy - Default Rules to Undo User Deprovisioning and located in the Builtin container under Configuration/Policies/Administration. The Policy Object is applied to the Active Directory folder, thus taking effect in all domains that are registered with Active Roles (managed domains).
- Restore group memberships. When selected, causes the Undo Deprovisioning operation on a deprovisioned user account to add the account to the distribution and security groups from which the account was removed in accord with the Group Membership Removal policy. If you do not want restored accounts to be automatically added to groups, clear this option.
Note that regardless of whether this option is selected, once a deprovisioned user account is restored, Active Roles automatically adds the account to the appropriate Dynamic Groups and Group Families depending on properties of the account.
- Leave password unchanged. Causes the Undo Deprovisioning operation on a deprovisioned user account to prevent resetting of the password for the restored account. Select this option if you want the password to be reset by the HelpDesk or by using a self-service password management solution after the account is restored.
- Prompt to reset password. Causes the Undo Deprovisioning operation on a deprovisioned user account to enable resetting of the password for the restored account. If this option is selected, the Undo Deprovisioning command displays a dialog box in which the password can be reset.
- Open the Active Roles console.
- In the console tree, expand Configuration | Policies | Administration, and select Builtin under Administration.
- In the details pane, double-click Built-in Policy - Default Rules to Undo User Deprovisioning.
- On the Policies tab in the Properties dialog box, click the policy in the list, and then click View/Edit to access the policy options.
Since the built-in Policy Object is normally applied to the Active Directory node in the Active Roles namespace, the policy options are in effect on any deprovisioned user account. If you need different policy options for different domains or containers, create a copy of the built-in Policy Object, and then configure and apply the copy as appropriate.
The Undo Deprovisioning operation is normally enabled in all domains that are registered with Active Roles. It is possible to prohibit this operation in individual domains or containers, or in all domains, by blocking or disabling the policy that governs the operation. In case of disabling the built-in Policy Object, an enabled copy of that Policy Object can be applied in order to allow the Undo Deprovisioning operation in individual domains or containers.