About Group Membership Removal
Group Membership Removal policies automate the removal of deprovisioned user accounts from groups. You can configure such policies to remove user accounts from all groups, with optional exceptions.
When configuring a Group Membership Removal policy, you can configure policy rules separately for security groups and mail-enabled groups in the New Deprovisioning Policy Object Wizard.
When processing a request to deprovision a user, Active Roles uses this policy to determine what changes are to be made to the group memberships of the user account. By removing the account from security groups, the policy revokes the user's access to resources. By removing the account from mail-enabled groups, the policy prevents email addressed to those groups from being delivered to the deprovisioned mailbox.
IMPORTANT: The deprovisioned users are automatically removed from all Dynamic Groups, regardless of the Group Membership Removal policy settings.
A Group Membership Removal policy includes separate rules for security groups and for mail-enabled groups. For each category of groups, a rule can instruct Active Roles to perform one of the actions that are summarized in the following table.
Table 9: Group Membership Removal policy rules
Group category | Rule | Effect on the deprovisioned user
Security groups | Do not remove from groups. | The user remains in all security groups it was a member of as of the time of deprovisioning, except for Dynamic Groups.
Security groups | Remove from all groups. | The user is removed from all security groups.
Security groups | Remove from all groups except for the specified ones. | The user is not removed from the specified security groups, with the exception of Dynamic Groups. The user is removed from all the other security groups.
Mail-enabled groups | Do not remove from groups. | The user is not removed from distribution groups or mail-enabled security groups, except for Dynamic Groups.
Mail-enabled groups | Remove from all groups. | The user is removed from all distribution groups and from all mail-enabled security groups.
Mail-enabled groups | Remove from all groups except for the specified ones. | The user is not removed from the specified distribution or mail-enabled security groups, with the exception of Dynamic Groups. The user is removed from all the other distribution and mail-enabled security groups.
A mail-enabled security group is matched by both rules, so the two rules can conflict; in that case the remove action takes precedence. For example, if the security-group rule is configured to remove the user account from all security groups, the account is also removed from mail-enabled security groups, even if the mail-enabled-group rule says not to remove the account from them.
Another conflict may occur in the situation where a policy of this category attempts to remove a deprovisioned user from a group that is configured as an Active Roles Dynamic Group. For more information, see Dynamic groups in the Active Roles Administration Guide.
The Dynamic Group policy detects the removal, and might add the deprovisioned user back to the Dynamic Group. To avoid this, Active Roles does not allow Dynamic Groups to hold deprovisioned users. Once a user is deprovisioned, the user account is removed from all Dynamic Groups.
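The following is an added example, not Active Roles code, showing how the two rules of Table 9 and the "remove wins" precedence rule play out against real Active Directory group attributes. It uses the ActiveDirectory module; the function name, the rule names (Keep, RemoveAll, RemoveExcept) and the assumption that exception lists hold group distinguishedNames are this example's own. Active Roles Dynamic Groups are purged by Active Roles itself and are not modelled.

```powershell
#Requires -Modules ActiveDirectory
function Remove-DeprovisionedGroupMembership {
    <#
    Added example (hypothetical function, not part of Active Roles).
    Applies the security-group rule and the mail-enabled-group rule to one
    user. A mail-enabled security group is matched by both rules; if either
    rule says "remove", the user is removed (remove takes precedence).
    Assumed inputs: $Identity is a sAMAccountName; exception lists contain
    group distinguishedNames.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [ValidateSet('Keep', 'RemoveAll', 'RemoveExcept')] [string] $SecurityRule = 'RemoveAll',
        [string[]] $SecurityExceptions = @(),
        [ValidateSet('Keep', 'RemoveAll', 'RemoveExcept')] [string] $MailRule = 'RemoveAll',
        [string[]] $MailExceptions = @()
    )

    # One rule evaluated against one group: $true means "remove".
    function Test-Remove([string] $Rule, [string[]] $Exceptions, [string] $GroupDn) {
        switch ($Rule) {
            'Keep'         { return $false }
            'RemoveAll'    { return $true }
            'RemoveExcept' { return -not ($Exceptions -contains $GroupDn) }  # -contains is case-insensitive
        }
    }

    $user = Get-ADUser -Identity $Identity -Properties memberOf
    $removed = @()
    # memberOf never lists the primary group (usually Domain Users); that
    # membership is left alone here.
    foreach ($dn in $user.memberOf) {
        $group = Get-ADGroup -Identity $dn -Properties groupType, mail
        # Bit 0x80000000 of groupType marks a security group; any other group is a distribution group.
        $isSecurity = ($group.groupType -band 0x80000000) -ne 0
        # The mail-enabled rule covers distribution groups and mail-enabled security groups.
        $isMailRuleTarget = (-not $isSecurity) -or (-not [string]::IsNullOrEmpty($group.mail))

        $verdicts = @()
        if ($isSecurity)       { $verdicts += Test-Remove $SecurityRule $SecurityExceptions $dn }
        if ($isMailRuleTarget) { $verdicts += Test-Remove $MailRule $MailExceptions $dn }

        # Conflict resolution: any applicable "remove" verdict wins.
        if ($verdicts -contains $true) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
            $removed += $dn
        }
    }
    return $removed
}

# Constructed usage: keep one audit group, keep all distribution lists, dry run.
# A mail-enabled security group is still removed because the security rule says so.
Remove-DeprovisionedGroupMembership -Identity 'jdoe' `
    -SecurityRule RemoveExcept -SecurityExceptions 'CN=Leavers-Audit,OU=Groups,DC=corp,DC=example' `
    -MailRule Keep -WhatIf
```

Run it first with -WhatIf (propagated to Remove-ADGroupMember by SupportsShouldProcess) and compare the returned DNs with what the policy is expected to do; the primary group and any Active Roles Dynamic Groups will not appear in that list.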
For more information on configuring this Policy Object, see Configuring a Group Membership Removal policy in the Active Roles Administration Guide.
About User Account Relocation
User Account Relocation policies automate the movement of deprovisioned user accounts to specified Organizational Units. This removes deprovisioned user accounts from the control of administrators who are responsible for managing the Organizational Units in which those user accounts were originally located. However, you can also configure this policy not to move deprovisioned user accounts.
When processing a request to deprovision a user, Active Roles uses this policy to determine whether to move the deprovisioned user account to a different Organizational Unit.
A policy configured to move user accounts also specifies the destination Organizational Unit to which Active Roles moves deprovisioned user accounts.
A policy can be configured not to move user accounts. When applied at a certain level of the directory hierarchy, such a policy overrides any other policy of this category applied at a higher level of the directory hierarchy.
Let us consider an example to clarify this behavior. Suppose you configure a policy to move accounts and apply that policy to a certain parent container. In general, the policy is passed down from parent to child containers, that is, the policy applies to all child containers beneath the parent container, causing Active Roles to move deprovisioned user accounts from each container. However, if you configure a different policy not to move accounts and apply that new policy to a child container, the child container policy overrides the policy inherited from the parent container. Active Roles does not move deprovisioned user accounts from that child container or any container beneath that child container.
For more information on configuring this Policy Object, see Configuring a User Account Relocation policy in the Active Roles Administration Guide.
About Exchange Mailbox Deprovisioning
Exchange Mailbox Deprovisioning policies automate the deprovisioning of Microsoft Exchange resources for deprovisioned users. When activated, the policy:
- Hides deprovisioned users from address lists.
- Prevents sending non-delivery reports.
- Grants the designated persons full access to deprovisioned mailboxes.
- Redirects email messages sent to deprovisioned users.
- Forces the mailbox of the deprovisioned user to send automatic replies.
As such, the policy is meant to reduce the number of email messages sent to the deprovisioned mailbox, and to authorize designated persons to monitor the mailbox of the deprovisioned user.
When processing a request to deprovision a user, Active Roles uses this policy to determine the Exchange mailbox deprovisioning options, and then updates the user account and mailbox accordingly.
The available mailbox-deprovisioning options are summarized in the following table. For each option, the table outlines the policy effect on a user mailbox.
Table 10: Policy effect on a user’s mailbox
Option | Effect on the mailbox
Hide the mailbox from the Global Address List (GAL), to prevent access to the mailbox | Prevents the deprovisioned user from appearing in your Exchange organization’s address lists: the user is hidden from all address lists. Hiding is a visibility control; the mailbox becomes inaccessible because the deprovisioned account is also disabled, so nobody can log on to Exchange Server as the mailbox user or otherwise access the hidden mailbox.
Prevent non-delivery reports (NDR) from being sent | Prevents non-delivery reports from being generated when email is sent to the deprovisioned mailbox. (A non-delivery report is a notice that a message was not delivered to the recipient.)
Grant the user’s manager full access to the mailbox | Provides the person designated as the deprovisioned user’s manager with full access to the mailbox of that user. The manager is determined from the Manager attribute of the deprovisioned user account in Active Directory.
Grant the selected users or groups full access to the mailbox | Provides the specified users or groups with full access to the deprovisioned user’s mailbox.
Disallow forwarding messages to alternate recipients | Email addressed to the deprovisioned user is not forwarded to an alternate recipient.
Forward all incoming messages to the user’s manager | Email addressed to the deprovisioned user is forwarded to the user’s manager. The manager is determined from the Manager attribute of the deprovisioned user account in Active Directory.
Leave copies in the mailbox | Email addressed to the deprovisioned user is delivered to both the mailbox of the user’s manager and the mailbox of the deprovisioned user. If you do not select this option, such email is delivered only to the manager’s mailbox.
Don’t change the mailbox autoreply settings | Active Roles makes no changes to the Automatic Replies configuration of the mailbox. Thus, if the mailbox is configured to send automatic replies, deprovisioning the mailbox user does not cause the mailbox to stop sending them.
Auto-reply with the following messages (once for each sender) | Active Roles configures the mailbox to send the Automatic Replies messages specified by the policy. This option provides the following policy settings:
- The Automatic Replies message that is sent to senders within the organization.
- Whether to send an Automatic Replies message to senders outside of the organization (external senders).
- Whether to send an Automatic Replies message to all external senders or only to the user’s contacts.
- The Automatic Replies message that is sent to external senders.
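The following is an added example, not Active Roles code, that applies the Table 10 options with the Exchange Management Shell cmdlets (Set-Mailbox, Add-MailboxPermission, Set-MailboxAutoReplyConfiguration) and the ActiveDirectory module. The function name and its parameter names are this example's own. It assumes the manager is read from the AD Manager attribute and is a mail-enabled recipient (otherwise -ForwardingAddress is rejected). NDR suppression is not reproduced: Active Roles implements it internally and there is no single mailbox setting for it.

```powershell
#Requires -Modules ActiveDirectory
function Set-DeprovisionedMailbox {
    <#
    Added example (hypothetical function, not part of Active Roles).
    Requires an Exchange Management Shell session for the Exchange cmdlets.
    $Identity is the mailbox alias / sAMAccountName.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string[]] $FullAccessGrantees = @(),   # "selected users or groups"
        [switch] $GrantManagerFullAccess,
        [switch] $ForwardToManager,
        [switch] $LeaveCopies,
        [string] $InternalReply,
        [string] $ExternalReply,
        [switch] $ExternalRepliesToContactsOnly
    )

    $manager = (Get-ADUser -Identity $Identity -Properties manager).manager   # DN, or $null

    # 1. Hide from every address list. This changes visibility only; the account
    #    is disabled by deprovisioning, which is what actually blocks logon.
    Set-Mailbox -Identity $Identity -HiddenFromAddressListsEnabled $true

    # 2. Full Access for the manager and/or the selected principals. AutoMapping
    #    is off so the mailbox does not silently open in each grantee's Outlook.
    $grantees = @($FullAccessGrantees)
    if ($GrantManagerFullAccess -and $manager) { $grantees += $manager }
    foreach ($grantee in $grantees) {
        Add-MailboxPermission -Identity $Identity -User $grantee -AccessRights FullAccess `
            -InheritanceType All -AutoMapping $false
    }

    # 3. Forwarding: redirect to the manager (optionally keeping a copy), or clear
    #    any forwarding the user had configured ("Disallow forwarding").
    if ($ForwardToManager -and $manager) {
        Set-Mailbox -Identity $Identity -ForwardingAddress $manager `
            -DeliverToMailboxAndForward $LeaveCopies.IsPresent
    } else {
        Set-Mailbox -Identity $Identity -ForwardingAddress $null -ForwardingSmtpAddress $null `
            -DeliverToMailboxAndForward $false
    }

    # 4. Automatic Replies: touched only when a message is supplied ("Don't change" otherwise).
    #    ExternalAudience None / Known / All maps to "no external reply" / "contacts only" / "all external senders".
    if ($InternalReply) {
        $audience = if (-not $ExternalReply) { 'None' }
                    elseif ($ExternalRepliesToContactsOnly) { 'Known' }
                    else { 'All' }
        Set-MailboxAutoReplyConfiguration -Identity $Identity -AutoReplyState Enabled `
            -InternalMessage $InternalReply -ExternalMessage $ExternalReply -ExternalAudience $audience
    }
}

# Constructed usage: manager monitors the mailbox, copies stay, contacts-only external reply, dry run.
Set-DeprovisionedMailbox -Identity 'jdoe' -GrantManagerFullAccess -ForwardToManager -LeaveCopies `
    -InternalReply 'This mailbox is no longer monitored.' `
    -ExternalReply 'This person has left the company.' -ExternalRepliesToContactsOnly -WhatIf
```

Note the order: hiding and permission changes are harmless to repeat, but clearing -ForwardingSmtpAddress matters for security because a departing user can have set up forwarding to an outside address through Outlook; "Disallow forwarding" should remove that, not only refrain from adding a new rule.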
For more information on configuring this Policy Object, see Exchange Mailbox Deprovisioning in the Active Roles Administration Guide.
About Home Folder Deprovisioning
Home Folder Deprovisioning policies automate the following steps when deprovisioning users:
- Revoke access to home folders from deprovisioned user accounts.
- Grant the designated persons read access to deprovisioned home folders.
- Change the ownership on deprovisioned home folders.
- Delete the deprovisioned home folders.
When configuring Home Folder Deprovisioning policies, you can specify:
When processing a request to deprovision a user, Active Roles uses this policy to determine the home folder deprovisioning options, and then updates the configuration of the user’s home folder accordingly.
The available home folder deprovisioning options are summarized in the following table. For each option, the table outlines the policy effect on the user’s home folder.
Table 11: Policy effect on the user’s home folder
Option | Effect on the home folder
Remove the user’s permissions on the home folder | Modifies the home folder security so that the deprovisioned user cannot access their home folder.
Grant the user’s manager read access to the home folder | Makes it possible for the person designated as the deprovisioned user’s manager to view and retrieve data from the home folder of that user. The manager is determined from the Manager attribute of the deprovisioned user account in Active Directory.
Grant selected users or groups read access to the home folder | Makes it possible for the specified users or groups to view and retrieve data from the deprovisioned user’s home folder.
Make the selected user or group the owner of the home folder | Designates the specified user or group as the owner of the deprovisioned user’s home folder. The owner is authorized to control how permissions are set on the folder, and can grant permissions to others.
Delete the home folder when the user account is deleted | Upon the deletion of a user account, checks whether the user’s home folder is empty, and then deletes or retains the home folder, depending on the policy configuration. A policy can be configured to delete only empty folders, or to delete both empty and non-empty folders.
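The following is an added example, not Active Roles code, that applies the Table 11 options to one home folder using the .NET FileSystemSecurity API through Get-Acl/Set-Acl. The function name and parameter names are this example's own; it assumes DOMAIN\name principals and that the caller holds the privilege needed to assign ownership to another principal (SeRestorePrivilege, i.e. an elevated administrator or backup operator on the file server). The deletion step is what Active Roles runs when the account is deleted, not at deprovisioning; it is exposed here as a separate parameter.

```powershell
function Invoke-HomeFolderDeprovisioning {
    <#
    Added example (hypothetical function, not part of Active Roles).
    $Path is the home folder (local or UNC path).
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $User,
        [string] $Manager,
        [string[]] $ReadGrantees = @(),
        [string] $NewOwner,
        [ValidateSet('Retain', 'DeleteIfEmpty', 'DeleteAlways')] [string] $OnAccountDeletion = 'Retain'
    )

    # 1. Revoke the user's permissions. PurgeAccessRules strips only explicit ACEs,
    #    so if the folder inherits from the home-directory root, first convert the
    #    inherited ACEs into explicit ones (protect the DACL, preserving entries)
    #    and persist that; otherwise an inherited grant would survive the purge.
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl
        $acl = Get-Acl -Path $Path
    }
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount] $User)

    # 2. Read access (read, list and execute), inherited by subfolders and files.
    $readers = @($ReadGrantees)
    if ($Manager) { $readers += $Manager }
    foreach ($reader in $readers) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($reader, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }

    # 3. Ownership. The owner can always rewrite the DACL, so prefer an admin group
    #    over the manager unless the manager is meant to control permissions.
    if ($NewOwner) { $acl.SetOwner([System.Security.Principal.NTAccount] $NewOwner) }
    Set-Acl -Path $Path -AclObject $acl

    # 4. Deletion (the account-deletion step). -Force makes hidden files count as content.
    switch ($OnAccountDeletion) {
        'DeleteAlways'  { Remove-Item -Path $Path -Recurse -Force }
        'DeleteIfEmpty' {
            if (-not (Get-ChildItem -Path $Path -Force)) { Remove-Item -Path $Path -Force }
        }
    }
}

# Constructed usage: revoke the user, let the manager read, hand ownership to the
# file-server admins, retain the folder, dry run.
Invoke-HomeFolderDeprovisioning -Path '\\fs01\home$\jdoe' -User 'CORP\jdoe' -Manager 'CORP\mroe' `
    -NewOwner 'CORP\FileServer-Admins' -WhatIf
```

The inheritance step is the check most scripts skip: if the user's access was granted on the parent share and inherited down, removing explicit ACEs leaves the folder readable. Verify afterwards with Get-Acl that no ACE for the deprovisioned user remains and that the owner is the intended principal.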
For more information on configuring this Policy Object, see Configuring a Home Folder Deprovisioning policy in the Active Roles Administration Guide.