You can delete Active Directory user accounts with the Active Roles Console.
To delete a user account
- In the Console tree, locate and select the folder that contains the user account you want to delete.
- In the details pane, right-click the user account, then click Delete.
 
NOTE: Consider the following when deleting a user account:
- Deleting an account is a destructive operation that cannot be undone. Once an account is deleted, the permissions and memberships associated with that account are also permanently deleted. Because the security ID (SID) for each account is unique, a new account with the same name as the previously deleted account does not automatically receive the permissions and memberships that the previously deleted account had. To duplicate a deleted account, you must recreate all permissions and memberships manually.
- You can delete multiple objects at the same time by selecting the objects, right-clicking the selection, and clicking Delete. To select multiple objects, press and hold Ctrl, then click each object. If you select multiple objects, clicking Delete displays a dialog. To delete all the selected objects, select the Apply to all items check box, then click Yes.
- Instead of deleting user accounts, you can also deprovision them by selecting the accounts, right-clicking the selection, then clicking Deprovision.
- To locate user accounts for deletion or deprovisioning, use the Find function of Active Roles. Once you have found the users, delete or deprovision them by selecting the accounts in the list of search results, right-clicking the selection, and clicking Delete or Deprovision.
- When attempting to delete an object, you may receive an error message that access is denied to the object. This typically occurs if the object is protected from deletion. To remove this protection, navigate to the Properties > Object tab of the object you want to delete, then clear the Protect object from accidental deletion check box. After that, try deleting the object again.
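
Because a deleted account's SID and memberships cannot be recovered by recreating the account, it helps to record them first. The following is an added example, not part of the Active Roles documentation or product: a read-only snapshot taken with Microsoft's ActiveDirectory PowerShell module. The function name, the account name `jdoe` and the output path are assumptions.

```powershell
# Added example (not Active Roles code). Read-only: records what a delete would discard.
# Assumes Microsoft's ActiveDirectory module (RSAT); 'jdoe' and the path are placeholders.
Import-Module ActiveDirectory

function Export-AccountSnapshot {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Path
    )

    $user = Get-ADUser -Identity $Identity -Properties SIDHistory

    # Includes the primary group, which the memberOf attribute omits.
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
        Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                GroupSid          = $_.SID.Value
            }
        }

    # The flag behind the "Protect object from accidental deletion" check box.
    $obj = Get-ADObject -Identity $user.DistinguishedName `
        -Properties ProtectedFromAccidentalDeletion

    $snapshot = [pscustomobject]@{
        CapturedUtc       = (Get-Date).ToUniversalTime().ToString('o')
        SamAccountName    = $user.SamAccountName
        DistinguishedName = $user.DistinguishedName
        # ACLs reference this SID, not the name; a recreated account gets a new one.
        Sid               = $user.SID.Value
        SidHistory        = @($user.SIDHistory | ForEach-Object { $_.Value })
        ProtectedFromAccidentalDeletion = [bool]$obj.ProtectedFromAccidentalDeletion
        Groups            = @($groups)
    }

    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
    return $snapshot
}

$snap = Export-AccountSnapshot -Identity 'jdoe' -Path '.\jdoe-predelete.json'
'{0} (SID {1}): {2} group(s) recorded, protected={3}' -f `
    $snap.SamAccountName, $snap.Sid, $snap.Groups.Count, $snap.ProtectedFromAccidentalDeletion
```

The recorded SID is also what remains visible in resource ACLs after the account is gone, so the snapshot lets you match unresolved SIDs back to the deleted user.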
  
    
Active Roles provides the ability to deprovision rather than delete or only deactivate user accounts. Deprovisioning a user refers to a set of actions that are performed by Active Roles in order to prevent the user from logging in to the network and accessing network resources such as the user mailbox or home folder.
The Deprovision command on a user account updates the account according to the deprovisioning policies. Active Roles comes with a default policy to automate some commonly-used deprovisioning tasks, and allows administrators to configure and apply additional policies.
You can deprovision Active Directory user accounts with the Active Roles Console.
To deprovision a user account
- In the Console tree, locate and select the folder that contains the user account you want to deprovision.
- In the details pane, right-click the user account, then click Deprovision.
- Wait while Active Roles updates the user account.
NOTE: Consider the following when deprovisioning a user account:
- You can deprovision multiple accounts at a time. Select two or more user accounts, right-click the selection, then click Deprovision.
- The Deprovision command is also available in the Active Roles Web Interface. When you click the Deprovision command, the operation progress and results are displayed. When the operation is completed, Active Roles displays the operation summary, and allows you to examine operation results in detail.
- On a deprovisioned user account, you can use the Deprovisioning Results command to view a report that lists the actions taken during the deprovisioning of the account. For each action, the report indicates whether the action succeeded or failed. If an action failed, the report describes the error.
- If a deprovisioned user account needs to be restored (for example, if a user account has been deprovisioned by mistake), the account can be reset to the state it was in before the deprovisioning occurred. This can be accomplished by using the Undo Deprovisioning command on the deprovisioned account.
  
    
Active Roles provides the ability to restore deprovisioned user accounts. The purpose of this operation, referred to as the Undo Deprovisioning operation, is to roll back the changes that were made to a user account by the Deprovision operation. When a deprovisioned user account needs to be restored (for example, if a user account has been deprovisioned by mistake), the Undo Deprovisioning operation allows the account to be restored to the state it was in before the changes were made.
You can restore previously deprovisioned Active Directory user accounts with the Active Roles Console.
To restore a deprovisioned user account
- In the Console tree, locate and select the folder that contains the user account you want to restore.
- In the details pane, right-click the user account, then click Undo Deprovisioning.
- In the Password Options dialog, choose the options to apply to the password of the restored account, then click OK. For information about each option, open the Password Options dialog, then press F1.
- Wait while Active Roles restores the user account. When you click the Undo Deprovisioning command, the operation progress and results are displayed. When the operation is completed, Active Roles displays the operation summary, and allows you to examine the operation results in detail. You can view a report that lists the actions taken during the restore operation. For each action, the report indicates whether the action succeeded or failed. If an action failed, the report describes the error.
  
    
You can use Active Roles to add or remove digital (X.509) certificates from user accounts in Active Directory. By adding a certificate to a user account you make the certificate (including the public key associated with the certificate) available to other Active Directory users and to Active Directory-aware applications and services.
The certificates added to Active Directory user accounts are referred to as published certificates. Published authentication certificates are used by Active Directory domain controllers during certificate-based authentication. Published encryption certificates can be used to enable access to encrypted contents. For instance, in the case of email encryption, the sender retrieves the recipient’s certificate from the Active Directory user account and uses that certificate to encrypt the email message so that the recipient can decrypt the message by using the private key associated with the certificate. A similar process occurs when you want to allow a given user to read an encrypted file. The certificate retrieved from the user account is used to encrypt the file encryption key so that the file encryption key can be obtained by using the private portion of the user’s certificate to decrypt the encrypted key material.
To view or change the list of digital certificates for a particular user account, open the Properties page for that user account in the Active Roles Console or Web Interface and go to the Published Certificates tab. From the Published Certificates tab, you can perform the following tasks:
- View the list of the certificates published for the user account in Active Directory.
- Examine each of the published certificates in detail.
- Add a certificate from the local certificate store (available in the Console only).
- Add a certificate that is saved in a certificate file.
- Remove a certificate from the user account.
- Copy a published certificate to a certificate file.
For each of the certificates that are listed on the Published Certificates tab, you can view the following information:
- The purposes that the certificate is intended for (available in the Console only).
- The name of the person or company to which the certificate was issued.
- The name of the certification authority that issued the certificate.
- The time period for which the certificate is valid.
- Additional information about the certification authority that issued the certificate, if available.
- The list of all X.509 fields, extensions, and associated properties found in the certificate.
- The hierarchy of certification authorities for the certificate (available in the Console only).
To add or remove a certificate for a user account using the Active Roles Console
- Open the Properties dialog for the user account and click the Published Certificates tab.
- Do the following:
  - Click Add from Store to add a certificate from the local certificate store.
  - Click Add from File to add a certificate that is saved in a certificate file.
  - Select a certificate from the list on the tab and click Remove to remove the certificate.
 
 
From the Published Certificates page in the Active Roles Console, you can also view or export any of the certificates listed on that page. Select a certificate from the list, then click View Certificate to examine the certificate in detail or click Copy to File to save a copy of the certificate to a file.
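
The certificate details shown on the Published Certificates tab (subject, issuer, validity period, intended purposes) can also be reviewed in bulk to find stale published certificates. The following is an added example, not part of the Active Roles documentation or product: it reads the `userCertificate` attribute with Microsoft's ActiveDirectory PowerShell module. The function name, the `WarnDays` threshold and the account name `jdoe` are assumptions.

```powershell
# Added example (not Active Roles code). Read-only review of published certificates.
# Assumes Microsoft's ActiveDirectory module (RSAT); 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

function Get-PublishedCertificateReport {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$WarnDays = 30   # hypothetical threshold for "expiring soon"
    )

    $user = Get-ADUser -Identity $Identity -Properties userCertificate
    $now  = Get-Date

    foreach ($raw in $user.userCertificate) {
        # Each value of userCertificate is one DER-encoded X.509 certificate.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)

        # Intended purposes come from the Enhanced Key Usage extension, when present.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value } }

        if ($now -lt $cert.NotBefore) {
            $status = 'NotYetValid'
        } elseif ($now -gt $cert.NotAfter) {
            $status = 'Expired'
        } elseif ($now.AddDays($WarnDays) -gt $cert.NotAfter) {
            $status = 'ExpiringSoon'
        } else {
            $status = 'Valid'
        }

        [pscustomobject]@{
            User       = $user.SamAccountName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Purposes   = ($eku -join ', ')
            Status     = $status
        }
    }
}

Get-PublishedCertificateReport -Identity 'jdoe' | Sort-Object NotAfter | Format-Table -AutoSize
```

The validity check covers dates only; it does not build the issuer chain or check revocation, which the Console's certificate view and the issuing CA remain the reference for.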