When an Employee account is disabled in Identity Manager (whether permanently or temporarily), the corresponding Active Directory (AD) account is removed from the target system and the ADSAccount is deleted in the database.
Can this behaviour be overridden? For example, can the ADSAccount be disabled instead of deleted?
This is the default behaviour, but it can be changed. You can define the desired behaviour in the settings of the account definition, e.g.:
"Retain account" means "keep the account".
If that flag is inactive, the account definition assignment is deleted, which triggers the deletion of the account.
In the example above, you have to activate the flag for both "permanently disabled" and "temporarily disabled".
Additional behaviour is configurable here:
Here you can define what should happen with locking and group membership in different situations (depending on the manage level).
"Retain groups" means the same as mentioned above: "Keep the groups".