Many admins use privileged accounts alongside their standard accounts for tasks that require elevated privileges. It is often desirable to automatically find and deprovision these privileged accounts whenever the standard user account is deprovisioned.
This can be accomplished with Workflows in Active Roles. The steps below describe how to build a basic sample workflow for this purpose.
Step 1: Create the workflow
Step 2: Configure the Workflow options and start conditions
We now have a workflow that triggers automatically when any user is deprovisioned. Next, we will add logic to search for corresponding privileged admin accounts, if any exist. In the following example, the admin accounts have the same sAMAccountName as the standard account, followed by .admin (example: Standard account: jsmith / Privileged account: jsmith.admin).
Step 3: Configure the Search activity
At this point, the workflow can search for any .admin accounts that correspond to the standard account. Next, we will add a step that deprovisions any objects found in the search results.
Step 4: Add the deprovisioning step
Now that the Deprovision activity has been added, any accounts returned by the search are passed to it and deprovisioned as well. Be sure to modify the filter in Step 3 to match the naming format of the privileged accounts in your environment.
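
To confirm the workflow is doing its job, the check below lists privileged accounts that are still enabled although their standard account is disabled or missing. It is an added example, not part of the original article or of Active Roles: the function names are hypothetical, and it assumes the `.admin` suffix convention above and that a deprovisioned account ends up disabled.

```powershell
# Added example: audit for privileged accounts the workflow should have caught.
# Assumptions: <sAMAccountName>.admin naming; deprovisioning disables the account.

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 special characters; the backslash must be replaced first.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Find-OrphanedAdminAccount {
    param(
        [Parameter(Mandatory)][object[]]$Account,  # needs SamAccountName and Enabled
        [string]$Suffix = '.admin'
    )
    # Index every account by lower-cased name for case-insensitive lookup.
    $byName = @{}
    foreach ($a in $Account) { $byName[$a.SamAccountName.ToLowerInvariant()] = $a }

    foreach ($a in $Account) {
        $name = $a.SamAccountName
        if (-not $name.EndsWith($Suffix, [StringComparison]::OrdinalIgnoreCase)) { continue }
        if (-not $a.Enabled) { continue }   # privileged account already disabled
        $stdName = $name.Substring(0, $name.Length - $Suffix.Length)
        $std = $byName[$stdName.ToLowerInvariant()]
        if ($null -eq $std -or -not $std.Enabled) {
            $escaped = ConvertTo-LdapFilterValue $name
            [pscustomobject]@{
                PrivilegedAccount = $name
                StandardAccount   = $stdName
                Reason            = if ($null -eq $std) { 'standard account missing' }
                                    else { 'standard account disabled' }
                LdapFilter        = "(sAMAccountName=$escaped)"
            }
        }
    }
}

# Constructed sample data. Against a live domain, pass the output of
# Get-ADUser -Filter * (ActiveDirectory module) instead.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';       Enabled = $false }
    [pscustomobject]@{ SamAccountName = 'jsmith.admin'; Enabled = $true  }
    [pscustomobject]@{ SamAccountName = 'adoe';         Enabled = $true  }
    [pscustomobject]@{ SamAccountName = 'adoe.admin';   Enabled = $true  }
    [pscustomobject]@{ SamAccountName = 'bwong.admin';  Enabled = $true  }
)
Find-OrphanedAdminAccount -Account $sample | Format-Table -AutoSize
```

With the sample data, `jsmith.admin` and `bwong.admin` are reported and `adoe.admin` is not. Change `-Suffix` to match the privileged-account naming format used in your environment.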