You can create and configure the Policy Object you need by using the New Deprovisioning Policy Object Wizard. For information about the wizard, see Creating a Policy Object.
To configure the policy, click Home Folder Deprovisioning on the Select Policy Type page of the wizard. Then, click Next.
On the Options to Deprovision Home Folder page, select both the Remove the user’s permissions on the home folder and Grant the user’s manager read-only access to the home folder check boxes.
Make sure that no other check boxes on the page are selected. Then, click Next and follow the instructions in the wizard to create the Policy Object.
You can apply the Policy Object by using the Enforce Policy page in the New Provisioning Policy Object Wizard, or you can complete the wizard and then use the Enforce Policy command on the domain, OU, or Managed Unit where you want to apply the policy.
For more information on how to apply a Policy Object, see Applying Policy Objects and Managing policy scope.
Policies in this category automate the movement of deprovisioned user accounts to specified Organizational Units. This removes such accounts from the control of administrators who are responsible for management of the Organizational Units in which those accounts originally reside. A policy in this category can also be configured not to move deprovisioned user accounts.
When processing a request to deprovision a user, Active Roles uses this policy to determine whether to move the deprovisioned user account to a different Organizational Unit.
A policy configured to move user accounts also specifies the destination Organizational Unit to which Active Roles moves deprovisioned user accounts.
A policy can be configured not to move user accounts. When applied at a certain level of the directory hierarchy, such a policy overrides any other policy of this category applied at a higher level of the directory hierarchy.
Let us consider an example to clarify this behavior. Suppose you configure a policy to move accounts and apply that policy to a certain parent container. In general, the policy is passed down from parent to child containers, that is, the policy applies to all child containers beneath the parent container, causing Active Roles to move deprovisioned user accounts from each container. However, if you configure a different policy not to move accounts and apply that new policy to a child container, the child container policy overrides the policy inherited from the parent container. Active Roles does not move deprovisioned user accounts from that child container or any container beneath that child container.
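The override rule described above can be checked against a planned set of policy links before they are applied. The following is an added example, not Active Roles code or part of the original documentation: it models only container inheritance (not Managed Units), and the OU names, policy links and function names are constructed for illustration.

```python
# Constructed policy links: container DN -> destination OU, or None for a
# policy configured not to move accounts. All names are hypothetical.
POLICY_LINKS = {
    "OU=Staff,DC=example,DC=test": "OU=Deprovisioned,DC=example,DC=test",
    "OU=Executives,OU=Staff,DC=example,DC=test": None,
}

def split_dn(dn):
    """Split a DN into RDNs, leaving backslash-escaped commas inside a value."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])          # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).lstrip())
    return parts

def effective_policy(user_dn, links=POLICY_LINKS):
    """Return (container_dn, destination) of the nearest linked policy, or None."""
    by_key = {tuple(r.casefold() for r in split_dn(dn)): (dn, dest)
              for dn, dest in links.items()}
    rdns = [r.casefold() for r in split_dn(user_dn)]
    # Skip the account's own RDN, then walk from the closest container upward;
    # the first container with a policy wins, overriding anything higher up.
    for i in range(1, len(rdns)):
        hit = by_key.get(tuple(rdns[i:]))
        if hit is not None:
            return hit
    return None

def describe(user_dn, links=POLICY_LINKS):
    """Summarize what would happen to a deprovisioned account at this DN."""
    hit = effective_policy(user_dn, links)
    if hit is None:
        return "no relocation policy in scope"
    container, dest = hit
    if dest is None:
        return f"not moved (policy on {container})"
    return f"moved to {dest} (policy on {container})"
```

Running `describe` over the DNs of accounts due for deprovisioning shows which of them would stay in their original OU, and therefore remain under the control of that OU's administrators.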