Updating employees when Active Directory user accounts are modified
In One Identity Manager, modifications to employee properties are forwarded to the associated user accounts and subsequently provisioned in Active Directory. In certain circumstances, it may be necessary to forward user account modifications in Active Directory to employee properties in One Identity Manager.
Example
During testing, user accounts from Active Directory are only read into One Identity Manager and employees created. User account administration (creating, modifying, and deleting) should be done later through One Identity Manager. During testing, user accounts are modified further in Active Directory, which can lead to drifts in user account properties and employee properties. Due to this, user account modifications loaded on resynchronization should be temporarily published to employees who are already created. This means data is not lost when user account administration is put into effect through One Identity Manager.
To update employees when user accounts are modified
- In the Designer, set the TargetSystem | ADS | PersonUpdate configuration parameter.
Modifications to user accounts are loaded into One Identity Manager during synchronization. These modifications are forwarded to the associated employees through subsequent scripting and processing.
NOTE: When making changes to user accounts, the employees are only updated for user accounts with the Unmanaged manage level and that are linked to an employee.
NOTE: Only the employee created by the modified user account is updated. The data source from which the employee was created is shown in the Import data source property. If other user accounts are assigned to the employee, changes to these user accounts do not cause the employee to be updated.
User account properties are mapped to employee properties using the VI_PersonUpdate_ADSAccount script. Contact properties are mapped to employee properties using the ADS_PersonUpdate_ADSContact script. To adjust the mapping more easily, the scripts can be overwritten.
To customize, create a copy of the respective script and start the script code as follows:
Public Overrides Function ADS_PersonUpdate_ADSAccount(ByVal UID_Account As String, OldAccountDN As String, ProcID As String)
This redefines the script and overwrites the original. The process does not have to be changed in this case.
Automatic creation of departments and locations based on user account information
You can create new departments and locations in One Identity Manager based on user account department and location data. Furthermore, these departments and locations are assigned to the employees of the user accounts as primary department and primary location. These employees can obtain their company resources through these assignments if One Identity Manager is configured correspondingly.
Prerequisites for using this method
Employees must be created automatically when user accounts are added or modified. At least one of the following configuration parameters must be activated and the corresponding method implemented.
Table 48: Configuration parameters for automatic employee assignment
TargetSystem | ADS | PersonAutoDefault: Automatic employee assignment for user accounts added to the database outside synchronization, based on the given mode.
TargetSystem | ADS | PersonAutoFullsync: Automatic employee assignment for user accounts created or updated in the database as a result of synchronization, based on the given mode.
TargetSystem | ADS | PersonUpdate: Ongoing update of employee objects from linked user accounts.
To implement this method
- In the Designer, set the TargetSystem | ADS | AutoCreateDepartment configuration parameter to generate departments from the user account information.
- In the Designer, set the TargetSystem | ADS | AutoCreateLocality configuration parameter to generate locations from the user account information.
Disabling Active Directory user accounts
The way you disable user accounts depends on how they are managed.
Scenario:
User accounts managed through account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the user account manage level. Accounts with the Full managed manage level are disabled depending on the account definition settings. For user accounts with a manage level, configure the required behavior using the template in the ADSAccount.AccountDisabled column.
Scenario:
User accounts managed through user account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the QER | Person | TemporaryDeactivation configuration parameter.
- If the configuration parameter is set, the employee's user accounts are disabled when the employee is permanently or temporarily disabled.
- If the configuration parameter is not set, the employee's properties do not have any effect on the associated user accounts.
To disable the user account when the configuration parameter is disabled
- In the Manager, select the Active Directory | User accounts category.
- Select the user account in the result list.
- Select the Change master data task.
- On the General tab, set the Account is disabled option.
- Save the changes.
Scenario:
User accounts not linked to employees.
To disable a user account that is no longer linked to an employee
- In the Manager, select the Active Directory | User accounts category.
- Select the user account in the result list.
- Select the Change master data task.
- On the General tab, set the Account is disabled option.
- Save the changes.
For more detailed information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.
Deleting and restoring Active Directory user accounts
Objects in Active Directory, such as user accounts, are issued with a unique identification number that is also linked to entitlements. For domains with a functional level below Windows Server 2008 R2, when user accounts are deleted in Active Directory, the ID and the associated authorizations are irreversibly lost. This makes it difficult to restore user accounts. For domains with a functional level of Windows Server 2008 R2 and above, user accounts can be deleted using the recycle bin. This moves the user accounts to the recycle bin, from where they can be restored within a defined period without loss of IDs or entitlements.
When you configure the synchronization project, you define whether, when adding an Active Directory object, the system should first check if the object is in the Active Directory recycle bin and can be restored.
One Identity Manager uses various methods for deleting user accounts.
Deleting without an Active Directory recycle bin
This method can be applied to all domains that:
- have a functional level below Windows Server 2008 R2 and therefore have no recycle bin available, or
- have a functional level of Windows Server 2008 R2 or above, but in which the recycle bin is not activated.
After you have confirmed the security alert, the user account is marked for deletion in One Identity Manager. The user account is locked in One Identity Manager and finally deleted from the One Identity Manager database and the Active Directory depending on the deferred deletion setting.
Deleting with the Active Directory recycle bin
This method is used for domains with a functional level of Windows Server 2008 R2 or above in which the recycle bin is activated.
After you have confirmed the security alert, the user account is marked for deletion in One Identity Manager. The user account is locked in One Identity Manager and is finally deleted from the One Identity Manager database once the deferred deletion time has expired. In Active Directory, the user account is moved into the recycle bin and is finally deleted from Active Directory once the deferred deletion time has expired. The retention time for objects in the recycle bin is entered in the domain in the Retention period property.
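Which of the two deletion methods applies depends on the domain functional level, whether the recycle bin feature is enabled, and the retention period. The following PowerShell check is an added example, not part of the One Identity Manager documentation; it assumes the ActiveDirectory RSAT module and read access to the configuration partition, and reports those three facts so an administrator can verify them before relying on restore.

```powershell
# Added example (not from the One Identity Manager documentation).
# Reports which deletion method applies to the current domain: functional level,
# recycle bin state, and the retention period (msDS-DeletedObjectLifetime) that
# limits how long deleted accounts stay restorable.
Import-Module ActiveDirectory

function Get-AdDeletionMethod {
    [CmdletBinding()]
    param([string]$Server)

    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }

    $domain  = Get-ADDomain @adArgs
    $rootDse = Get-ADRootDSE @adArgs

    # The recycle bin is an optional forest feature; EnabledScopes stays empty until it is enabled.
    $feature = Get-ADOptionalFeature @adArgs -Filter 'Name -like "Recycle Bin Feature"'
    $recycleBinEnabled = [bool]($feature -and $feature.EnabledScopes.Count -gt 0)

    # The retention period is stored on the Directory Service object in the configuration partition.
    $dsDn = 'CN=Directory Service,CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext
    $dsObject = Get-ADObject @adArgs -Identity $dsDn -Properties 'msDS-DeletedObjectLifetime'
    $retention = $dsObject.'msDS-DeletedObjectLifetime'
    if (-not $retention) { $retention = 'unset (follows tombstoneLifetime)' }

    # ADDomainMode enum: Windows2008R2Domain has the value 4.
    $levelOk = ([int]$domain.DomainMode -ge 4)

    $method = if ($levelOk -and $recycleBinEnabled) {
        'Deleting with the Active Directory recycle bin'
    } else {
        'Deleting without an Active Directory recycle bin'
    }

    [pscustomobject]@{
        Domain            = $domain.DNSRoot
        DomainMode        = $domain.DomainMode
        RecycleBinEnabled = $recycleBinEnabled
        RetentionDays     = $retention
        DeletionMethod    = $method
    }
}

Get-AdDeletionMethod | Format-List
```

If RecycleBinEnabled is false, the deferred deletion delay in One Identity Manager is the only window in which a deleted account can still be brought back without losing its SID and entitlements.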
NOTE: When you delete a user account, an Active Directory SID entry is created in One Identity Manager.
NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the assignment of an account definition is removed, the user account that was created from this account definition is deleted.
To delete a user account
- Select the Active Directory | User accounts category.
- Select the user account in the result list.
- Delete the user account.
- Confirm the security prompt with Yes.
To restore a user account
- Select the Active Directory | User accounts category.
- Select the user account in the result list.
- Click Undo delete in the result list toolbar.
When a user account is deleted, the configuration parameters that define the handling of user directories are taken into account.
- Check the configuration parameters and modify them as necessary to suit your requirements.
Table 49: Configuration parameters for deleting user accounts
QER | Person | User | DeleteOptions: Controls the behavior when users are deleted.
QER | Person | User | DeleteOptions | FolderAnonymPre: If the delete options specify that a directory or a share should not be deleted, it is renamed and the given prefix is applied.
QER | Person | User | DeleteOptions | HomeDir: Deletes the user home directory.
QER | Person | User | DeleteOptions | HomeShare: Deletes the user home share.
QER | Person | User | DeleteOptions | ProfileDir: Deletes the user profile directory.
QER | Person | User | DeleteOptions | ProfileShare: Deletes the user profile share.
QER | Person | User | DeleteOptions | TerminalHomeDir: Deletes the user terminal home directory.
QER | Person | User | DeleteOptions | TerminalHomeShare: Deletes the user terminal home share.
QER | Person | User | DeleteOptions | TerminalProfileDir: Deletes the user terminal profile directory.
QER | Person | User | DeleteOptions | TerminalProfileShare: Deletes the user terminal profile share.
Configuring deferred deletion
By default, user accounts are finally deleted from the database after 30 days. The user accounts are initially disabled. You can re-enable the user accounts until deferred deletion is run. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore. In the Designer, you can set an alternative delay on the ADSAccount table.