Configuration parameter | Meaning |
---|---|
QER\Person\TemporaryDeactivation | This configuration parameter specifies whether user accounts for an employee are locked if the employee is temporarily or permanently disabled. |
The way you
User accounts managed through account definitions are
User accounts managed through user account definitions are
To lock a user account when the configuration parameter is disabled
To lock a user account, which is not linked to an employee
For more detailed information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.
Objects in Active Directory, such as user accounts, are issued a unique identification number that is also linked to entitlements. In domains with a functional level below "Windows Server 2008 R2", IDs and the entitlements connected to them are irreversibly lost when a user account is deleted from Active Directory, which makes restoring user accounts difficult. In domains with functional level "Windows Server 2008 R2" or higher, user accounts can be deleted through the recycle bin: deletion moves the user to the recycle bin, from where it can be restored within a defined period without loss of IDs or entitlements.
When you configure the synchronization project, you define whether, before an Active Directory object is added, a check is first made as to whether the object is in the Active Directory recycle bin and must be restored.
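As an added example (not One Identity Manager's own code), the check described above can be carried out from PowerShell with the ActiveDirectory module: it confirms that the recycle bin is enabled, looks for a deleted account with the same sAMAccountName, and restores it so that the SID and the entitlements tied to it survive. The function names are assumptions of this example; the cmdlets and attributes used are standard.

```powershell
# Added example, not One Identity Manager code. Requires the ActiveDirectory
# module (RSAT) and rights to read and restore deleted objects.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # The Recycle Bin is an optional forest feature (forest functional level
    # Windows Server 2008 R2 or higher); it is active when EnabledScopes is set.
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    return ($null -ne $feature -and $feature.EnabledScopes.Count -gt 0)
}

function Get-ADDeletedObjectLifetimeDays {
    # msDS-DeletedObjectLifetime defines how long a deleted object stays
    # restorable; when it is unset, the tombstoneLifetime applies.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
              -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
    if ($ds.'msDS-DeletedObjectLifetime') { return $ds.'msDS-DeletedObjectLifetime' }
    return $ds.tombstoneLifetime
}

function Find-DeletedADAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Deleted objects are hidden from normal searches; -IncludeDeletedObjects
    # exposes them and isDeleted restricts the result to deleted objects only.
    Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties sAMAccountName, objectSid, whenChanged, lastKnownParent
}

function Restore-DeletedADAccountIfPresent {
    param([Parameter(Mandatory)][string]$SamAccountName)
    if (-not (Test-ADRecycleBinEnabled)) {
        Write-Warning "Recycle Bin is not enabled: a deleted account's SID and entitlements cannot be recovered."
        return $null
    }
    $deleted = @(Find-DeletedADAccount -SamAccountName $SamAccountName)
    if ($deleted.Count -eq 0) { return $null }      # nothing to restore; safe to create a new account
    if ($deleted.Count -gt 1) {
        Write-Warning "More than one deleted object matches $SamAccountName; review before restoring."
        return $deleted
    }
    $days = Get-ADDeletedObjectLifetimeDays
    $age  = (Get-Date) - $deleted[0].whenChanged
    Write-Host ("{0} was deleted from {1} {2:N0} of {3} days ago" -f $SamAccountName, $deleted[0].lastKnownParent, $age.TotalDays, $days)
    # Restoring keeps the original objectSid, so group memberships and ACLs that
    # reference it stay valid; the object returns to its last known parent OU.
    Restore-ADObject -Identity $deleted[0].ObjectGUID -PassThru
}
```

Run `Restore-DeletedADAccountIfPresent -SamAccountName <account>` before creating the account; a `$null` result means there is nothing in the recycle bin to restore.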
One Identity Manager uses various methods to delete user accounts.
This method can be applied to all domains that:
- OR -
After you have confirmed the security alert, the user account is marked for deletion in One Identity Manager. The user account is locked in One Identity Manager and, depending on the deferred deletion setting, finally deleted from the One Identity Manager database and from Active Directory.
This method is applied to domains with functional level "Windows Server 2008 R2" or later in which the recycle bin is active.
After you have confirmed the security alert, the user account is marked for deletion in One Identity Manager. The user account is immediately deleted in Active Directory. The user account is locked in One Identity Manager and, once the retention time has expired, finally deleted from the One Identity Manager database. The retention time is entered in the Retention time option of the domain. If no retention time has been given, the deferred deletion time is applied.
NOTE: When you delete a user account, an Active Directory SID entry is created in One Identity Manager.

NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the account definition assignment is removed, the user account created through this account definition is deleted.
To delete a user account
To restore a user account
When a user account is deleted, the configuration parameters that define the handling of user directories are taken into account.
Configuration parameter | Meaning when active |
---|---|
QER\Person\User\DeleteOptions | This configuration parameter controls the behavior when users are deleted. |
QER\Person\User\DeleteOptions\FolderAnonymPre | If the delete options specify that a directory or a share should not be deleted, it is renamed and the given prefix is applied. |
QER\Person\User\DeleteOptions\HomeDir | Deletes the user home directory. |
QER\Person\User\DeleteOptions\HomeShare | Deletes the user home share. |
QER\Person\User\DeleteOptions\ProfileDir | Deletes the user profile directory. |
QER\Person\User\DeleteOptions\ProfileShare | Deletes the user profile share. |
QER\Person\User\DeleteOptions\TerminalHomeDir | Deletes the user terminal home directory. |
QER\Person\User\DeleteOptions\TerminalHomeShare | Deletes the user terminal home share. |
QER\Person\User\DeleteOptions\TerminalProfileDir | Deletes the user terminal profile directory. |
QER\Person\User\DeleteOptions\TerminalProfileShare | Deletes the user terminal profile share. |
By default, user accounts are finally deleted from the database after 30 days. The user accounts are initially disabled. You can re-enable the user accounts until deferred deletion is run. After deferred deletion has run, the user accounts are deleted from the database and cannot be restored anymore. You can configure an alternative delay on the table ADSAccount in the Designer.
A contact is a non-security principal. That means a contact cannot log into a domain. A contact, for example, represents a user outside the company and is mainly used for distribution and email purposes.
A contact can be connected to an employee in One Identity Manager. You can also manage contacts separately from employees.
Note: It is recommended to use account definitions to set up contacts for company employees. If an account definition is used to set up a contact, some of the master data described in the following is composed of the employee’s master data using templates. The amount of data, in this case, is based on the default manage level of the account definitions. The templates supplied should be customized as required.

Note: If employees obtain their contacts through account definitions, they have to have a central user account and obtain their company IT data through assignment to a primary department, primary location or a primary cost center.
To edit contact master data
- OR -
Click in the result list toolbar.
To manually assign or create a contact for an employee
- OR -
Select the task New contact and edit the master data.