Disabling Active Directory User Accounts

Disabling Active Directory User Accounts

The way you disable user accounts depends on how they are managed.

Scenario:

• The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the user account manage level. User accounts with the manage level "Full managed" are disabled depending on the account definition settings. For user accounts with another manage level, modify the column template ADSAccount.AccountDisabled accordingly.

Scenario:

• The user accounts are linked to employees. No account definition is applied.

User accounts managed through user account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the configuration parameter "QER\Person\TemporaryDeactivation".

• If the configuration parameter is set, the employee’s user accounts are disabled if the employee is permanently or temporarily disabled.
• If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To lock a user account when the configuration parameter is disabled

1. Select the category Active Directory | User accounts.
2. Select the user account in the result list.
3. Select Change master data in the task view.
4. Set the option Account is disabled on the General tab.
5. Save the changes.

Scenario:

• User accounts not linked to employees.

To lock a user account, which is not linked to an employee

1. Select the category Active Directory | User accounts.
2. Select the user account in the result list.
3. Select Change master data in the task view.
4. Set the option Account is disabled on the General tab.
5. Save the changes.

For more detailed information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.

Related Topics

• Setting Up Account Definitions
• Setting Up Manage Levels
• Deleting and Restoring Active Directory User Accounts

Deleting and Restoring Active Directory User Accounts

Deleting and Restoring Active Directory User Accounts

Objects in Active Directory like, for example user accounts, are issued with a unique identification number that is also linked to entitlements. In the case of domains with function level less than "Windows Server 2008 R2", IDs and connected entitlements are irreversibly lost when a user account is deleted from Active Directory. This makes it difficult to restore user accounts. In the case of domain functional level "Windows Server 2008 R2" and higher, user accounts can be deleted through the recycling bin. This moves the users to the recycle bin and from where they can be restored within a defined period without loss of IDs or entitlements.

When you configure the synchronization project you define whether, when adding an Active Directory object, to first check if the object is in the Active Directory recycling bin and must be restored.

One Identity Manager uses various methods to delete user accounts.

Deleting without an Active Directory Recycle Bin

This method can be applied to all domains that:

• Do not have a recycle bin because the functional level is less than "Windows Server 2008 R2"

  - OR -

• The recycling bin is not active for functional level "Windows Server 2008 R2" or higher.

After you have confirmed the security alert the user account is marked for deletion in the One Identity Manager. The user account is locked in One Identity Manager and finally deleted from the One Identity Manager database and the Active Directory depending on the deferred deletion setting.

Deleting through the Active Directory Recycle Bin

This method is applied to domains with functional level "Windows Server 2008 R2" or later and if the recycling bin is active.

After you have confirmed the security alert the user account is marked for deletion in the One Identity Manager. The user account is immediately deleted in Active Directory. The user account is locked in One Identity Manager and once the retention time has expired it is finally deleted in the One Identity Manager database. The retention time is entered in the Retention time option in the domain. If a retention time has not been given, the deferred deletion time is applied.

To delete a user account

1. Select the category Active Directory | User accounts.
2. Select the user account in the result list.
3. Delete the user account.
4. Confirm the security prompt with Yes.

To restore a user account

1. Select the category Active Directory | User accounts.
2. Select the user account in the result list.
3. Click Undo delete in the result list toolbar.

When a user accounts is deleted the configuration parameter defining handling of user directories is taken into account.

• Check the configuration parameters and modify them as necessary to suit your requirements.

  Table 60: Configuration Parameters for Deleting User Accounts

  Configuration parameter	Active Meaning
  QER\Person\User\DeleteOptions	This configuration parameter to control behavior when users are deleted
  QER\Person\User\DeleteOptions\FolderAnonymPre	If the delete options specify that a directory or a share should not be deleted, it is renamed and the given prefix is applied.
  QER\Person\User\DeleteOptions\HomeDir	Deletes the user home directory.
  QER\Person\User\DeleteOptions\HomeShare	Deletes the user home share.
  QER\Person\User\DeleteOptions\ProfileDir	Deletes the user profile directory.
  QER\Person\User\DeleteOptions\ProfileShare	Deletes the user profile share.
  QER\Person\User\DeleteOptions\TerminalHomeDir	Deletes the user terminal home directory.
  QER\Person\User\DeleteOptions\TerminalHomeShare	Deletes the user terminal home share.
  QER\Person\User\DeleteOptions\TerminalProfileDir	Deletes the user terminal profile directory.
  QER\Person\User\DeleteOptions\TerminalProfileShare	Delete the user terminal profile share.

Configuring Deferred Deletion

By default, user accounts are finally deleted from the database after 30 days.The user accounts are initially disabled. You can reenable the user accounts until deferred deletion is run. After deferred deletion is run, the user account are deleted from the database and cannot be restored anymore. You can configure an alternative delay on the table ADSAccount in the Designer.

Related Topics

• Disabling Active Directory User Accounts
• Deleting and Restoring Active Directory Contacts
• Active Directory Security IDs
• Creating a Synchronization Project for initial Synchronization of an Active Directory Domain

Active Directory Contacts

Active Directory Contacts

A contact is a non-security principal. That means a contact cannot log into a domain. A contact, for example, represents a user outside the company and is mainly used for distribution and email purposes.

Related Topics

• Entering Master Data for Active Directory Contacts
• Linking User Accounts to Employees
• Supported User Account Types

Entering Master Data for Active Directory Contacts

Entering Master Data for Active Directory Contacts

A contact can be connected to an employee in the One Identity Manager. You can also manage contacts separately from employees.

To edit contact master data

1. Select the category Active Directory | Contacts.
2. Select the contact in the result list and run Change master data in the task view.

   - OR -

   Click in the result list toolbar.

3. Edit the contact's master data.
4. Save the changes.

To manually assign or create a contact for an employee

1. Select the Employees | Employees.
2. Select the employee from the result list and run Assign Active Directory contacts from the task view.
3. Assign a contact.

   - OR -

   Select the task New contact and edit the master data.

4. Save the changes.

Detailed information about this topic

• General Master Data for Active Directory Contacts
• Contact Data for Active Directory Contacts
• Further Identification Data
• Extensions Data for Active Directory Contacts