
Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory


Disabling Active Directory User Accounts

Table 59: Configuration Parameter for Disabling User Accounts

  Configuration parameter: QER\Person\TemporaryDeactivation
  Meaning: This configuration parameter specifies whether an employee's user accounts are locked when the employee is temporarily or permanently disabled.

The way you disable user accounts depends on how they are managed.

Scenario:
  • The user account is linked to employees and is managed through account definitions.

User accounts managed through account definitions are disabled when the employee is temporarily or permanently disabled. The exact behavior depends on the manage level of the user account: user accounts with the manage level "Full managed" are disabled according to the settings of the account definition. For user accounts with any other manage level, modify the column template for ADSAccount.AccountDisabled accordingly.

Scenario:
  • The user accounts are linked to employees. No account definition is applied.

User accounts that are linked to employees but not managed through account definitions are disabled when the employee is temporarily or permanently disabled. The behavior depends on the configuration parameter "QER\Person\TemporaryDeactivation".

  • If the configuration parameter is set, the employee’s user accounts are disabled if the employee is permanently or temporarily disabled.
  • If the configuration parameter is not set, the employee’s properties do not have any effect on the associated user accounts.

To lock a user account when the configuration parameter is disabled

  1. Select the category Active Directory | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Set the option Account is disabled on the General tab.
  5. Save the changes.

Scenario:
  • User accounts not linked to employees.

To lock a user account that is not linked to an employee

  1. Select the category Active Directory | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Set the option Account is disabled on the General tab.
  5. Save the changes.

For more detailed information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.

Deleting and Restoring Active Directory User Accounts

Objects in Active Directory, such as user accounts, are issued a unique identifier (the security ID) to which entitlements are linked. In domains with a functional level below "Windows Server 2008 R2", the ID and the entitlements connected to it are irreversibly lost when a user account is deleted from Active Directory, which makes restoring user accounts difficult. In domains with functional level "Windows Server 2008 R2" or higher, user accounts can be deleted through the Active Directory Recycle Bin. The deleted user is moved to the recycle bin, from where it can be restored within a defined period without loss of its ID or entitlements.

When you configure the synchronization project, you define whether, before an Active Directory object is added, One Identity Manager first checks if the object is in the Active Directory Recycle Bin and must be restored instead.

One Identity Manager uses various methods to delete user accounts.

Deleting without an Active Directory Recycle Bin

This method is applied to all domains in which:

  • No recycle bin exists because the functional level is below "Windows Server 2008 R2"

    - OR -

  • The functional level is "Windows Server 2008 R2" or higher but the recycle bin is not enabled.

After you have confirmed the security prompt, the user account is marked for deletion in One Identity Manager. The user account is locked in One Identity Manager and, depending on the deferred deletion setting, is finally deleted from the One Identity Manager database and from Active Directory.

Deleting through the Active Directory Recycle Bin

This method is applied to domains with functional level "Windows Server 2008 R2" or higher in which the recycle bin is enabled.

After you have confirmed the security prompt, the user account is marked for deletion in One Identity Manager and is immediately deleted in Active Directory. The user account is locked in One Identity Manager and, once the retention time has expired, is finally deleted from the One Identity Manager database. The retention time is entered in the Retention time option of the domain. If no retention time has been given, the deferred deletion time is applied.
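As an added illustration (not code from this guide or from One Identity), the PowerShell below checks the Active Directory-side preconditions this method depends on: whether the Recycle Bin optional feature is enabled in the forest, what the deleted-object lifetime is (the AD counterpart of the Retention time option), and whether a given deleted account is still in the Recycle Bin with its original SID. The account name jdoe is a placeholder; the cmdlets are those of the Microsoft ActiveDirectory module and require rights to read deleted objects.

```powershell
# Added example, not part of the One Identity Manager guide.
# Assumes the ActiveDirectory RSAT module and permission to read deleted objects.
Import-Module ActiveDirectory

$samAccountName = 'jdoe'   # placeholder account name, replace as needed

# 1. The Recycle Bin is an optional forest feature. EnabledScopes stays empty
#    until it has been enabled; without it, a deletion loses SID and entitlements.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Write-Warning 'Recycle Bin is not enabled in this forest; a deleted account cannot be restored with its SID.'
    return
}

# 2. Retention period of deleted objects. When msDS-DeletedObjectLifetime is
#    unset, Active Directory falls back to the tombstone lifetime.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$lifetime = $dsConfig.'msDS-DeletedObjectLifetime'
if (-not $lifetime) { $lifetime = $dsConfig.tombstoneLifetime }
Write-Output "Deleted object lifetime (days): $lifetime"

# 3. Deleted objects keep their objectSid but are renamed and moved to the
#    Deleted Objects container, so search with isDeleted=TRUE and the
#    -IncludeDeletedObjects switch.
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$samAccountName))" `
    -IncludeDeletedObjects -Properties objectSid, lastKnownParent, whenChanged

if (-not $deleted) {
    Write-Output "No deleted object with sAMAccountName '$samAccountName' is in the Recycle Bin."
    return
}

# 4. Show what a restore would bring back: the original SID and original container.
$deleted | Select-Object Name, objectSid, lastKnownParent, whenChanged

# 5. Restore only when intended: the object returns to lastKnownParent with its
#    SID and group memberships intact. Left commented out on purpose.
# Restore-ADObject -Identity $deleted.ObjectGUID
```

Run the check before relying on "Undo delete" in One Identity Manager: if the feature is disabled or the lifetime has elapsed, the account can only be recreated, and the new object receives a new SID, so the entitlements bound to the old SID are not recovered.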

NOTE: When you delete a user account, an Active Directory SID entry is created in the One Identity Manager.

NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the account definition assignment is removed, the user account created through this account definition is deleted.

To delete a user account

  1. Select the category Active Directory | User accounts.
  2. Select the user account in the result list.
  3. Delete the user account.
  4. Confirm the security prompt with Yes.

To restore a user account

  1. Select the category Active Directory | User accounts.
  2. Select the user account in the result list.
  3. Click Undo delete in the result list toolbar.

When a user account is deleted, the configuration parameters that define how user directories are handled are taken into account.

  • Check the configuration parameters and modify them as necessary to suit your requirements.

    Table 60: Configuration Parameters for Deleting User Accounts

    Configuration parameter: QER\Person\User\DeleteOptions
    Meaning: This configuration parameter controls the behavior when users are deleted.

    Configuration parameter: QER\Person\User\DeleteOptions\FolderAnonymPre
    Meaning: If the delete options specify that a directory or a share should not be deleted, it is renamed and the given prefix is applied.

    Configuration parameter: QER\Person\User\DeleteOptions\HomeDir
    Meaning: Deletes the user's home directory.

    Configuration parameter: QER\Person\User\DeleteOptions\HomeShare
    Meaning: Deletes the user's home share.

    Configuration parameter: QER\Person\User\DeleteOptions\ProfileDir
    Meaning: Deletes the user's profile directory.

    Configuration parameter: QER\Person\User\DeleteOptions\ProfileShare
    Meaning: Deletes the user's profile share.

    Configuration parameter: QER\Person\User\DeleteOptions\TerminalHomeDir
    Meaning: Deletes the user's terminal home directory.

    Configuration parameter: QER\Person\User\DeleteOptions\TerminalHomeShare
    Meaning: Deletes the user's terminal home share.

    Configuration parameter: QER\Person\User\DeleteOptions\TerminalProfileDir
    Meaning: Deletes the user's terminal profile directory.

    Configuration parameter: QER\Person\User\DeleteOptions\TerminalProfileShare
    Meaning: Deletes the user's terminal profile share.

Configuring Deferred Deletion

By default, user accounts are finally deleted from the database after 30 days. Until then the user accounts are disabled, and you can re-enable them at any time before deferred deletion runs. Once deferred deletion has run, the user accounts are deleted from the database and can no longer be restored. You can configure an alternative delay on the table ADSAccount in the Designer.

Active Directory Contacts

A contact is a non-security principal, which means a contact cannot log into a domain. A contact typically represents a user outside the company and is mainly used for distribution lists and email purposes.

Entering Master Data for Active Directory Contacts

A contact can be connected to an employee in the One Identity Manager. You can also manage contacts separately from employees.

Note: It is recommended to use account definitions to set up contacts for company employees. If an account definition is used to set up a contact, some of the master data described in the following is composed from the employee's master data using templates. The amount of data composed this way is determined by the default manage level of the account definition. The templates supplied should be customized as required.

Note: If employees obtain their contacts through account definitions, they must have a central user account and obtain their company IT data through assignment to a primary department, primary location, or primary cost center.

To edit contact master data

  1. Select the category Active Directory | Contacts.
  2. Select the contact in the result list and run Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Edit the contact's master data.
  4. Save the changes.

To manually assign or create a contact for an employee

  1. Select the category Employees | Employees.
  2. Select the employee from the result list and run Assign Active Directory contacts from the task view.
  3. Assign a contact.

    - OR -

    Select the task New contact and edit the master data.

  4. Save the changes.