Identity Manager 8.0 - Administration Guide for Active Roles Integration

Deprovisioning Active Directory User Accounts and Active Directory Groups

One Identity Manager supports deprovisioning through Active Roles. Based on the deprovisioning policies configured in Active Roles, an Active Directory object is modified such that it is temporarily or permanently disabled and possibly is not deleted until a certain time period has expired. You can find detailed information about Active Roles deprovisioning in your One Identity Active Roles documentation.

NOTE: The deprovisioning policy configuration in Active Roles may conflict with the default One Identity Manager configuration. In this case, make the appropriate customizations, for example, to templates or processes.

The following procedures are implemented for deprovisioning Active Directory user accounts and Active Directory groups with One Identity Manager:

  • Deprovisioning Not Deletion
  • Quick deprovisioning

Deprovisioning Not Deletion

To implement this method

  • Enable the options User accounts deleted by Active Directory workflows and Groups deleted by Active Roles workflows in the Active Roles domains.

When an Active Directory user account or an Active Directory group is deleted in One Identity Manager, a deprovisioning process is generated in Active Roles instead of the default deletion process. This process queues the Active Directory object for deprovisioning in Active Roles, sets a deprovisioned status, and checks the deprovisioning sequence. How the Active Directory object continues to be processed in One Identity Manager depends on the result.

  • If the Active Directory object was deleted immediately in Active Roles, the Active Directory object is also deleted in One Identity Manager.
  • If the Active Directory object in Active Roles was renamed or moved to another Active Directory container, this is done in One Identity Manager as well.

    The Active Directory object remains in the One Identity Manager database with the status "deleted".

To delete a user account

  1. Select the category Active Directory | User accounts.
  2. Select the user account in the result list.
  3. Delete the user account.
  4. Confirm the security prompt with Yes.

To delete an Active Directory group

  1. Select the category Active Directory | Groups.
  2. Select the group in the result list.
  3. Delete the group.
  4. Confirm the security prompt with Yes.

Quick Deprovisioning

You can apply this method if the Active Directory domain is not labeled for deprovisioning. A Deprovision task is available for every Active Directory user account or Active Directory group.

A deprovisioning process is generated in Active Roles. This process queues the Active Directory object for deprovisioning in Active Roles, sets a deprovisioned status, and checks the deprovisioning sequence. How the Active Directory object continues to be processed in One Identity Manager depends on the result.

  • If the Active Directory object was deleted immediately in Active Roles, the Active Directory object is also deleted in One Identity Manager.
  • If the Active Directory object in Active Roles was renamed or moved to another Active Directory container, this is done in One Identity Manager as well.

    The Active Directory object remains in the One Identity Manager database with the status "changed". All the Active Directory object properties are loaded in the One Identity Manager database by the next synchronization and set to "published".

To deprovision an Active Directory user account

  1. Select the category Active Directory | User accounts.
  2. Select the user account in the result list.
  3. Select Deprovision.
  4. Confirm the security prompt with Yes.
  5. Confirm with OK.

To deprovision an Active Directory group

  1. Select the category Active Directory | Groups.
  2. Select the group in the result list.
  3. Select Deprovision.
  4. Confirm the security prompt with Yes.
  5. Confirm with OK.

Displaying Information about Deprovisioning Active Directory User Accounts and Active Directory Groups

The following properties are displayed for deprovisioning Active Directory user accounts and Active Directory groups:

Table 11: Deprovisioning Data

  • Deprovisioning status: Status of the deprovisioning sequence through Active Roles when an object is deleted. The data is loaded from Active Roles on synchronization. The status can have the following values:
      • No deprovisioning: The Active Directory object is enabled.
      • Deprovisioning successful: The Active Directory object was successfully deprovisioned.
      • Deprovisioning failed: An error occurred deprovisioning the Active Directory object.
  • Deprovisioning date: Status of the deprovisioning sequence through Active Roles when an object is deleted. The information is loaded from Active Roles during synchronization.

To display master data for deprovisioning an Active Directory user account

  1. Select the category Active Directory | User accounts.
  2. Select the user account in the result list.
  3. Select Change master data in the task view.
  4. Select the tab Active Roles.

To display master data for deprovisioning an Active Directory group

  1. Select the category Active Directory | Groups.
  2. Select the group in the result list.
  3. Select Change master data in the task view.
  4. Select the tab Active Roles.