Deprovisioning privileged admin accounts alongside standard accounts (4258576)

Many admins use privileged accounts alongside their standard accounts for tasks that require elevated privileges. It may be desirable to have the ability to automatically search out and deprovision these privileged accounts whenever the standard user account is deprovisioned.

This task can be accomplished through the utilization of Workflows in Active Roles. The steps below provide instructions on building a basic sample workflow for this functionality. 

Step 1: Create the workflow

1. In the Active Roles MMC, navigate to Configuration | Policies | Workflow
2. Right click the workflow container of choice, and select New > Workflow
3. Provide an appropriate Name and Description for your workflow
4. For the Workflow Type, select Upon a request to change data in the directory (change workflow)
5. Click Finish to complete

Step 2: Configure the Workflow options and start conditions

1. Click on the newly create workflow, the activities pane should appear to the right
2. Towards the top, select the Workflow options and start conditions drop-down
3. Click the Configure button
4. Click the Select operation button
5. Select Deprovision
6. Click Finish
7. Click OK

We now have a workflow that will trigger automatically when any user is deprovisioned. Next, we will add logic to search and locate corresponding privileged admin accounts, if any exists. In the following example, the admin accounts have the same sAMAccountName as the standard account, followed up with .admin (example: Standard account: jsmith / Privileged account: jsmith.admin).

Step 3: Configure the Search activity

1. Drag a Search activity from the left hand sidebar, onto the line directly below/after the Operation Execution activity in the workflow
2. Double-Click on the newly created Search for objects activity to open it's Properties
3. Click on the Scope and filter tab on the left
4. In the Find: drop-down menu, change the selection to Users
5. Configure the When searching the Organizational Unit or container: option to Retrieve any objects held in the Organizational Unit or container
6. In the Search options: Filter pane, click the green + mark to add a search condition
7. Click on the red Configure condition to evaluate text
8. Select Logon Name (pre-Windows 2000) (sAMAccountName) from the menu
9. Click on the red Define value to compare to text
10. Select Value generated by rule expression from the menu
11. Click Add entry and select Property of object from workflow data context... from the menu
12. Next to Target object: click on Click to choose and select Workflow Target
13. Next to Target Property: click on Click to choose and select Logon Name (pre-Windows 2000) (sAMAccountName)
14. Click OK
15. Click Add entry and Text String
16. Input .admin
17. Click OK and then OK again

At this point the workflow now has the ability to search for any .admin accounts that correspond to the standard account. Next we will add a step that will deprovision any objects found in the search results.

Step 4: Add the deprovisioning step

1. Drag a Deprovision activity from the left hand sidebar, onto the Drop Activities Here text inside of the Search activity box
2. Double-Click on the newly created Deprovision activity to open it's Properties
3. Click on Workflow Target and select Object found by search activity from the menu
4. Click OK
5. Click Save Changes

Now that we have added the Deprovision activity, search results will then be passed on and deprovisioned as well. Please be sure to modify the Filter in step 3 to match the formatting of the privileged accounts in your environment.