Identity and Active Directory management

Tutorials

Automatically Deprovision Inactive AD Users

To improve security and comply with regulatory requirements, it is necessary to handle inactive AD user accounts in a timely manner. Instead of disabling or deleting inactive user accounts, it is highly recommended to properly deprovision users and their data. For example, you may want to delete the home folder of a terminated user, forward the user's email to his/her manager, hide the user's mailbox from GAL, etc.

Using the Scheduled Tasks feature of Adaxes you can automate management of inactive user accounts in Active Directory. With the help of the built-in Scheduled Task called Inactive User Deleter you can automate the process of deprovisioning and further deletion of inactive user accounts. In this tutorial you'll learn how to customize the task and how to modify approval options for its execution.

If some undesired changes were made to a built-in Scheduled Task, you can discard all changes made to this task. To do this, right-click the task and click Restore to Initial State in the context menu.

Launch Adaxes Administration Console, expand Adaxes service \ Configuration \ Scheduled Tasks \ Builtin. Select the Inactive User Deleter task.


By default, the task is disabled. To enable the task, right-click it, point to All Tasks, and click Enable.


If necessary, modify actions and conditions of the task. The actions and conditions are displayed in the Result Pane.


If a user is inactive for more than 12 weeks, the task submits a request to deprovision this user.

See how to change the inactivity period

  • Right-click the If account is inactive condition.
  • Click Edit Condition in the context menu.

  • Change the number of weeks according to your needs and click OK.

To deprovision a user the task executes the built-in Custom Command called Deprovision for this user. For instructions on how to customize this command, see Configure User Deprovisioning.
By default, a user is deprovisioned only after the operation is approved by the manager of the user or an owner of the Organizational Unit where the user is located.

See how to modify the approvers or disable approvals for the Deprovision action

  • Right-click the Execute custom command Deprovision action.
  • Click Edit Action in the context menu.
  • In the Execution Options section, use Add and Delete buttons to add and remove approvers from the list.
  • To disable approvals for the action, uncheck the Get approval for this action option.

  • When finished, click OK.
After the custom command is executed, the task marks this user as inactive. To mark a user as inactive, the task sets the value of the When Marked Inactive property to the current date/time (When Marked Inactive is a virtual property that is not stored in AD).

In a month after a user was deprovisioned, if the user has not been reprovisioned, the task submits a request to delete this user account.

See how to modify the approvers or disable approvals for the Delete User action

  • Right-click the Disable the User action and click Edit Action in the context menu.
  • In the Execution Options section, use Add and Delete buttons to add and remove approvers from the list.
  • To disable approvals for the action, uncheck the Get approval for this action option.

  • When finished, click OK.

By default, the task is executed for all users in all AD domains managed by Adaxes. If necessary, you can exclude some user accounts from the activity scope of the task.

To exclude users from the activity scope of the task, you need to select the Exclude the selection option in the Assignment Options dialog when adding objects to the activity scope of the task. In such a way you can exclude users located in a specific Organizational Unit, members of a specific group, users that belong to a Business Unit, individual users, etc.

For example, to exclude a specific user from the activity scope of the task, do the following:
  • Click the Add button located under the Activity Scope list.

  • In the Object Types drop-down box, check the User object type.

  • In the list of available AD objects, select the user you want to exclude.
  • Click Add.
  • In the Assignment Options dialog that opens, select the Exclude the selection option and click OK.

  • Click Save Changes.

Delegating Permissions

Hide Active Directory objects from users
Grant rights to create users
Grant rights to modify account options
Grant rights to modify AD group membership
Grant rights to reset passwords and unlock accounts
Grant rights to create and modify Business Units
Deny rights to delete users
Grant rights to execute Custom Commands
Grant rights to modify specific properties of AD objects
Grant rights to move users between OUs

Automating Daily Tasks

Automate user home directory creation
Relocate home directories after disabling users
Automatically add users to groups by department
Add users to a specific group when they are disabled
Automatically change group membership using scripts
Move newly created users to a specific OU
Request approval for user deletion
Run PowerShell script after creating a user
Automate Exchange mailboxes creation for new users
Schedule tasks for AD management
Automatically set Terminal Services Profile path for new users
Send e-mail on adding members to specific groups
Send initial password to newly created users via SMS
Delete inactive computers from Active Directory
Automatically deprovision inactive AD users

Simplifying Data Entry

Auto-populate the company name when creating users
Change template for auto-generating users' full name
Specify list of departments to avoid repetitive typing
Disallow specifying telephones without country code
Make Employee ID a required property & specify its format
Set default account options for creating users
Validate/modify user input using a script
Predefine selection of Exchange mailbox stores
Automatically set account expiration date for new users
Generate initial password on user creation
Automatically set users' address based on their office
Provide custom help and tips for AD object properties

Active Directory Management

View & manage AD objects collectively
Create a Custom Command
Rename multiple AD users with one operation
Reset passwords for multiple users
Import user accounts from a CSV file
Schedule import of users from a CSV file
Modify Terminal Services settings in bulk
Update user account options in bulk
Update multiple AD objects using PowerShell
View AD operations performed via Adaxes
Manage Fine-Grained Password Policies
Configure user deprovisioning

Web Interface Customization

Set custom logo and colors
Customize forms for user creation and editing
Customize Sign-In page and logon name options
Prevent users from viewing the Active Directory structure
Allow/deny access to the Web Interface
Disallow certain operations on Active Directory objects
Customize the Home page
Configure Home page actions
Configure the Active Directory pane
Customize Active Directory search
Put a custom message on the Change Password form
Hide specific Active Directory reports
Disable specific Web Interface components
Select the AD object types to be displayed in the UI
Manage Active Directory objects of a custom type
Configure columns in Active Directory object lists
Allow using templates for user creation
Create additional Web Interface sites

Self-Service

Configure Password Self-Service
Autoenroll users for Self-Password Reset
Allow users to modify specific properties of their accounts