
Automatically Deprovision Inactive AD Users

To improve security and comply with regulatory requirements, inactive AD user accounts must be handled in a timely manner. Instead of disabling or deleting inactive user accounts, it is highly recommended to properly deprovision users and their data. For example, you may want to delete the home folder of a terminated user, forward the user's email to their manager, hide the user's mailbox from the Global Address List (GAL), etc.

Using the Scheduled Tasks feature of Adaxes, you can automate the management of inactive user accounts in Active Directory. The built-in Scheduled Task called Inactive User Deleter automates the deprovisioning and subsequent deletion of inactive user accounts. In this tutorial you'll learn how to customize the task and how to modify approval options for its execution.

If some undesired changes were made to a built-in Scheduled Task, you can discard all changes made to this task. To do this, right-click the task and click Restore to Initial State in the context menu.

Launch the Adaxes Administration Console and expand Adaxes service \ Configuration \ Scheduled Tasks \ Builtin. Select the Inactive User Deleter task.


By default, the task is disabled. To enable the task, right-click it, point to All Tasks, and click Enable.


If necessary, modify actions and conditions of the task. The actions and conditions are displayed in the Result Pane.


If a user has been inactive for more than 12 weeks, the task submits a request to deprovision this user.

See how to change the inactivity period

  • Right-click the If account is inactive condition.
  • Click Edit Condition in the context menu.

  • Change the number of weeks according to your needs and click OK.

To deprovision a user, the task executes the built-in Custom Command called Deprovision for this user. For instructions on how to customize this command, see Configure User Deprovisioning.

By default, a user is deprovisioned only after the operation is approved by the manager of the user or an owner of the Organizational Unit where the user is located.

See how to modify the approvers or disable approvals for the Deprovision action

  • Right-click the Execute custom command Deprovision action.
  • Click Edit Action in the context menu.
  • In the Execution Options section, use Add and Delete buttons to add and remove approvers from the list.
  • To disable approvals for the action, uncheck the Get approval for this action option.

  • When finished, click OK.

After the custom command is executed, the task marks this user as inactive. To mark a user as inactive, the task sets the value of the When Marked Inactive property to the current date/time (When Marked Inactive is a virtual property that is not stored in AD).

A month after a user was deprovisioned, if the user has not been reprovisioned, the task submits a request to delete this user account.

See how to modify the approvers or disable approvals for the Delete User action

  • Right-click the Disable the User action and click Edit Action in the context menu.
  • In the Execution Options section, use Add and Delete buttons to add and remove approvers from the list.
  • To disable approvals for the action, uncheck the Get approval for this action option.

  • When finished, click OK.

By default, the task is executed for all users in all AD domains managed by Adaxes. If necessary, you can exclude some user accounts from the activity scope of the task.

To exclude users from the activity scope of the task, select the Exclude the selection option in the Assignment Options dialog when adding objects to the activity scope of the task. In this way, you can exclude users located in a specific Organizational Unit, members of a specific group, users that belong to a Business Unit, individual users, etc.

For example, to exclude a specific user from the activity scope of the task, do the following:
  • Click the Add button located under the Activity Scope list.

  • In the Object Types drop-down box, check the User object type.

  • In the list of available AD objects, select the user you want to exclude.
  • Click Add.
  • In the Assignment Options dialog that opens, select the Exclude the selection option and click OK.

  • Click Save Changes.
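
Before enabling the task, it helps to preview which accounts already exceed the 12-week threshold and which of them have no manager to approve the request. The PowerShell below is an added example, not part of Adaxes or of the original tutorial: it uses the standard ActiveDirectory module, assumes that Search-ADAccount's inactivity check approximates the task's If account is inactive condition, and uses placeholder DNs for the excluded OU and group.

```powershell
# Added example (not Adaxes code): report the accounts a 12-week inactivity
# rule would select, minus exclusions, with the manager who would approve.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$InactiveWeeks = 12   # default threshold of the Inactive User Deleter task

# Placeholder DNs (assumptions): mirror what you exclude in the Activity Scope.
$ExcludedOU    = 'OU=Service Accounts,DC=example,DC=com'
$ExcludedGroup = 'CN=Deprovision-Exempt,OU=Groups,DC=example,DC=com'

# Resolve nested membership once so the filter below is a simple lookup.
$exempt = @(Get-ADGroupMember -Identity $ExcludedGroup -Recursive |
    Select-Object -ExpandProperty distinguishedName)

$threshold = New-TimeSpan -Days ($InactiveWeeks * 7)

$report = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $threshold |
    Where-Object { $_.Enabled } |                                   # skip accounts already disabled
    Where-Object { $_.DistinguishedName -notlike "*,$ExcludedOU" } | # skip the excluded OU subtree
    Where-Object { $exempt -notcontains $_.DistinguishedName } |     # skip exempt group members
    ForEach-Object {
        # Search-ADAccount does not return Manager, so fetch it per user.
        $u = Get-ADUser -Identity $_.DistinguishedName `
                        -Properties Manager, LastLogonDate, whenCreated
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            LastLogonDate     = $u.LastLogonDate   # derived from lastLogonTimestamp
            WhenCreated       = $u.whenCreated
            HasManager        = [bool]$u.Manager
            Manager           = $u.Manager
            DistinguishedName = $u.DistinguishedName
        }
    }

# Full preview, oldest logon first.
$report | Sort-Object LastLogonDate | Format-Table -AutoSize

# With the default approval settings, these requests can only be approved
# by an owner of the user's Organizational Unit.
$report | Where-Object { -not $_.HasManager } |
    Select-Object SamAccountName, DistinguishedName

$report | Export-Csv -Path .\inactive-users-preview.csv -NoTypeInformation
```

LastLogonDate is derived from lastLogonTimestamp, which is replicated with a delay of up to about two weeks by default, so treat accounts close to the threshold as borderline.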