Configure User Deprovisioning


When an employee leaves, many steps must be taken to ensure the user is properly deprovisioned. Depending on your policies, it might be necessary to disable the user account, move it to a specific Organizational Unit, remove it from security groups, hide it from Exchange address lists, revoke Office 365 licenses, block access to Office 365 services, etc.

With the help of Custom Commands you can reduce the whole process to a single step. Adaxes provides a built-in Custom Command, Deprovision, that is pre-configured to perform a set of typical deprovisioning operations. In this tutorial, you will learn how to customize the command to meet the needs of your specific environment.


  1. Launch Adaxes Administration Console.

    Expand Adaxes service \ Configuration \ Custom Commands \ Builtin and select Deprovision.


  2. The actions performed by the Custom Command will be displayed on the right.




    Delete the actions you don't need. Review and change the default settings of other actions.


  3. To add an action, right-click a set of actions, and select Add Action in the context menu.





    Example 1:  Move the user to a specific Organizational Unit.

    • Select the Move the User action.


    • In the Action Parameters section, specify the destination Organizational Unit and click OK.




    Example 2:  Move the user to the Organizational Unit named Deprovisioned located in the user's domain.

    • Select the Move the User action.


    • In the Action Parameters section, click the button.


    • Activate the Template tab.


    • Enter OU=Deprovisioned,%adm-DomainDN% in the Template field.

      The value reference %adm-DomainDN% will be replaced with the distinguished name (DN) of the user's domain. For example, when deprovisioning a user from the domain example.com, the user's account will be moved to OU=Deprovisioned,DC=example,DC=com.

      To move the user to an Organizational Unit located under the user's OU, use the value reference %adm-ParentDN%.

      To insert a value reference, click the button.
    • Click OK.


    Example 3:  Remove the user from all groups.

    • Select the Run a program or PowerShell script action.


    • Click the Edit button to open the script editor.


    • Enter the following script:

      # Get the groups the user is a direct member of
      $groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
      
      # Get the primary group ID
      $primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
      
      foreach ($guidBytes in $groupGuidsBytes)
      {
          # Bind to the group
          $groupGuid = [Guid]$guidBytes
          $groupPath = "Adaxes://<GUID=$groupGuid>"
          $group = $Context.BindToObject($groupPath)
      
          # Skip the primary group
          if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
          {
              continue
          }
      
          # Remove the user from the group
          $group.Remove($Context.TargetObject.AdsPath)
      }

      For information on how to create scripts for Custom Commands, see Server-Side Scripting.


    • When done, click OK two times.


    Actions are executed sequentially according to their order in the set. To move an action up or down, select it and use the buttons.


  4. To execute an action only if certain conditions are met, you need to add the action to a separate set and assign the necessary conditions to it.

    • Click Add new action set.


    • To assign a condition to the new set, right-click it and select Add Condition in the context menu.


    • To add an action to the set, right-click it and select Add Action.



    Example 1:  Cancel the deprovisioning if the user's logon name is prefixed with an underscore (e.g. _service).



    Example 2:  Send a notification to the user's manager if the Manager property of the user account is not empty.

    To send an email to the user's manager, you need to use value reference %adm-ManagerEmail%.



    Example 3:  Request approval if the Employee Type property of the user account does not equal Subcontractor.



    Sets of actions are executed in sequential order. To change the order, select a set and use the buttons. To move the whole set, make sure no actions or conditions are selected.

  5. To modify the confirmation text for the command, click the Edit link located next to the Confirmation checkbox.

  6. When finished, click Save changes.

  7. To modify the description of the command, do the following:

    • Right-click the Custom Command and select Properties in the context menu.

    • Type description text in the Description field and click OK.

      The description is displayed in tooltips for the command.
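
A post-run check for the operations described above (disable the account, move it to OU=Deprovisioned in the user's domain, remove it from all groups), added here as an illustration and not part of the Adaxes documentation or product. The function names, the policy being checked and the sample records are assumptions; in production the input would come from Get-ADUser with -Properties MemberOf.

```powershell
# Added example: audit leavers against an assumed policy (disabled, moved to
# OU=Deprovisioned,<domain DN>, no direct group memberships).

function Get-DomainDN {
    param([string]$DistinguishedName)
    # Split on commas preceded by an even number of backslashes, i.e. unescaped ones,
    # so an RDN such as "CN=Doe\, John" stays in one piece.
    $rdns = $DistinguishedName -split '(?<=(?<!\\)(?:\\\\)*),'
    ($rdns | Where-Object { $_ -match '^\s*DC=' }) -join ','
}

function Test-Deprovisioned {
    param([Parameter(ValueFromPipeline)]$User)
    process {
        $expectedParent = "OU=Deprovisioned,$(Get-DomainDN $User.DistinguishedName)"
        # Parent DN is everything after the first unescaped comma
        $parent = ($User.DistinguishedName -split '(?<=(?<!\\)(?:\\\\)*),', 2)[1]
        # memberOf never lists the primary group, which the removal script also skips
        $groups = @($User.MemberOf | Where-Object { $_ })
        $issues = @()
        if ($User.Enabled) { $issues += 'account still enabled' }
        if ($parent -ne $expectedParent) { $issues += "not in $expectedParent" }
        if ($groups.Count -gt 0) { $issues += "still in $($groups.Count) group(s)" }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Compliant      = ($issues.Count -eq 0)
            Issues         = $issues -join '; '
        }
    }
}

# Constructed sample records, shaped like Get-ADUser output (not real accounts)
$leavers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; Enabled = $false; MemberOf = @()
        DistinguishedName = 'CN=Doe\, John,OU=Deprovisioned,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $true
        MemberOf = @('CN=VPN Users,OU=Groups,DC=example,DC=com')
        DistinguishedName = 'CN=Anna Smith,OU=Sales,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName = 'blee'; Enabled = $false
        MemberOf = @('CN=Finance,OU=Groups,DC=example,DC=com')
        DistinguishedName = 'CN=Bo Lee,OU=Deprovisioned,DC=example,DC=com' }
)

# jdoe is compliant; asmith fails all three checks; blee still has one group
$leavers | Test-Deprovisioned | Format-Table -AutoSize
```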
