Automatically deprovision inactive users

With the help of scheduled tasks, you can automate the management of inactive user and computer accounts. Adaxes provides a built-in scheduled task, Inactive user deleter, that locates inactive users, deprovisions them, and then deletes them after 30 days. The Deprovision and Delete actions require approval from the user's manager or from any owner of the organizational unit where the user account is located. By default, the Inactive user deleter task is disabled. In this tutorial, you will learn how to customize and activate the task.

  1. Launch Adaxes Administration console.

     How
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand Adaxes service \ Configuration \ Scheduled Tasks \ Builtin and select Inactive user deleter.

  3. The actions performed by the scheduled task will be displayed on the right.

    If a user is inactive for more than 12 weeks, the task deprovisions the user account and marks it as inactive. After a month, if the user is still inactive, the task will delete the user account.

    To mark a user as inactive, the task sets the value of the When Marked Inactive property to the current date/time. When Marked Inactive is a virtual property that is available in Adaxes only.

    To check for how long a user has been marked as inactive, the task compares the date stored in the When Marked Inactive property with the current date.

    If necessary, change the number of days you want the task to wait before deleting inactive users.

     How
    • Right-click the condition and then click Edit Condition in the context menu.

    • In the Condition Parameters section, click the button.

    • Specify how to calculate the date when a user account must be deleted. For example, if you want the task to wait for a year before deleting user accounts, specify minus - 1 year.

    • Click OK two times.

    Deprovisioning

    To deprovision users, the task executes the built-in custom command Deprovision. For instructions on how to customize the command, see Configure user deprovisioning.

    Approvals

    By default, the task requests approval for the Deprovision and Delete actions. The actions must be approved by either the manager of the user, or by any owner of the organizational unit where the user account is located. The manager is specified in the Manager property of user accounts. For details about object ownership in Adaxes, see Object owners.

    You can modify the list of approvers, or remove the approval step from the process.

     How
    • Right-click the action and then click Edit Action in the context menu.

    • At the bottom of the dialog, modify the list of approvers or clear the Get approval for this action checkbox to perform the action without approval.

    • Click OK.

  4. By default, the Inactive user deleter task is assigned to the All Objects scope. This means it will be executed for all user accounts in all domains managed by Adaxes.

    You can exclude specific users, groups, organizational units, business units and domains from the activity scope of the task. For example, if you don't want the task to be executed for user accounts located in a specific organizational unit, you can exclude the organizational unit from the scope.

     Step by step
    • In the Activity Scope section, click Add.

    • Make sure objects of the desired type are displayed in the list.

    • Click the object you want to exclude.

    • In the Assignment Options dialog, select Exclude the selection.

    • Click OK.

    Alternatively, you can apply the task to specific groups, organizational units, business units and domains. To do this, delete the All Objects assignment from the activity scope, and then add the objects you need.

     Step by step
    • Right-click All Objects, and then click Delete in the context menu.

    • In the Activity Scope section, click Add.

    • Click the object you want to include in the scope.

    • Click OK.

  5. Click Save changes.

  6. By default, the Inactive user deleter task is disabled. To enable the task, right-click it, point to All Tasks, and click Enable.

Any changes made to built-in scheduled tasks can be discarded. To do it, right-click a scheduled task and then click Restore to Initial State in the context menu.
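
Before enabling the task, a read-only preview of the accounts that a 12-week inactivity rule would reach helps confirm that the activity scope and approvers are set as intended. The script below is an added example, not part of the Adaxes product or its documentation. It uses the standard ActiveDirectory PowerShell module; the `$ExcludedOu` value is a hypothetical placeholder, and treating AD's logon timestamp as the measure of inactivity is an assumption that may not match how Adaxes evaluates it.

```powershell
# Added example: read-only preview of user accounts that have been inactive
# for more than 12 weeks. Nothing is modified, deprovisioned or deleted.
# Assumption: inactivity is approximated with the logon timestamp that
# Search-ADAccount evaluates; Adaxes may determine inactivity differently.
Import-Module ActiveDirectory

$InactiveFor = New-TimeSpan -Days (12 * 7)   # 12 weeks, as in the built-in task

# Hypothetical placeholder: DN of an OU excluded from the task's activity scope.
$ExcludedOu = 'OU=Service Accounts,DC=example,DC=com'

$report = @(
    Search-ADAccount -AccountInactive -TimeSpan $InactiveFor -UsersOnly |
        # Drop accounts located under the excluded OU.
        Where-Object { $_.DistinguishedName -notlike "*,$ExcludedOu" } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                            -Properties Manager, LastLogonDate, whenCreated
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                Enabled           = $u.Enabled
                LastLogonDate     = $u.LastLogonDate   # empty if no logon is recorded
                WhenCreated       = $u.whenCreated
                # With the default approvers, an account without a Manager
                # can only be approved by an owner of its OU.
                HasManager        = [bool]$u.Manager
                DistinguishedName = $u.DistinguishedName
            }
        }
)

$report | Sort-Object LastLogonDate | Format-Table -AutoSize

$noManager = @($report | Where-Object { -not $_.HasManager }).Count
"{0} candidate account(s); {1} without a Manager" -f $report.Count, $noManager
```

Accounts listed with `HasManager` set to False are worth reviewing before the approval step is changed or removed, since their requests depend entirely on the owners of the organizational unit.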