Automatically Deprovision Inactive AD Users


With the help of Scheduled Tasks, you can automate the management of inactive user and computer accounts in Active Directory. Adaxes provides a built-in Scheduled Task, Inactive User Deleter, that locates inactive users, deprovisions them, and then deletes them after 30 days. The Deprovision and Delete actions require approval from the user's manager or an owner of the Organizational Unit where the user account is located. By default, the Inactive User Deleter task is disabled. In this tutorial, you'll learn how to customize and activate the task.


  1. Launch Adaxes Administration Console.

    Expand Adaxes service \ Configuration \ Scheduled Tasks \ Builtin and select Inactive User Deleter.


  2. The actions performed by the Scheduled Task will be displayed on the right.




    If a user is inactive for more than 12 weeks, the task deprovisions the user account and marks it as inactive. After a month, if the user is still inactive, the task will delete the user account from Active Directory.



    To mark a user as inactive, the task sets the value of the When Marked Inactive property to the current date/time. When Marked Inactive is a virtual property that is not stored in Active Directory and is available in Adaxes only.


    To check for how long a user has been marked as inactive, the task compares the date stored in the When Marked Inactive property with the current date.

    If necessary, change the number of days you want the task to wait before deleting inactive users.

    • Right-click the condition and select Edit Condition in the context menu.


    • In the Condition Parameters section, click the button.


    • Specify how to calculate the date when a user account must be deleted. For example, if you want the task to wait for a year before deleting user accounts, specify minus - 1 - year.


    • Click OK two times.




    Deprovisioning

    To deprovision users, the task executes the built-in Custom Command Deprovision. For instructions on how to customize the command, see Configure User Deprovisioning.




    Approvals

    By default, the task requests approval for the Deprovision and Delete actions. The actions must be approved by either the manager of the user, or by an owner of the Organizational Unit where the user account is located. The manager is specified in the Manager property of user accounts, the owner is specified in the Managed By property of Organizational Units.

    You can modify the list of approvers, or remove the approval step from the process.

    • Right-click the action and select Edit Action in the context menu.


    • At the bottom of the dialog, modify the list of approvers or uncheck the Get approval for this action checkbox to perform the action without approval.


    • Click OK.


  3. By default, the Inactive User Deleter task is assigned to the All Objects scope. This means it will be executed for all user accounts in all domains managed by Adaxes.


    You can exclude specific users, groups, Organizational Units, Business Units and domains from the activity scope of the task. For example, if you don't want the task to be executed for user accounts located in a specific Organizational Unit, you can exclude the Organizational Unit from the scope.

    • Click Add in the Activity Scope section.


    • Make sure objects of the desired type are displayed in the list.


    • Click the object you want to exclude.


    • In the Assignment Options dialog, select the Exclude option.


    • Click OK.

    Alternatively, you can apply the task to specific groups, Organizational Units, Business Units and domains. To do it, you need to delete the All Objects assignment from the activity scope, and then include the objects you need in the scope.

    • Right-click All Objects and select Delete in the context menu.


    • Click Add in the Activity Scope section.


    • Click the object you want to include in the scope.


    • Click OK.
  4. Click Save changes.

  5. By default, the Inactive User Deleter task is disabled. To enable it, right-click it, point to All Tasks, and click Enable.

Any changes made to built-in Scheduled Tasks can be discarded. To do it, right-click a Scheduled Task and click Restore to Initial State in the context menu.
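
Before enabling the task, it helps to see which accounts it is likely to touch and whether each one has an approver. The read-only PowerShell report below is an added example, not part of Adaxes or the original tutorial. It assumes the ActiveDirectory (RSAT) module, approximates inactivity with Search-ADAccount (the task's own inactivity check may differ), and uses a placeholder DN for the excluded OU.

```powershell
# Added example: read-only dry run; makes no changes to the directory.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$InactiveFor = New-TimeSpan -Days 84    # 12 weeks, the threshold from the tutorial
# Placeholder DNs: OUs you plan to exclude from the task's activity scope.
$ExcludedOUs = @('OU=Service Accounts,DC=example,DC=com')

# Search-ADAccount relies on lastLogonTimestamp, which can be stale by up to
# about 14 days; that is small against a 12-week threshold.
$candidates = Search-ADAccount -AccountInactive -TimeSpan $InactiveFor -UsersOnly |
    Where-Object {
        $dn = $_.DistinguishedName
        $inExcluded = $ExcludedOUs | Where-Object {
            $dn.EndsWith(",$_", [StringComparison]::OrdinalIgnoreCase)
        }
        -not $inExcluded
    }

$report = foreach ($acct in $candidates) {
    $user = Get-ADUser -Identity $acct.DistinguishedName -Properties Manager, LastLogonDate

    # Parent container DN = user DN minus its first RDN (escaped commas respected).
    $parentDn = $user.DistinguishedName -replace '^(?:\\.|[^,\\])+,', ''
    $parent   = Get-ADObject -Identity $parentDn -Properties managedBy

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Enabled        = $user.Enabled
        LastLogonDate  = $user.LastLogonDate          # empty if no logon is recorded
        Manager        = $user.Manager                # approver source 1
        OUOwner        = $parent.managedBy            # approver source 2
        HasApprover    = [bool]($user.Manager -or $parent.managedBy)
    }
}

# Accounts without any approver sort to the top.
$report | Sort-Object HasApprover, LastLogonDate | Format-Table -AutoSize
```

Rows with HasApprover set to False have neither a Manager nor an owner on their parent OU, the two approver sources the default Deprovision and Delete actions use.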