With the help of Scheduled Tasks you can purge inactive user and computer accounts from Active Directory on a periodic basis. Adaxes provides built-in Scheduled Task Inactive Computer Deleter that locates unused computer accounts, disables them and then deletes them after 30 days. The disable and delete actions require approval from a computer owner, or an owner of the Organizational Unit where the computer account is located. By default, the Inactive Computer Deleter task is disabled. In this tutorial you'll learn how to customize and activate the task.
Launch Adaxes Administration Console.
Expand Adaxes service \ Configuration \ Scheduled Tasks \ Builtin and select Inactive Computer Deleter.
The actions performed by the Scheduled Task will be displayed on the right.
If a computer account is inactive for more than 12 weeks, the task disables the computer account and marks it as inactive. After a month, if the computer is still inactive and disabled, the task will delete the account from Active Directory.
To mark a computer as inactive, the task sets the value of the When Marked Inactive property to the current date/time. When Marked Inactive is a virtual property that is not stored in Active Directory and is available in Adaxes only.
To check for how long a computer has been marked as inactive, the task compares the date stored in the When Marked Inactive property with the current date.
If necessary, change the number of days you want the task to wait before deleting inactive computers.
Right-click the condition and select click Edit Condition in the context menu.
In the Condition Parameters section, click the button.
Specify how to calculate the date when a computer account must be deleted. For example, if you want the task to wait for a year before deleting accounts, specify minus - 1 - year.
Click OK two times.
By default, the task requests approval for the Disable Account and Delete Account actions. The actions must be approved by either an owner of the computer or an owner of the Organizational Unit where the computer is located. The owner is specified in the Managed By property of computer and Organizational Unit objects.
You can modify the list of approvers, or remove the approval step from the process.
Right-click the action and select Edit Action in the context menu.
At the bottom of the dialog, modify the list of approvers or uncheck the Get approval for this action checkbox to perform the action without approval.
If necessary, configure the Scheduled Task to perform other actions on inactive computers. For example, you may want the task to move inactive computers to a specific Organizational Unit.
Right-click the set of actions and click the Add Action in the context menu.
Select the Move the Computer action.
Specify the container or Organizational Unit where to move inactive computers.
By default, the Inactive Computer Deleter task is assigned to scope All Objects. It means it will be executed for all computer accounts in all domains managed by Adaxes.
You can exclude specific computers, groups, Organizational Units, Business Units and domains from the activity scope of the task. For example, if you don't want the task to be executed for computer accounts located in a specific Organizational Unit, you can exclude the Organizational Unit from the scope.
Click Add in the Activity Scope section.
Make sure objects of the desired type are displayed in the list.
Click the object you want to exclude.
In the Assignment Options dialog, select the Exclude option.
Alternatively, you can apply the task to specific Organizational Units, groups of computers, Business Units and domains. To do it, you need to delete the All Objects assignment from the activity scope, and then include the objects you need in the scope.
Right-click All Objects and select Delete in the context menu.
Click Add in the Activity Scope section.
Click the object you want to include in the scope.
Click Save changes.
By default, the Inactive Computer Deleter task is disabled.
To enable it, right-click it, point to All Tasks,
and click Enable.