You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Automated Active Directory Cleanup



As an administrator, you can use EmpowerID to automate the deactivation and retirement of stale Active Directory user accounts according to your organization’s security policies. Rather than relying on time-consuming and potentially risky manual methods or scripts to mark accounts as inactive and then disable and delete them, you can configure a few settings in EmpowerID. This removes the burden and risk of those other methods and also provides a safety net against accidental deletion of any user account: EmpowerID first marks the accounts for deactivation and notifies the managers of those users, as well as other administrators, that the accounts have been identified for cleanup. The managers and administrators must give approval before EmpowerID does anything further with them. If approved, EmpowerID moves those accounts into a designated OU within your Active Directory, where they remain until their deletion passes a multi-step approval process. Accounts not approved for deletion are moved back to their originating OU. Additionally, EmpowerID provides a “mock run” capability that generates a report of what this feature would do in your environment without changing anything.

The process involves a number of account store and resource system settings, EmpowerID system settings, and permanent workflows. Each of these can be enabled and configured to run according to your particular security needs. These settings and permanent workflows, and their functions within the cleanup process, are described below.

 Account Store Settings
  • Directory Clean Up Enabled — This setting specifies whether the Submit Account Terminations permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications are moved into a special OU within the external directory and disabled.

  • Report Only Mode (No Changes) — When enabled, EmpowerID generates a report of what the Directory Clean Up process would do if it were fully enabled. No changes are made to the directory; all accounts are set to Termination Pending.

  • OU to Move Stale Accounts — Specifies the OU in the external directory to which accounts marked for termination are moved.

 Resource System Settings
  • ApprovalApproverManagementRoleGUID — This setting specifies the GUID of the Management Role containing people who should receive notification that they need to approve the accounts selected for termination.

  • SubmitAccountTerminationsApprovalInitiatorPersonID — This setting specifies the PersonID of the EmpowerID Person used to approve account terminations.

  • TaskApprovalPendingStatus — This setting is a Boolean that specifies whether a task for the account store is pending approval. The value is set by the Submit Account Terminations workflow when a task has been submitted for approval. This prevents the task from being created more than one time.

  • TerminationAccountAdvancedInitiatorPersonID — Specifies the PersonID of the EmpowerID Person used to initiate the TerminateAccountAdvanced workflow. This workflow is used by the EmpowerID system to terminate all people submitted to it. As a best practice, the Person account you use should not belong to an actual EmpowerID user.

  • TerminationNotProcessedSetGroupGUID — Specifies the GUID of the SetGroup containing all user accounts to be moved and disabled.

  • TerminationBeforeProcessingSetGroupGUID — Specifies the GUID of the SetGroup containing all people needing to receive notification of a pending move and disabling of a user account.

  • TerminationProcessedSetGroupGUID — Specifies the GUID of the SetGroup containing all user accounts to be terminated.

  • ThresholdOnAccounts — Specifies the maximum number of user accounts that can be processed at a given time.

 Workflows
  • Submit Account Terminations — This is a permanent workflow that claims user accounts meeting the criteria for cleanup in account stores (managed external user directories) where CleanUpEnabled is set to true. The workflow processes the claimed accounts based on the values given to the following parameters.

    • AdminManagementRoleGuids

    • DeleteAccountXDaysAfterMove

    • DisableAccountOnMove — This parameter takes a Boolean value of true or false. When set to true, the workflow disables the accounts when moved into the specified OU.

    • EmailTemplateAdminPreMoveNotification — This parameter specifies the email template to be used when notifying admins that one or more user accounts have been selected to be moved.

    • EmailTemplateAdminMoveNotification — This parameter specifies the email template

    • EmailTemplateManagerPreMoveNotification — This parameter specifies the email template

    • EmailTemplateManagerMoveNotification — This parameter specifies the email template

    • EmailXDaysBeforeMove — This parameter specifies the email template

    • MoveAccountXDaysDisabled — This parameter specifies the email template

    • MoveAccountXDaysNoLogin — This parameter specifies the email template

  • Submit Account Termination Approval — This workflow sends notifications to managers and other administrators that certain user accounts within an account store have been marked for deactivation. If deactivation is approved, the workflow disables those accounts and moves them to the designated OU.

  • Terminate Account Advanced — This workflow terminates user accounts from the external directory.
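To make the safety net concrete, the following is an added model of the three-stage flow described on this page (claim and mark, approve and move, approve and delete or restore). It is example code written for this guide, not EmpowerID's implementation; the staleness rule, the readings of MoveAccountXDaysNoLogin and DeleteAccountXDaysAfterMove, and the OU names are assumptions, and in report-only mode it only records what it would have done.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    sam: str
    ou: str
    last_login: date
    enabled: bool = True
    status: str = "Active"      # Active | Termination Pending | Moved | Deleted
    origin_ou: str = ""         # remembered so a rejected account can be moved back
    moved_on: date = date.min

@dataclass
class CleanupSettings:
    report_only: bool = True                       # Report Only Mode (No Changes)
    stale_ou: str = "OU=Stale,DC=example,DC=com"   # OU to Move Stale Accounts (constructed)
    threshold: int = 100                           # ThresholdOnAccounts
    disable_on_move: bool = True                   # DisableAccountOnMove
    no_login_days: int = 90                        # assumed reading of MoveAccountXDaysNoLogin
    delete_after_days: int = 30                    # assumed reading of DeleteAccountXDaysAfterMove

def submit_account_terminations(accounts, s, today):
    """Claim up to `threshold` active accounts with no login for `no_login_days`
    and mark them Termination Pending; this is what triggers the notifications."""
    stale = [a for a in accounts if a.status == "Active"
             and (today - a.last_login).days >= s.no_login_days]
    claimed = stale[:s.threshold]
    for a in claimed:
        a.status = "Termination Pending"
    return claimed

def submit_account_termination_approval(claimed, s, approved, today):
    """Approved accounts are moved to the stale OU (and disabled if configured);
    the rest return to Active. In report-only mode nothing is changed and the
    returned list of intended actions is the mock-run report."""
    report = [(a.sam, "move" if a.sam in approved else "keep") for a in claimed]
    if s.report_only:
        return report
    for a in claimed:
        if a.sam in approved:
            a.origin_ou, a.ou, a.moved_on, a.status = a.ou, s.stale_ou, today, "Moved"
            a.enabled = not s.disable_on_move
        else:
            a.status = "Active"
    return report

def terminate_account_advanced(a, s, deletion_approved, today):
    """Delete only after the waiting period AND approval; otherwise move the
    account back to its original OU (re-enabling it is an assumption here)."""
    if a.status != "Moved" or (today - a.moved_on).days < s.delete_after_days:
        return "waiting"
    if deletion_approved:
        a.status = "Deleted"
        return "deleted"
    a.ou, a.origin_ou, a.status, a.enabled = a.origin_ou, "", "Active", True
    return "restored"
```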
