AD account deletion using PowerShell commands in an After Modify rule

Hi all,
I want to delete the user in AD 90 days after their termination. I had thought to implement it using a new LCS and a before provisioning rule, but since the before provisioning rule needs to be sent for review, our management asked us to go through some other option. According to my knowledge, we can achieve it by writing a PowerShell script and using it in the After Modify rule. As I am a fresher, I don't know how to configure the PowerShell script for it or how to use the After Modify rule. I have gone through these links:

https://community.sailpoint.com/t5/IdentityNow-Forum/Deleting-Active-Directory-Account-30-days-after-leaving/td-p/243479
But I was unable to understand them. Could anyone provide me a reference so that I can understand where to write the PowerShell script, what the logic for the script can be, how to include it in the After Modify rule, and what the mandatory steps to follow are?
Thanks in advance.

With ISC, there are several ways to accomplish your objective. As you mentioned, you can write a custom before provisioning rule to change the operation to delete but it does require code review from SailPoint.

If you want to use a before provisioning rule, another option is to use the Services Standard Before Provisioning Rule. Once you install this rule into the tenant, you can add it to your AD configuration to change the enable operation from the lifecycle state into a delete. In addition, there are a lot of other things that you can do with the Services Standard rule, such as scrambling passwords and removing entitlements. The Services Standard rule does not require rule review from SailPoint. You can find the readme and the rule in the supporting documents section of the Mock Project.

https://community.sailpoint.com/t5/Working-With-Services-Knowledge/IdentityNow-Mock-Project/ta-p/208216

Now for the next option that you linked from the forum: the poster shared a PowerShell script that would delete accounts. The way he accomplished this was that all disabled accounts are put into a particular disabled OU. His script runs as a scheduled task (from Windows Server), looks for accounts that have not been modified in a certain time period, and deletes them. This process does not interact with ISC.

If you wanted to use an After Modify rule as you suggested, you would have to have some value that would update at 90 days. For example, you could have an identity attribute that is account state where you use a transform to calculate whether the account should be active, disabled, or deleted. You can use attribute sync to push this to an attribute in Active Directory. Then your After Modify rule can detect that the attribute being modified is getting set to “Deleted” and delete the account.

Hope this helps,

Alicia

2 Likes

Hi Tulasi,

  # New attributes
  $nativeIdentity = $requestObject.NativeIdentity
  $extAtt16       = Get-AttributeValueFromAccountRequest $requestObject "extensionAttribute16" # this is the attribute that changes after 90 days

  if ($extAtt16) { # this is the trigger for when that attribute changes, it will run the following snippet
    # Get-ADUser throws if the object is not found; SilentlyContinue lets the null check below handle that case
    $user = Get-ADUser -Identity $nativeIdentity -Properties sAMAccountName -ErrorAction SilentlyContinue
    if ($user) {
      $usersAMAccountName = $user.samaccountname

      Remove-ADUser -Identity $usersAMAccountName -Confirm:$false
    }
  }

That is some very basic code that needs to go into the PS template where it says 'Begin Client-provided code'.
Hope this helps,

Phil

Hi Alicia,
Thanks for your reply. May I know whether we can remove a few methods present in the Services Standard rule and later install this rule to my tenant? Is there such a possibility?

Thanks Phil, I will try this approach too.

If you want to use the Services Standard rule, you have to install the complete rule as it has a signature that SailPoint knows has been approved. However, only the functionality that you use in your configuration will be exercised. So, if you only configure the delete functionality, that will be all that is applied.

Alicia

thanks Alicia, it helps.

Another solution to this could be to provision the accounts to a different specified OU in your AD, then have a PowerShell script clear out the users that have been in there for 90 days, with a task scheduler checking this daily.
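The scheduled-task approach described in this reply and in Alicia's summary of the linked forum post, as an added example (not the poster's script or anything shipped by SailPoint): it assumes a holding OU whose DN is a placeholder, treats whenChanged as the "last modified" timestamp, and only touches accounts that are already disabled. Run it with -WhatIf first to see what would be removed.

```powershell
# Added example: remove disabled accounts that have sat in the holding OU for
# $RetentionDays or longer. The OU DN, log path and task name are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DisabledOU    = 'OU=Disabled Users,DC=example,DC=com',   # placeholder DN
    [int]   $RetentionDays = 90,
    [string]$LogFile       = 'C:\Scripts\ad-cleanup.log'              # placeholder path
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$RetentionDays)

# Restrict the search to the holding OU itself and to disabled accounts only, so
# an enabled user that was accidentally moved here is never deleted.
# whenChanged is the last time any attribute on the object was written, which
# in this design is the move/disable performed at termination.
$candidates = Get-ADUser -SearchBase $DisabledOU -SearchScope OneLevel `
                         -Filter 'Enabled -eq $false' -Properties whenChanged |
              Where-Object { $_.whenChanged -lt $cutoff }

foreach ($user in $candidates) {
    $entry = '{0} {1} (last changed {2:u})' -f (Get-Date -Format u),
                                               $user.DistinguishedName,
                                               $user.whenChanged

    # ShouldProcess honours -WhatIf / -Confirm, giving a dry-run mode for free.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Remove-ADUser')) {
        Remove-ADUser -Identity $user.DistinguishedName -Confirm:$false
        Add-Content -Path $LogFile -Value "DELETED      $entry"
    }
    else {
        Add-Content -Path $LogFile -Value "WOULD DELETE $entry"
    }
}

# One-time registration as a daily task (run once, as an account that holds
# delete rights on the holding OU only; names and paths are placeholders):
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                -Argument '-NoProfile -File C:\Scripts\Remove-StaleDisabledUsers.ps1'
#   $trigger = New-ScheduledTaskTrigger -Daily -At 2am
#   Register-ScheduledTask -TaskName 'AD stale account cleanup' `
#                          -Action $action -Trigger $trigger -User 'DOMAIN\svc_cleanup'
```

Because this runs outside ISC, the deletion only becomes visible to the tenant on the next AD aggregation, which is the point Vikas raises later in the thread.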

That’s a great idea. Takes the processing weight off of Sailpoint.
I’m going to take a look at that today
Thanks @KiranSeehra

1 Like

Hi @Tulasi

From my experience, I would suggest using the Services Standard rule to achieve the deletion. You can already configure when the deletion should happen from source event triggers.

If you use the after PowerShell rule, then there could be an issue that ISC does not know that the deletion took place, and it can only determine it via aggregation.

So, the better approach in my view is to use the cloud rule, as it will run on the cloud and ISC will know that the deletion has taken place.

Thank You.
Regards
Vikas.
