AD account - deprovisioning

Hello,

We are currently having a connector to AD and AD accounts gets created through IDN as birthright accounts. However, there are some AD accounts that are created outside of IDN (example : local admin accounts xyz-LA accounts) manually. Can IDN de-provision these AD accounts that were not provisioned through IDN when a user is terminated?

Thanks,
Lakshmi.

Hi @Laks1 ,
Yes ISC can deprovision those accounts as well. You will need a beforeProvisioning rule to remove those entitlements.

2 Likes

Hi @Laks1,

Is the manually created AD account correlated to an identity (For example, to an authoritative source)? then yes, IDN can deprovision these. But if an identity has more than one AD account correlated (coming from the same AD source), then there will be an issue because IDN does not know which account to provision/deprovision.

To handle multiple account issue, you would need to create a new AD source for managing those. For example, if an identity has a regular AD account and an Admin AD account, you will have to create 2 seperate AD sources (1 for regular accounts, and 1 for Admin accounts). Hope this helps!

When you say local admin accounts. Are these some service accounts created for a user or an admin account. When you say you want to deprovision this accounts when user is terminated. Do you want to terminate his regular and admin account (assuming this is been created manually)? Can you share more details. Above suggestion might be applicate if the answer are yes.

Hi

Except domain user entitlement rest of all entitlements can remove.
As @gourab said you can use BP rule of you can also use workflow to remove the entitlements.

Thanks,
Siva.K

1 Like

Yes, both regular and admin accounts needs to be disabled on AD.

Okay if you have both regular and admin accounts then you need to create two AD sources using filter criteria. A sample filter criteria could be like this. If you have employeeType in the AD account

(&(objectCategory=person)(objectClass=user)(employeeType=A))

Lets says “AD for Human” will bring in your regular AD users and “AD for Admins” will bring in your admin AD users. You can correlate the accounts to the regular identity and add both the sources in inactive lifecycle state. When the regular user is terminated from SOT then both the accounts will be disabled.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.