AD provisioning Policy not Moving to Disabled OU

Hi All,

We have a provisioning policy to disable an AD account and move it to the disabled OU. In sandbox, when the lifecycle state changes to inactive, I see a disable event and the AD account moving to the disabled OU. In production, when the lifecycle state changes to inactive, I see a disable event for 1 or 2 accounts and those accounts move to the disabled OU; for the remaining accounts I am not seeing a disable event and they are not moving to the disabled OU.
Has anyone seen this behavior?
Thank you
Disable AD and Move to Disable OU.txt (816 Bytes)

Are those accounts still shown as “enabled” in ISC?

Hi Nithesh,
When HR receives notice there is a different process: first the AD account is disabled, and after 1 hour HR terminates the user in their system, which then reaches ISC. Within that time frame there will be an AD aggregation that disables the account in ISC.

That’s the issue. If those accounts are aggregated from AD before the corresponding identities get updated from the HR system, the AD accounts will already be in the disabled state when the LCS changes. Hence no action will be taken by ISC to disable these already disabled accounts.

I see some accounts moving to the disabled OU daily, but I will verify again. What other option do we have to move them to the disabled OU?
Thank you

It seems like a competition between Account Aggregations of AD and HR system.

To handle such a situation, you could set up a Workflow that is triggered when the LCS changes and then checks the account status in AD. If the account is already disabled, then enable it and then, using an SSI BP rule, change the operation to disable as well as set AC_NewParent.

For business reasons, AD accounts are disabled right away through a different process and we don’t want to enable them back.

They will not be enabled, as you will be changing the operation back to disable in the BP rule.
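An added sketch of the BeforeProvisioning rule body that the approach above relies on; it is example code written for this thread, not Nithesh's or SailPoint's own, and the AD source name and the disabled-OU DN are placeholders. It assumes the standard ISC BeforeProvisioning rule variables `plan`, `application` and `log`, and that the workflow has just issued an Enable on the AD account.

```java
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Placeholders: replace with the real AD source name and the DN of the disabled OU.
String AD_SOURCE_NAME = "Active Directory";
String DISABLED_OU_DN = "OU=Disabled Users,DC=example,DC=com";

// Caveat: as written this rewrites EVERY Enable sent to this source into a Disable.
// Before deploying, gate it on a marker the workflow adds to the plan (assumed, not shown),
// otherwise legitimate re-enables (e.g. return from leave) would also be turned into disables.
if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest acctReq : plan.getAccountRequests()) {
        if (!AD_SOURCE_NAME.equals(acctReq.getApplication())) {
            continue;
        }
        if (acctReq.getOperation() != AccountRequest.Operation.Enable) {
            continue;
        }

        // The account is already disabled in AD (disabled by the earlier HR process);
        // the workflow's Enable exists only so that this provisioning event fires.
        // Flip it back to Disable so the account never actually becomes usable.
        acctReq.setOperation(AccountRequest.Operation.Disable);

        // AC_NewParent tells the AD connector to move the object to the target OU.
        if (acctReq.getAttributeRequest("AC_NewParent") == null) {
            acctReq.add(new AttributeRequest("AC_NewParent",
                    ProvisioningPlan.Operation.Set, DISABLED_OU_DN));
        }

        log.info("BeforeProvisioning: converted Enable to Disable and set AC_NewParent for "
                + acctReq.getNativeIdentity());
    }
}
```

Because the Enable never reaches AD unmodified, the account stays disabled throughout; the only observable change is the move into the target OU, which you can confirm in the AD aggregation that follows.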

Thank you Nithesh, do you have a workflow template?

Hi Chaithanya,

With the recent identity profile update, for each identity state we now have the option to enable or disable accounts by selecting a source. While testing disabling the AD account for leaveofabsence users with the existing provisioning policy I attached, it is disabling the AD account and moving it to the disabled OU. For leaveofabsence users we want to only disable the AD account, and for terminated users we want to disable the AD account and move it to the disabled OU.
Any suggestions on how to implement both scenarios?

Thank you

Sorry, I don’t have a template. But if you want to create one, the community can help.

Hello All,

Any suggestions on how to move an AD account to the disabled OU if it is disabled by another process before SP receives the termination from the HR system, and also, if a team member goes on leaveofabsence, how to just disable the AD account and not move it to the disabled OU?
