Delete Active Directory Accounts after 30 days

Hello,

I have an inactive LifeCycle State that disables the source accounts, including Active Directory, when the user is terminated in the authoritative source.
Now I need to delete the AD accounts after 30 days of being disabled. Is there any out-of-the-box implementation for this requirement?

Regards,
Ahmed

Hi @AhmedHisham7

Welcome to SailPoint developer community.

1. Before Provisioning Rule

  • Have an extended attribute or description that can be used to detect whether a user is just disabled or ready to be deleted.

  • For example, description. You can update it as "disabled by IdentityNow" after the end date.

  • After end date + 30 days, you can update the description to "delete".

  • Enable attribute sync for the description attribute.

  • In your Before Provisioning Rule, check the description attribute in the account request. If it is "delete", then change your account request to a delete operation.

2. Schedule script in IQ Service

  • You can pull users whose end date was 30 days back.
  • Delete the AD account using the Remove-ADUser command.
  • But the problem with this approach is, if the user has any manually requested AD-related Access Profiles/Roles, the AD account will be created again. You should go for a certification campaign to remove all the access of the user after the end date.

Thanks
Krish
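As an added example (not from this thread or from SailPoint), here is a PowerShell script for the second approach that a scheduled IQService job could run; it assumes the description stamp from approach 1 uses the constructed convention "Disabled by IdentityNow on yyyy-MM-dd", an example OU, and it only does a -WhatIf dry run unless -Commit is passed.

```powershell
# Added example, not from the thread: delete AD accounts that IdentityNow stamped as
# disabled more than $GraceDays ago. Requires the RSAT ActiveDirectory module.
param(
    [int]$GraceDays = 30,
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',   # assumption: adjust to your domain
    [switch]$Commit                                       # without -Commit, only -WhatIf output
)

Import-Module ActiveDirectory

$cutoff  = (Get-Date).Date.AddDays(-$GraceDays)
# Assumed description format written by the attribute sync from approach 1.
$pattern = '^Disabled by IdentityNow on (\d{4}-\d{2}-\d{2})$'
$whatIf  = -not $Commit

# First gate: only accounts that are currently disabled are candidates at all.
$candidates = Get-ADUser -Filter { Enabled -eq $false } -SearchBase $SearchBase `
                         -Properties Description

foreach ($user in $candidates) {
    # Second gate: the description must carry the IdentityNow stamp with a parseable date.
    if (-not ($user.Description -match $pattern)) { continue }
    $stamp = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    if ($stamp -gt $cutoff) { continue }                   # still inside the grace period

    # Re-read live state right before acting so a re-enabled account is never deleted.
    $live = Get-ADUser -Identity $user.DistinguishedName
    if ($live.Enabled) {
        Write-Warning "$($user.SamAccountName) was re-enabled after the stamp; skipping"
        continue
    }

    Write-Output "Deleting $($user.SamAccountName) (disabled $($stamp.ToString('yyyy-MM-dd')))"
    Remove-ADUser -Identity $user.DistinguishedName -Confirm:$false -WhatIf:$whatIf
}
```

Run it without -Commit first and review the WhatIf lines; as the answer notes, any AD access still granted through Access Profiles or Roles will recreate the account, so revoke that access before the deletion date.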
