Delete AD user at some HR event

Hi! I need to delete an AD user when some conditions from HR are met (the client will rely on the AD garbage collector if some error happens). I think I can do it through an AD after operation rule and PowerShell, but before beginning this way, does anyone know another way?

Hi Julian,
You should be able to achieve your requirement by using the before provisioning rule to change the enable operation to delete.

I believe you are disabling accounts in inactive/terminated LCS. The next step would be to create a new LCS. In this new LCS configure it to “Enable Accounts” on Account Configuration Options. So, whenever a user falls into this new LCS, IDN will send enable operation to the connector which will generate the provisioning plan and use before provisioning rule to modify the plan so that it will change the enable operation to delete.


In addition to your approach there could be a couple of other ways to handle this:

  1. You can use the HR conditions to trigger a LCS change. You can configure this LCS to disable/delete the AD account. For delete operation you will need to use a Before Prov Rule to replace your disable to a delete operation.

  2. You can script a custom workflow with the Identity Attributes Changed trigger or the Source Account Updated trigger and then use Manage Accounts to Disable the account. Within the Before Prov rule, replace the disable with a delete operation.

1 Like

Hi Sharvari and thanks. I should maintain both disable and delete operations, because they want to use disable in cases like vacation, medical license, etc., and delete only when people are gone from the company. I think I will use the rule to take into account these distinct scenarios. I saw the Delete Account option in Manage Accounts, but I guess it is like the manual delete from the IDN console, which only removes the account on IDN, until the next aggregation.

Thanks Rakesh. This will make me lose the enable operation for everything, right? For example, someone goes on vacation. When the return date is reached, I do need to enable the AD account. As in fact the delete scenario is a result of a combo of attribute values, I have no option to use a rule. I was thinking of using an after operation rule. For example, if HR attributes A and B have to have the value "1" in order for the user to be deleted from AD, I will have to map them first into the identity profile, then sync them to the AD source, and develop an after operation rule in which, if the operation is modify and attributes A and B are "1", then call the PowerShell command to delete the user. Do you agree with my thought? Thanks again.

Within the before prov rule you can certainly retain the disable and delete operation both and based on your conditions decide which one should be executed.

Regarding the Delete action in Manage Accounts workflow that is only applicable to delimited file sources.

1 Like
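As an added example (not code from this thread or from SailPoint), here is what the Before Provisioning rule Rakesh describes can look like in BeanShell: it walks the provisioning plan, leaves Disable and Modify requests untouched so vacation and leave scenarios keep working, and rewrites an Enable to a Delete only when the identity sits in the lifecycle state reserved for deletion. The state name "delete" and the use of the `cloudLifecycleState` attribute are assumptions; `plan`, `application` and `log` are the variables IdentityNow injects into this rule type.

```java
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Before Provisioning rule (BeanShell). IdentityNow injects 'plan',
// 'application' and 'log'; the rule mutates 'plan' in place and returns it.
// Assumption: the LCS that should remove AD accounts is named "delete"
// (matching the "Delete" LCS described in this thread); rename to match
// your identity profile.
String DELETE_STATE = "delete";

Identity identity = plan.getIdentity();
String lcs = null;
if (identity != null) {
    lcs = (String) identity.getAttribute("cloudLifecycleState");
}

List requests = plan.getAccountRequests();
if (requests != null) {
    for (int i = 0; i < requests.size(); i++) {
        AccountRequest req = (AccountRequest) requests.get(i);

        // Only an Enable for an identity in the delete state is rewritten.
        // Disable (vacation, leave) and ordinary Modify requests pass through,
        // so the "enable on return date" case still works.
        if (AccountRequest.Operation.Enable.equals(req.getOperation())
                && DELETE_STATE.equalsIgnoreCase(lcs)) {
            log.info("Before Prov rule: rewriting Enable to Delete for "
                    + req.getNativeIdentity() + " on " + application.getName());
            req.setOperation(AccountRequest.Operation.Delete);
            // A Delete carries no attribute changes; drop any that rode
            // along with the Enable so the connector does not try to apply them.
            req.setAttributeRequests(null);
        }
    }
}

return plan;
```

Keeping the decision inside the plan (rather than in an after operation script calling PowerShell) means the Delete shows up in the IDN provisioning history like any other operation, which is easier to audit and to roll back to Disable if the lifecycle logic changes.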

Hi Julian,
Thank you for the reply. All the above cases are being handled by different LCS. We created the following LCS to accommodate the requirement.

  1. Prehire - User created 15 days prior. Disable AD account.
  2. Active - User actual start date. Enable AD account.
  3. Disabled - User leaves organization. Disable AD account.
  4. Delete - User is disabled for more than 90 days. Enable AD account and change operation to Delete.

You can create different LCS to handle your case. I would recommend using cloudLifecycleState and adding a transform in such a way that it returns the state the user should be in. This way you can easily manipulate it without any issues in maintenance. If a new requirement comes, you can always create a new LCS state and handle it.

Let me know if the above works for you.

