We're trying to implement an inactive account management process for Active Directory.
The requirement is:
· Identify accounts with no login activity for more than 90 days (using the lastLogonTimestamp, lastLogonDate, or any other suitable Active Directory attribute).
· Delete those accounts automatically from Active Directory
So my question is:
How can we achieve and implement it?
Is it actually possible to implement this use case using only UI configuration (Rapid Setup / Analytics / Batch Requests)?
Or is custom logic (Rules / Workflows / BeanShell scripting / Task definitions) required in IdentityIQ to properly evaluate inactivity based on timestamps?
You can implement the workflow as suggested by Harikrishna Tungala. Alternatively, there's another approach: create an identity attribute named lastLoginTimeStamp and create a rule that triggers based on the lastLogonTimestamp attribute. Then configure a Run Rule task to use this rule and schedule it to execute periodically; this rule can identify and delete the required accounts.
I think you can do what others have suggested, and my suggestion would possibly be writing a PowerShell script, which is deployed and scheduled on your IIQ server, where you read the last logon stamp, check lastlogon date > 90 days, and then delete it directly.
This can be achieved efficiently in the following way:
You can create a new Identity Attribute as LastLoginTimeStamp and add the identity mappings with the AD account attribute.
Create a Rule Runner task to check if the lastLoginTimestamp value is greater than 90. If it is greater than 90, get the list of all such users. Loop through all the users and then create an AD Disable/Delete plan for each identity and call the LCM Provisioning workflow to process the plan.
You can resolve this task by using a Run Rule task. Additionally, you can configure the lastLogonTimestamp attribute as an identity attribute. Within the rule, apply a filter such as: retrieve identities where lastLogonTimestamp is present and inactive = false. This ensures that only active identities with a valid lastLogonTimestamp value are fetched, which helps improve system performance by reducing unnecessary processing.
You can also add this rule to the application’s customization rules. It will convert the lastLogonTimestamp value from an integer format into a readable date format.
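The Run Rule task approach described in the replies above, written out as an added example for this thread (it is not SailPoint's code and not code posted by anyone here). It assumes an identity attribute named lastLogonTimestamp that is mapped from the AD account attribute, marked searchable, and still holds the raw FILETIME integer; an application named "Active Directory"; and the context and log objects IdentityIQ places in rule scope. The Provisioner call is one way to process the plan; launching the LCM Provisioning workflow instead, as suggested above, is the other.

```java
// Added example: BeanShell body for a Run Rule task rule. Assumptions are marked.
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

String AD_APP = "Active Directory";              // assumption: your AD application name
int INACTIVE_DAYS = 90;                          // threshold from the requirement
boolean DRY_RUN = true;                          // log only until the selection is verified
long FILETIME_EPOCH_OFFSET_MS = 11644473600000L; // 1601-01-01 to 1970-01-01 UTC, in ms

// lastLogonTimestamp is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
// Returns null for a missing, zero or unparseable value (zero = never logged on).
Date fileTimeToDate(Object raw) {
    if (raw == null) return null;
    try {
        long ticks = Long.parseLong(raw.toString().trim());
        if (ticks <= 0) return null;
        return new Date(ticks / 10000L - FILETIME_EPOCH_OFFSET_MS);
    } catch (NumberFormatException e) {
        log.warn("Unparseable lastLogonTimestamp value: " + raw);
        return null;
    }
}

long daysSince(Date d) {
    return (System.currentTimeMillis() - d.getTime()) / (24L * 60 * 60 * 1000);
}

// Fetch only active identities that actually carry a timestamp (the attribute must be
// a searchable extended attribute for this filter to work).
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.and(Filter.notnull("lastLogonTimestamp"), Filter.eq("inactive", false)));
Iterator it = context.search(Identity.class, qo);

int flagged = 0;
while (it.hasNext()) {
    Identity identity = (Identity) it.next();
    Date lastLogon = fileTimeToDate(identity.getAttribute("lastLogonTimestamp"));
    if (lastLogon == null || daysSince(lastLogon) <= INACTIVE_DAYS) {
        context.decache(identity);
        continue;
    }

    // One plan per identity, one account request per AD link on that identity.
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    List links = identity.getLinks();
    if (links != null) {
        for (Iterator li = links.iterator(); li.hasNext(); ) {
            Link link = (Link) li.next();
            if (!AD_APP.equals(link.getApplicationName())) continue;
            AccountRequest req = new AccountRequest();
            req.setApplication(AD_APP);
            req.setNativeIdentity(link.getNativeIdentity());
            // Operation.Disable is the safer first stage; Delete matches the stated requirement.
            req.setOperation(AccountRequest.Operation.Delete);
            plan.add(req);
        }
    }

    if (plan.getAccountRequests() != null) {
        flagged++;
        if (DRY_RUN) {
            log.info("Would delete AD account(s) of " + identity.getName()
                     + ", last logon " + lastLogon + " (" + daysSince(lastLogon) + " days ago)");
        } else {
            Provisioner provisioner = new Provisioner(context);
            provisioner.execute(plan);
        }
    }
    context.decache(identity);
}
Util.flushIterator(it);

return "Identities past " + INACTIVE_DAYS + " days of inactivity: " + flagged;
```

Two caveats worth keeping in mind when you tune the threshold: AD only rewrites lastLogonTimestamp when the stored value is more than about 14 days old (it exists to be replicated cheaply), so it is accurate to within roughly two weeks, which is fine for 90 days but not for a much shorter window; and accounts that have never logged on have no value at all, so they fall through the notnull filter and need a separate check against whenCreated. Run with DRY_RUN = true first and review the task log before switching to live provisioning.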
@Nureen_Govan This definitely requires a customization.
You can write a customization rule where you evaluate whether the lastlogon is more than 90 days old; if yes, then set an attribute like isInactive, or you can have a PowerShell script which can calculate and set the attribute value. You can schedule this script using Windows Task Scheduler on one of your Domain Controllers.
If you are handling it in IIQ you'll have the advantage of not creating or managing a new attribute in AD. In case you go with the PowerShell route, I would recommend only using the script to set the attribute but don't disable it. Let IIQ take care of deletion from a compliance perspective.
You can configure a lifecycle event scanning users with AD links and isInactive = true → triggers the workflow to delete the account.
Note: Found a fix? Help the community by marking the comment as solution. Feel free to react with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.
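The customization rule variant from the last two replies, as an added example for this thread (not SailPoint's code and not code posted by anyone here): it converts the integer lastLogonTimestamp into a readable date during aggregation and sets an isInactive flag on the account, which is what the lifecycle event above filters on. It assumes the rule receives object (a sailpoint.object.ResourceObject), application and log as IdentityIQ provides, and that lastLogonDate and isInactive have been added to the AD account schema and mapped to identity attributes so the lifecycle event can see them.

```java
// Added example: BeanShell body for an AD application Customization rule. Assumptions are marked.
import java.util.Date;
import sailpoint.object.ResourceObject;

int INACTIVE_DAYS = 90;
long FILETIME_EPOCH_OFFSET_MS = 11644473600000L;  // 1601-01-01 to 1970-01-01 UTC, in ms

// The connector delivers lastLogonTimestamp as the raw FILETIME integer (usually a String).
Object raw = object.getAttribute("lastLogonTimestamp");
Date lastLogon = null;
if (raw != null) {
    try {
        long ticks = Long.parseLong(raw.toString().trim());
        if (ticks > 0) {
            // 100-ns ticks -> milliseconds, shifted from the 1601 epoch to the Unix epoch
            lastLogon = new Date(ticks / 10000L - FILETIME_EPOCH_OFFSET_MS);
        }
    } catch (NumberFormatException e) {
        log.warn("Unparseable lastLogonTimestamp for " + object.getIdentity() + ": " + raw);
    }
}

boolean inactive = false;
if (lastLogon != null) {
    long days = (System.currentTimeMillis() - lastLogon.getTime()) / (24L * 60 * 60 * 1000);
    inactive = days > INACTIVE_DAYS;
} else {
    // No usable timestamp (never logged on, or value missing): do not flag here;
    // such accounts need a separate rule based on account age (whenCreated).
    log.debug("No lastLogonTimestamp for " + object.getIdentity() + "; isInactive left false");
}

// Derived attributes: a readable date and the flag the lifecycle event keys on.
// Both names are assumptions and must exist in the account schema.
object.setAttribute("lastLogonDate", lastLogon);
object.setAttribute("isInactive", inactive);
return object;
```

Because the flag is recomputed on every aggregation, an account that logs on again clears its own isInactive value on the next run; keep the aggregation schedule tighter than the 90-day window so the lifecycle event acts on current data rather than a stale flag.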