Design Approach for Deleting Home Directory in AD through SailPoint ISC

Problem

How do you delete a user's physical home directory as part of the automated leavers process in SailPoint ISC? This article provides a design approach for deleting the home directory in AD through SailPoint ISC.

Diagnosis

In Identity Governance, the JOINERS/MOVERS/LEAVERS processes are automated. During the LEAVERS flow we not only DELETE the user's AD account; if a Home Directory is associated with that account, we must also make sure that the physically created home directory folder is deleted.

Solution

Flow Diagram

Algorithm Steps

The following algorithm outlines the logic for deleting the Home Directory prior to AD account deletion.

Pre-Requisites

  1. You know the organization's policy for deleting home directories from the Home Drive location.

  2. Connectivity with AD is established.

  3. IQService is up and running.

  4. The AD source is integrated with SailPoint ISC.

Development

  1. Make sure there is an LCS (lifecycle state) in your respective identity profile named “delete”, or whatever name you have agreed on. Inside that “delete” LCS, configure the “Active Directory” source under “Settings for Previous Accounts” → “Delete Accounts”.

  2. As soon as the identity's LCS changes to delete, a delete-account request is raised against AD.

  3. From the AD Before Delete Connector Rule, we call a PowerShell script that performs the Home Directory deletion in the Home Drive.

    1. It takes the sAMAccountName as input from the Provisioning Plan of Account Creation.
    2. The Home Directory path is taken as input from the Get-User API inside the PowerShell script.

  4. The Home Directory is deleted for the respective user.
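As an added illustration of step 3 (this is example code, not the article's or SailPoint's own script), the PowerShell below is shaped to run from the AD Before Delete Connector Rule: it receives the sAMAccountName, reads the HomeDirectory attribute with Get-ADUser (the AD cmdlet used here for the article's "Get-User" step), and refuses to delete anything that does not sit under the approved home-drive root from your organizational policy. The parameter names, the file-server root and the log path are assumptions, not values from the article.

```powershell
# Added example (not from the article): home-directory cleanup called from the
# AD "Before Delete" connector rule. Assumes the rule passes the user's
# sAMAccountName as -SamAccountName; root and log paths are constructed placeholders.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    # Approved home-drive root per organizational policy (placeholder value)
    [string]$HomeDriveRoot = '\\FILESERVER01\HomeDrives$',
    [string]$LogPath = 'C:\IQService\Logs\HomeDirDelete.log',
    [switch]$WhatIfOnly   # report what would be deleted without deleting
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) [$SamAccountName] $Message" |
        Out-File -FilePath $LogPath -Append
}

# 1. Resolve the home directory from AD. The rule runs before the account is
#    deleted, so the object must still exist; a lookup failure stops the script.
$user = Get-ADUser -Identity $SamAccountName -Properties HomeDirectory -ErrorAction Stop
$homeDir = $user.HomeDirectory
if ([string]::IsNullOrWhiteSpace($homeDir)) {
    Write-Log 'No HomeDirectory attribute set; nothing to delete.'
    return
}

# 2. Guard: normalise both paths and only accept a target strictly below the
#    approved root. This blocks a mis-set attribute (another share, the root
#    itself, or a "..\" segment) from turning the leaver step into a mass delete.
$rootFull   = [System.IO.Path]::GetFullPath($HomeDriveRoot).TrimEnd('\') + '\'
$targetFull = [System.IO.Path]::GetFullPath($homeDir).TrimEnd('\')
if (-not $targetFull.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)) {
    Write-Log "Refusing to delete '$homeDir': outside approved root '$HomeDriveRoot'."
    throw "Home directory path is outside the approved home-drive root"
}

# 3. Delete (or report) the folder and leave an audit trail for the leaver case.
if (-not (Test-Path -LiteralPath $targetFull -PathType Container)) {
    Write-Log "Path '$targetFull' does not exist; skipping."
    return
}
if ($WhatIfOnly) {
    Write-Log "WhatIf: would delete '$targetFull'."
    return
}
Remove-Item -LiteralPath $targetFull -Recurse -Force -ErrorAction Stop
Write-Log "Deleted home directory '$targetFull'."
```

Run it first with -WhatIfOnly against a test identity so the log shows which path the guard resolves before any folder is removed.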

Key Technical Considerations

1. The corporate policy for Home Directory deletion is known to you.