Targeted Certification

Which IIQ version are you inquiring about?

Version 8.1

Share all details related to your problem, including any error messages you may have received.

Hello Everyone,
I want to create a certification to revoke AD access for those accounts that haven’t logged in for the past 2 years, and this certification will be assigned to spadmin.
My questions:
What kind of certification should I create? I am thinking of a Targeted/Manager Certification?
Will the AD groups be removed if the AD account access is revoked through the certification, or do I need to write some custom rules to remove these AD groups?

Any suggestions will be helpful.

Deleting an account deletes the groups, but disabling will NOT remove them. The manager would be the ideal person, and you will have to select the items to certify as ‘Accounts’. You can use Certification Events using a rule.

1 Like

@j1241
It totally depends on your requirement. A manager review will give you the option that items need to be reviewed by the manager, and a targeted certification will give you more flexibility, where you can choose the reviewer based on your requirement.

In your case I think it would be better reviewed by the manager, as they would know if their reportee is terminated or if they really need access to AD, and accordingly they can take action.

The action would be to delete the AD account until and unless you haven’t written any additional code to change the plan.

1 Like

Hi @j1241

I would suggest disabling the account rather than revoking some access, which is the highly used scenario. However, if that is the requirement:

You can use a Targeted Certification, which is a mix of all certifications.

Under “What do you want to certify”, select a Rule. The rule should be able to query the AD account and check the last logon.

Under “What do you want to certify”, select and filter as per your requirements.

Thanks
Krish

1 Like

Try considering creating a Policy for the same (an Advanced Policy in this case), where if the AD account’s lastLogon attribute is more than 2 years old (based on your requirement), the account will get disabled and a work item is assigned to the manager. With policies you can also attach a workflow, in which you could create an approval node followed by the appropriate action based on the outcome of the approval. Although this would require you to write rules and configure a workflow (if needed), this policy could be evaluated every time the AD aggregation executes.

1 Like
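
The replies above rely on a rule that checks the AD lastLogon attribute against a 2-year threshold. The following is an added example, not part of any post in this thread and not SailPoint code, of that check in plain Java. The class, enum and method names are hypothetical, and it assumes the value arrives as the raw AD FILETIME string (100-nanosecond ticks since 1601-01-01 UTC); note that lastLogon is kept per domain controller, while lastLogonTimestamp is the replicated attribute.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;

public class StaleAdLogonCheck { // hypothetical name, not an IIQ class
    // Seconds from the FILETIME epoch (1601-01-01 UTC) to the Unix epoch.
    static final long EPOCH_DIFF_SECONDS = 11_644_473_600L;
    static final long TICKS_PER_SECOND = 10_000_000L; // one tick = 100 ns

    enum Status { ACTIVE, STALE, NO_LOGON_RECORDED, UNPARSEABLE }

    // Converts a FILETIME tick count to an Instant.
    static Instant fromFileTime(long ticks) {
        long seconds = ticks / TICKS_PER_SECOND - EPOCH_DIFF_SECONDS;
        long nanos = (ticks % TICKS_PER_SECOND) * 100L;
        return Instant.ofEpochSecond(seconds, nanos);
    }

    // Classifies a raw lastLogon value against a threshold of `years` years.
    static Status classify(String raw, Instant now, int years) {
        // A missing or empty attribute is kept separate from STALE so that
        // never-used accounts can be reviewed on their own terms.
        if (raw == null || raw.trim().isEmpty()) return Status.NO_LOGON_RECORDED;
        long ticks;
        try {
            ticks = Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            return Status.UNPARSEABLE; // do not revoke on bad data
        }
        if (ticks <= 0) return Status.NO_LOGON_RECORDED; // AD stores 0 for "never"
        Instant cutoff = ZonedDateTime.ofInstant(now, ZoneOffset.UTC)
                .minusYears(years).toInstant();
        return fromFileTime(ticks).isBefore(cutoff) ? Status.STALE : Status.ACTIVE;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-06-01T00:00:00Z"); // fixed for repeatable runs
        String[] samples = { // constructed sample values
            "132223104000000000", // 2020-01-01T00:00:00Z
            "133485408000000000", // 2024-01-01T00:00:00Z
            "0", null, "n/a"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + classify(s, now, 2));
        }
    }
}
```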