Expired accounts

Hello everyone,

I'm trying to set up a dynamic group with an exclusion rule for user accounts that are expired.

The only way I could find, up to now, is to include the max expiry date as "hard-coded" in the LDAP query of the "custom search" rule: "(|(accountExpires>=132517692000000000)(accountExpires=0))"

Unfortunately, this workaround means that the date never changes until a manual edit of this LDAP query... which is not ideal.

Would anyone know a way to include this "accountExpires" criterion in a smarter way?

Thanks a lot in advance for any idea!

  • Hi Sebastien

    Unfortunately the LDAP query is not dynamic; it is only set at the time of creation or modification of the membership rule, therefore you'd need some script which updates the membership rule every 24 hrs. There's an example within the Wiki page which shows how to create a new DG (Create Dynamic Group in PowerShell - Wiki - Active Roles Community - One Identity Community). You'd also, however, have to add code to remove the no longer required membership rules.

    However, there are other things you could do to remove the need to script the update of the filter, by changing how you deal with expired accounts.

    For example, use an automation workflow. This would search for any expired accounts, then either (or both) update <some attribute> to indicate it's expired, or deprovision the user account. Then you'd just update the membership rule of the dynamic group to not include accounts with the <some attribute> set to <some value> and/or edsvaDeprovisioningStatus Is Not 1. The automation workflow would be set to run every <x> hours (where this could be every 24 hrs), then any account that was deprovisioned and/or had <some attribute> updated would be removed from the DG.

    Hope this helps

    Stu
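Added example, not code from the original post or from One Identity: a PowerShell sketch of the "script that updates the filter" idea in the reply above. It computes the accountExpires cutoff from the current date instead of hard-coding it, decodes the value from the question, and (going slightly beyond the question) also treats 9223372036854775807 as "never expires", which AD uses alongside 0. Writing the resulting string into the membership rule is assumed to be done with the Active Roles cmdlets from the linked wiki and is not shown here.

```powershell
# Added example, not from the original post or from One Identity.
# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# A value of 0 or 9223372036854775807 ([int64]::MaxValue) means "never expires".
$NeverExpiresMax = [int64]::MaxValue

function ConvertFrom-AccountExpires {
    # Decode a raw accountExpires value into a UTC DateTime ($null = never expires).
    param([Parameter(Mandatory)][int64]$FileTime)
    if ($FileTime -eq 0 -or $FileTime -eq $NeverExpiresMax) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime)
}

function New-NotExpiredFilter {
    # Build the "not yet expired" LDAP filter relative to a given moment (default: now),
    # so a daily scheduled run always produces a current cutoff instead of a fixed one.
    param([DateTime]$AsOf = (Get-Date))
    $ticks = $AsOf.ToUniversalTime().ToFileTimeUtc()
    return "(|(accountExpires>=$ticks)(accountExpires=0)(accountExpires=$NeverExpiresMax))"
}

# The value hard-coded in the question resolves to 2020-12-06 23:00:00 UTC
# (midnight on 2020-12-07 in a UTC+1 zone), which is why it silently went stale.
ConvertFrom-AccountExpires -FileTime 132517692000000000

# Today's filter; a scheduled task or Active Roles automation workflow would
# re-run this every 24 hrs and push the string into the dynamic group's custom
# search rule (assumed: via the cmdlets shown in the linked wiki).
New-NotExpiredFilter
```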
