
Active Roles Server Auto Deprovision

Hello all,

With the help of members I have created a managed unit which houses users who have not logged on for over 90 days.

I also received help with a script/task to auto deprovision.

However, I have come across below situation.

Users are de-provisioned overnight every night.

Desk gets a call from a manager to re-provision an account, ready for the user to start in the morning or (within 5 days); they do so as requested.

The task runs overnight and de-provisions the account again.

How can I exclude accounts that have been reprovisioned within the last 5 days?

  • How is your MU currently built?

  • John posed a good question. I would add by saying that this document shows how to compare dates when building a managed unit. You can create a VA that is updated with the deprovision date and store its value in the database. Then modify the script in the document to compare today's date versus the depro date VA, adding for the time period you need (5 days).

  • Thanks Greg/John,

    I created the Managed Unit using the script mentioned above, which runs prior to the deprovision script, so the MU is up to date.

    You mention using a VA to store date, would this have to store the date of un-deprovision, so the account is not re-added to MU for the next run, if within 5 days?

    The VA would need to be updated when the user is un-deprovisioned, not sure how I would go about this.

    The other option I have is to advise the desk to populate the manager and managed by attributes for users when un-deprovisioning; I have excluded users with these attributes populated.

    Users with these attributes and not logged on for 90 will be handled by workflow / attestation.

    Thanks again.

  • I would store the un-deprovisioned date in the VA, modify the MU script to exclude users who have a value in the VA that is within the past 5 days, and modify the Deprovision command to clear that VA.

  • Oops, yes, I meant the Un-Depro date would need to be stored in the VA.

  • You can use the attribute edsvaUnDeprovisionCommand or edsvaUnDeprovisionStatus: if 2 or 1 exists, do not de-provision / exclude the user from de-provisioning,
    so the undo-deprovisioned users won't get deprovisioned again.
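
The exclusion suggested in the replies above (store the un-deprovision date in a VA and skip accounts where it falls within the past 5 days), written as an added PowerShell example that is not from the thread or from the vendor. The VA name `edsvaUnDeprovisionDate`, its ISO 8601 UTC format and the sample accounts are assumptions; empty, unparseable and future-dated values are deliberately treated as not exempt, so a bad value cannot keep a stale account out of deprovisioning indefinitely.

```powershell
# Added example. 'edsvaUnDeprovisionDate' is a HYPOTHETICAL virtual attribute,
# assumed to be written (as an ISO 8601 UTC string) when an account is
# un-deprovisioned and cleared again when the account is deprovisioned.

function Test-InGracePeriod {
    param(
        [string]$UnDeproDate,                    # raw VA value, may be empty
        [datetime]$Now = [datetime]::UtcNow,
        [int]$GraceDays = 5
    )
    if ([string]::IsNullOrWhiteSpace($UnDeproDate)) { return $false }

    $parsed = [datetime]::MinValue
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
              [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $ok = [datetime]::TryParse($UnDeproDate,
              [cultureinfo]::InvariantCulture, $styles, [ref]$parsed)

    if (-not $ok)         { return $false }      # garbage value: no exemption
    if ($parsed -gt $Now) { return $false }      # future date: no exemption
    return (($Now - $parsed).TotalDays -lt $GraceDays)
}

function Select-DeprovisionCandidate {
    # $Users: accounts already in the "no logon for 90 days" managed unit.
    param([object[]]$Users, [datetime]$Now = [datetime]::UtcNow)
    foreach ($u in $Users) {
        if (-not (Test-InGracePeriod -UnDeproDate $u.edsvaUnDeprovisionDate -Now $Now)) {
            $u                                   # still due for deprovisioning
        }
    }
}

# Constructed sample data (not real accounts), evaluated at a fixed "now".
$now = [datetime]::new(2024, 3, 10, 2, 0, 0, [System.DateTimeKind]::Utc)
$muMembers = @(
    [pscustomobject]@{ Name = 'alice'; edsvaUnDeprovisionDate = $null }
    [pscustomobject]@{ Name = 'bob';   edsvaUnDeprovisionDate = '2024-03-08T09:30:00Z' }
    [pscustomobject]@{ Name = 'carol'; edsvaUnDeprovisionDate = '2024-02-20T09:30:00Z' }
    [pscustomobject]@{ Name = 'dave';  edsvaUnDeprovisionDate = 'tomorrow' }
    [pscustomobject]@{ Name = 'erin';  edsvaUnDeprovisionDate = '2024-04-01T00:00:00Z' }
)

# Only 'bob' (re-provisioned less than 5 days before $now) is held back.
Select-DeprovisionCandidate -Users $muMembers -Now $now |
    ForEach-Object { $_.Name }
```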