AD Admin account to be disabled when employee quits

I have a case where a customer would like to disable AD admin accounts when a person has left.

There are currently a lot of admin accounts created directly in AD. First we would need to map them to an identity, but we don't want to update information / birthrights on them. We would just need to disable those accounts when a person has left. Persons also have another AD account which they use in daily life, but those admin accounts are used to sign in to shared servers etc.

What is the preferred way to handle this kind of scenario?

  • Open the mapping of the user. The mapping rule could have a custom "Key resolution by reference" property on the OneIM side. This should point to the base property UID_Person. Then you need to use some property as the search property. The search property is used to search for the corresponding person in the person table.

    Then you map this custom property with the property that gives the value for the search property from Active Directory. Some parsing might be needed here, depending on which property is used as the search property.

    Your goal is to use this mapping only for the administrative accounts. Therefore a condition is needed. It could be something like Right.cn like 'adm_%'.

    Then everything is set and synchronizing the environment will fill the UID_Person fields of the administrative accounts.

    I would not encourage the custom process option, because it is quite straightforward with the Synchronization editor.

  • One thing that I don't understand is the difference between doing the mapping via Synchronization editor and doing it in manager tool (domain search criteria for employee assignment)?

  • There are two different mechanisms behind these.

    1. For the mapping in the Synchronization editor the logic is in the Synchronization editor. This logic comes into use with each synchronization.

    2. The domain search criteria uses the logic from the script ADS_PersonAuto_Mapping_ADSAccount. Use of this logic may be configured with the configuration parameters, and it is triggered as a post process after a synchronization that runs through the Job service.

    By the way you could as well customize the script ADS_PersonAuto_Mapping_ADSAccount to solve your case.

  • Now when I have mapped the admin account with the person object, and then the person gets an account definition, it links that with the admin account. How can I prevent the admin account from getting the account definition?
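The key-resolution mapping from the first reply (condition on the account cn, search-property value parsed out of the account name, UID_Person filled on the admin account) together with the disable-on-leave check the question asks for, as an added Python simulation that is not One Identity Manager code. The 'adm_' prefix convention, CentralAccount as the search property, the IsInActive flag and all sample rows are assumptions constructed for the example.

```python
import re

# Condition from the thread: only accounts with cn LIKE 'adm_%' are mapped.
# Note that in SQL LIKE the '_' is a single-character wildcard; this regex
# requires the literal underscore, which is usually what is intended.
# The text after the prefix is taken as the search-property value and is
# assumed to equal the person's CentralAccount (constructed convention).
ADMIN_CN = re.compile(r"^adm_(?P<key>.+)$", re.IGNORECASE)

# Constructed Person rows: UID_Person, CentralAccount, IsInActive (has left)
PERSONS = [
    {"UID_Person": "P-001", "CentralAccount": "jdoe", "IsInActive": False},
    {"UID_Person": "P-002", "CentralAccount": "asmith", "IsInActive": True},
]

# Constructed ADSAccount rows; UID_Person None means not yet mapped
AD_ACCOUNTS = [
    {"cn": "jdoe", "UID_Person": "P-001"},     # daily-use account, already mapped
    {"cn": "adm_jdoe", "UID_Person": None},    # admin account, person active
    {"cn": "adm_asmith", "UID_Person": None},  # admin account, person has left
    {"cn": "adm_orphan", "UID_Person": None},  # admin account, no matching person
    {"cn": "svc_backup", "UID_Person": None},  # service account, outside condition
]


def search_value(cn):
    """Parse the search-property value from an admin cn; None if out of scope."""
    m = ADMIN_CN.match(cn)
    return m.group("key").lower() if m else None


def resolve_by_reference(accounts, persons):
    """Fill UID_Person on in-scope admin accounts by looking up the search
    value in the person table. Returns {cn: UID_Person or None} for every
    account the condition matched, so unresolved admin accounts stay visible."""
    by_key = {p["CentralAccount"].lower(): p["UID_Person"] for p in persons}
    result = {}
    for acct in accounts:
        key = search_value(acct["cn"])
        if key is None:
            continue  # condition not met: regular and service accounts untouched
        uid = by_key.get(key)
        result[acct["cn"]] = uid
        if uid is not None and acct["UID_Person"] is None:
            acct["UID_Person"] = uid
    return result


def admin_accounts_to_disable(accounts, persons):
    """Mapped admin accounts whose person has left (IsInActive), sorted by cn."""
    inactive = {p["UID_Person"] for p in persons if p["IsInActive"]}
    return sorted(a["cn"] for a in accounts
                  if search_value(a["cn"]) and a["UID_Person"] in inactive)
```

Accounts the condition matched but that resolved to no person (adm_orphan here) are reported with None rather than silently skipped, since unmapped admin accounts are exactly the ones that would never be disabled by a leaver process.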