Managed Units don't show deprovisioned users and ARS policies do not apply to deprovisioned users

In the same way as you can change the way dynamic groups can contain non-mail-enabled accounts, why can't we choose if an MU contains deprovisioned accounts?

It can be limiting that ARS effectively ignores deprovisioned accounts. 

I have policies in place to help (prevent) the SD doing something they shouldn't, like enable an account HR have marked as a leaver, but once the account is deprovisioned these policies no longer work, so the SD can enable an account.

Also, I have teams whose only access is via the Managed Unit - if they deprovision a user account then it becomes invisible to them, as it can no longer be a member of the Managed Unit. If my query for the MU includes a filter to locate deprovisioned users, then ideally the MU should display the users.

  • My script works fine on all accounts that have not been deprovisioned - this was just the event handler. Get-Value is one of the library best practice functions Quest used to provide (not included in the snippet I posted). Not sure if the library functions are still provided or listed in the SDK, but these scripts go back 7 years and have been working fine until someone decided to enable a deprovisioned account recently.

    Thanks for discovering that Deprovision Policies still fire on deprovisioned accounts - this makes such sense now that I think about it and it opens up a whole new smorgasbord of scripting opportunities - I still love this product's flexibility and the ease with which it can be customized and cajoled into working Identity Magic :-)