Views:

Applies To:

GroupID 8, 9, 10 - Synchronize

 Business Scenario:

We use GroupID Synchronize to provision user accounts in Active Directory from an HR database. When a user leaves the organization, the EmploymentStatus attribute for that user is updated as ‘Termed’. Is there any way to deprovision user accounts in Active Directory while stamping them with a time and date when they are disabled?

Solution:

Imanami GroupID provides a pseudo-attribute, 'Disable Account' with 'True' or 'False' as its possible values. We can use Synchronize to locate the user accounts in the HR database where EmploymentStatus is ‘Termed’, and then use the 'Disable Account' pseudo-attribute to disable them in Active Directory.

Steps to Perform this Task:

  1. In GroupID Management Console, expand the Synchronize node, right-click All Jobs, and then select New Job.
  2. On the Job Template page, select the Blank Job option and click Next.
  3. Select a source provider and then select Active Directory as the destination provider. Enter the connection settings and click Next.
  4. On the Sync Object Options page, select the required object type, keep the default settings, and click Next.
  5. On the Select Fields page, select the attribute that will serve as the primary key. In this scenario, I will be using EmployeeID. Also, select Description and Disable Account (pseudo-attribute) and click Next.

  6. Apply transformations on the Field Map(s) page. 

    • Set the destination field for 'Description' to Static. Add static text as “Disabled by GroupID  %Now%”.


       
    • Set the destination field for 'Disabled Account' to Static and set the static text as 'True'.

  7. Complete the job wizard. Then run the job and you will see the final results.

Reference:

GroupID Online Help topic: Transformations

Keywords: EmploymentStatus, Synchronize, deprovisioning, Disable Account, user
Comments (0)