Active Directory Exit Strategy


Allows automated deactivation or deletion of user accounts.

 

With this action you define the logic for deactivating and subsequently deleting user accounts; the data in the file-system folder referenced by each user's HomeDirectory attribute can be deleted as well. When the scheduled conditions are met, the procedure can automatically notify users by e-mail that their account will be deactivated, and once the configured periods have elapsed the deactivation and/or deletion of the accounts and of any personal data takes effect.

 

Changes made in Active Directory and notifications sent by this procedure are written to the Windows event log and displayed in the Event log window.

 

 

Active Directory Exit Strategy Workflow

 

[Figure: Active Directory Exit Strategy workflow]

 

 

Active Directory exit strategy wizard

 

[Screenshot: Active Directory exit strategy wizard, page 1]

Action description: descriptive text shown in the main grid. The software also uses the description as the identifier of the action, so duplicates are not allowed in this field.

 

Credentials...: the set of credentials the service uses to modify or delete accounts in Active Directory. The account must be a member of Domain Admins; if the HomeDirectory attribute is used for users, it also needs Full Control on the users' home folders, because the data there is deleted together with the account. Use a service account dedicated to this operation rather than a person's account, and, since that account holds Domain Admins rights, protect its credential accordingly (a strong unique password, a restricted set of machines it may log on to, and audited use). For more information on creating and managing service accounts see Manage Credentials.

 

Scheduler waiting time...: the interval that must elapse after an execution of the action completes before it runs again. During the wait no action is performed; the service only reports the remaining time to the user interface as a countdown.

 

Activate this action...: includes the action in the execution sequence. When the service is started with the Execute now command, the action is processed in the scheduled sequence according to its OE (execution order) property in the main grid.

[Screenshot: Active Directory exit strategy wizard, page 2]

The exit strategy will be applied in this area: the scope, which can be the whole domain, a group or an organizational unit. The exit strategy applies only to users inside that scope.

 

Start exit strategy when: the trigger condition that starts the notification, deactivation and deletion procedure. You can specify a group, an organizational unit or a number of days of account inactivity.

 

Deactivate the account after days: if this option is chosen, accounts are deactivated the set number of days after the trigger condition is met.

 

Permanently delete account and data from the "HomePath" folder after days: if this option is chosen, accounts are permanently deleted together with the folder in the file system set in their HomeDirectory attribute. Specify the number of days that must elapse, counted from the trigger condition, before deletion. The folder contents cannot be recovered by the procedure once deleted, so choose an interval that gives users and administrators enough time to react to the notifications.

 

 

NOTES

 

Changing trigger conditions

The Active Directory exit strategy is valid only within its configured scope and trigger condition. While the procedure is running, which can be for a long time, some users may stop matching the scope or the trigger condition. When that happens the procedure stops for those users and their day count towards deactivation or deletion is discarded; if a user later matches the scope and trigger condition again, the procedure starts from the beginning.

 

Service interruptions

If an exit strategy is in progress and the ADOne Agent service is stopped for more than one day, the day counter does not include the time the service was down. When the service restarts, deactivation or deletion is therefore deferred by the length of the interruption.

[Screenshot: Active Directory exit strategy wizard, page 3]

When users are in the configured scope and meet the trigger condition, the exit strategy begins and users are notified by a mail message explaining that their account is about to be deactivated or deleted. One of the following options must be configured so that the service can send the automated mail message.

 

Standard mail server: configuration of the SMTP server the service uses to send mail. Use an account that is authorized to send mail. If the account is an Exchange Online mailbox in Microsoft 365, the Authenticated SMTP (SMTP AUTH) option must be enabled for that mailbox in the user's properties in the tenant; see the Microsoft online documentation for details.

 

SendGrid Server: uses the SendGrid.com platform to send mail; enter the API key issued for the service. Treat the key as a credential: issue it with send-only permissions and rotate it if it is exposed.

 

Do not send notifications before the execution of the exit strategy: with this option users are not notified by e-mail that the deactivation or deletion of their account is in progress. Use it only if users have no mailbox, or if the accounts contain no personal data.
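The following is an added example, not ADOne code, of how to verify the Microsoft 365 requirement above before pointing the Standard mail server option at an Exchange Online mailbox: it reads the tenant-wide and per-mailbox SMTP AUTH settings, enables SMTP AUTH for the one notification mailbox only, and sends a test message through the same SMTP path the service will use. The sender address, recipient address and the presence of the Exchange Online Management module are assumptions.

```powershell
# Added example (not part of ADOne): confirm SMTP AUTH is available for the
# mailbox the service authenticates as, then send one test message.
# Assumptions: Exchange Online Management module installed; the notification
# mailbox is 'adone-notify@corp.example' (placeholder address).
$Sender    = 'adone-notify@corp.example'
$Recipient = 'it-ops@corp.example'

Connect-ExchangeOnline

# Tenant-wide switch: $true means SMTP AUTH is disabled for every mailbox
# unless a mailbox overrides it.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

# Per-mailbox setting: $true disables, $false enables, blank inherits the
# tenant-wide value.
Get-CASMailbox -Identity $Sender | Select-Object SmtpClientAuthenticationDisabled

# Enable SMTP AUTH for this one mailbox only; leave the tenant-wide switch alone.
Set-CASMailbox -Identity $Sender -SmtpClientAuthenticationDisabled $false

Disconnect-ExchangeOnline -Confirm:$false

# Test send with the same credentials and server settings the action will use
# (Exchange Online client submission: smtp.office365.com, port 587, STARTTLS).
$cred = Get-Credential -UserName $Sender -Message 'Password for the notification mailbox'
Send-MailMessage -From $Sender -To $Recipient `
    -Subject 'ADOne exit strategy SMTP test' -Body 'SMTP AUTH submission works.' `
    -SmtpServer 'smtp.office365.com' -Port 587 -UseSsl -Credential $cred
```

Enabling SMTP AUTH per mailbox rather than tenant-wide keeps the weaker, password-based submission path limited to the single service mailbox that needs it.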

[Screenshot: Active Directory exit strategy wizard, page 4]

In this section you can compose different e-mail messages, each sent a set number of days before the account is deactivated or deleted.

[Screenshot: Active Directory exit strategy wizard, page 5]

With this list you can exclude organizational units, users or groups from the exit strategy. Anything entered here is ignored by the deactivation/deletion procedure even if it falls within the configured scope and meets the trigger condition.
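Because the action deletes accounts and home-folder data without further confirmation, it is worth previewing which accounts the configured scope, trigger condition and exclusion list would select before activating it. The script below is an added example, not ADOne code, that does this from the same inputs the wizard asks for. It assumes the scope is an organizational unit, the trigger is a number of days of inactivity measured from the last logon (how ADOne measures inactivity is not stated on this page), and the exclusions are the members of one group; the OU path, group name and day values are placeholders. It also reports whether each user's HomeDirectory folder exists, since that is the data the deletion step would remove.

```powershell
# Added example (not part of ADOne): dry-run preview of the accounts an exit
# strategy would act on. Assumptions: scope = an OU, trigger = days inactive
# since last logon, exclusions = members of one group. Values are placeholders.
Import-Module ActiveDirectory

$ScopeOU         = 'OU=Staff,DC=corp,DC=example'
$InactiveDays    = 90      # "Start exit strategy when": days of inactivity
$DeactivateAfter = 14      # "Deactivate the account after days"
$DeleteAfter     = 60      # "Permanently delete account and data ... after days"
$ExclusionGroup  = 'ExitStrategy-Exclusions'

$now = Get-Date

# Build the exclusion set once; nested group members count as excluded too.
$excluded = @{}
Get-ADGroupMember -Identity $ExclusionGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $excluded[$_.distinguishedName] = $true }

$preview = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ScopeOU -SearchScope Subtree `
                      -Properties LastLogonDate, HomeDirectory, whenCreated |
    Where-Object { -not $excluded.ContainsKey($_.DistinguishedName) } |
    ForEach-Object {
        # LastLogonDate is derived from lastLogonTimestamp, which AD refreshes
        # only when it is 9-14 days stale, so "inactive for N days" is accurate
        # only to that granularity. Accounts that never logged on count from
        # their creation date.
        $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $inactive = [int]($now - $lastSeen).TotalDays
        if ($inactive -lt $InactiveDays) { return }   # trigger not met; skip

        # Earliest possible dates: they assume the service runs continuously
        # from the day the trigger is met (its day counter pauses while it is
        # stopped and resets if the user leaves the scope).
        $trigger = $lastSeen.AddDays($InactiveDays)
        [pscustomobject]@{
            User          = $_.SamAccountName
            LastSeen      = $lastSeen.ToString('yyyy-MM-dd')
            InactiveDays  = $inactive
            DeactivateOn  = $trigger.AddDays($DeactivateAfter).ToString('yyyy-MM-dd')
            DeleteOn      = $trigger.AddDays($DeleteAfter).ToString('yyyy-MM-dd')
            HomeDirectory = $_.HomeDirectory
            # Folder that would be deleted together with the account
            HomeDirExists = [bool]$_.HomeDirectory -and (Test-Path -LiteralPath $_.HomeDirectory)
        }
    }

$preview | Sort-Object DeleteOn | Format-Table -AutoSize
$preview | Export-Csv -Path '.\exit-strategy-preview.csv' -NoTypeInformation
```

Run it under an account that can read the home-folder share, or HomeDirExists will be false for folders that do exist. Any user on the list who should not be touched belongs in the exclusion list above before the action is activated.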

 

See also: Actions - Manage credentials