
Remove User From AD Groups 14 days After Termination

Saikumar2328
New Contributor

Hi Team,

I need some information. I have to remove the user from the AD group memberships 14 days after termination.

Preconditions: 

  • User is inactive 
  • AD account is inactive 
  • Termdate is 14 days ago 

Please share any documentation available for this, and share sample JSON if available.

9 REPLIES

NM
Honored Contributor III

Hi @Saikumar2328, you can use either actionable analytics or a user update rule for the use case.

Amit_Malik
Valued Contributor II

Hi @Saikumar2328 ,

You can use a user update rule when the status key is updated from 1 to 0. Take actions --> Disable account on day 0 and de-provision access on the 14th day.

This should be enough, but if you want to have a report to find anomalies, you can create a standard report to find users terminated (using end date) in the past (diff greater than 14 days) who are still inactive but still have an active account and access in AD.

Saviynt also provides a similar report OOTB, something like "Inactive Users found with Active Accounts & Access"; you can tailor it a bit to match your expectations.

 

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".

rushikeshvartak
All-Star
  • When the user is getting terminated, create tasks for removing groups also
  • You can achieve the same from a User update rule

     


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@rushikeshvartak - Do we have an option to remove specific AD groups and keep some groups active for inactive accounts?

For example, a user has 3 groups:

abc

def

cgh

We need to keep only the abc group and have to remove def and cgh for inactive accounts.

NM
Honored Contributor III

Hi @Saikumar2328, then you have to use analytics to take care of the above requirement.

Is there any sample analytic available for this requirement?

  • You can use an enhanced query to discontinue the task once it is created

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@rushikeshvartak - Is there any sample enhanced query for this task?

-- Picks one ActiveDirectory task currently in status 8 and returns it with arstasks__status = 4
SELECT at.taskkey              AS arstasks__primarykey,
       4                       AS arstasks__status,
       at.provisioningcomments AS arstasks__provisioningcomments
FROM   arstasks AS at
       JOIN endpoints AS ep
         ON at.endpoint = ep.endpointkey
WHERE  ep.endpointname = 'ActiveDirectory'
       AND at.status = 8
LIMIT  1;


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
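
The anomaly report described in Amit_Malik's reply, combined with the keep-one-group requirement from the follow-up question, could be sketched as the read-only query below. This is an added example, not part of any post in the thread. The `users`, `accounts`, `user_accounts`, `account_entitlements1` and `entitlement_values` tables and their columns, the account status literals, the use of `enddate` as the termination date and the keep-list value `abc` are assumptions to verify against your own Saviynt schema.

```sql
-- Added example: list AD group memberships that are due for removal
-- 14 or more days after termination. Read-only; it changes nothing.
-- Assumed schema (verify in your tenant): users, user_accounts, accounts,
-- account_entitlements1, entitlement_values. endpoints is used as in the thread.
SELECT u.username                     AS username,
       u.enddate                      AS termination_date,
       DATEDIFF(CURDATE(), u.enddate) AS days_since_termination,
       a.name                         AS ad_account,
       ev.entitlement_value           AS ad_group
FROM   users AS u
       JOIN user_accounts AS ua
         ON ua.userkey = u.userkey
       JOIN accounts AS a
         ON a.accountkey = ua.accountkey
       JOIN endpoints AS ep
         ON ep.endpointkey = a.endpointkey
       JOIN account_entitlements1 AS ae
         ON ae.accountkey = a.accountkey
       JOIN entitlement_values AS ev
         ON ev.entitlement_valuekey = ae.entitlement_valuekey
WHERE  ep.endpointname = 'ActiveDirectory'
       AND u.statuskey = 0                       -- user is inactive
       AND a.status IN ('2', 'Inactive')         -- AD account is inactive (assumed literals)
       AND u.enddate IS NOT NULL                 -- skip users with no termination date
       AND DATEDIFF(CURDATE(), u.enddate) >= 14  -- terminated at least 14 days ago
       AND ev.entitlement_value NOT IN ('abc')   -- groups to keep (sample name from the thread)
ORDER  BY days_since_termination DESC,
          u.username,
          ev.entitlement_value;
```

Running it as a plain report first and comparing the rows with the removal tasks that were actually created shows whether a group missing from the keep-list, or stored under a different value than expected, would be removed.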