When employees leave an organization, their Active Directory account needs to be cleaned up and secured. The employees’ user account must be protected and, after a while, purged from the system. We suggest that all separated employees’ user accounts be disabled and moved to a secure organizational unit (OU). When appropriate, the user accounts’ group membership should also be removed. (NOTE: Making a screen capture of the group membership is a good idea before doing this!)
Often, managers and other coworkers need to access emails and other resources owned by the user account, so the account must remain intact. Since the user account can’t be immediately deleted, there might be other systems, such as ADSelfService Plus, Office 365, and more, where that user account needs to be deactivated so it no longer takes up a license.
With regard to ADSelfService Plus, you can have either the Super Admin or an Operator (both types of technicians) disenroll user accounts. The Super Admin has this privilege by default, as you would expect for that role. The Operator, however, does not have this capability by default. To allow Operators to disenroll (deactivate) user accounts, perform the following steps:
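The record, disable, strip-groups and move sequence suggested above can be scripted so the group membership record is a CSV rather than a screen capture. This is an added PowerShell example, not code from the original post or from ManageEngine; it uses Microsoft's ActiveDirectory module, and the OU path, record folder and parameter names are assumptions to replace with your own.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    # Assumed values: point these at your own secured OU and an existing record folder.
    [string] $SeparatedOU = 'OU=Separated Employees,DC=example,DC=com',
    [string] $RecordDir   = '.'
)

$ErrorActionPreference = 'Stop'   # any failure aborts before later steps run
$user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroupID

# 1. Record group membership before changing anything. The record is written
#    even under -WhatIf so a dry run still shows what would be removed.
$groups = @(Get-ADPrincipalGroupMembership -Identity $user)
$record = Join-Path $RecordDir ('{0}-groups-{1:yyyyMMdd-HHmmss}.csv' -f $user.SamAccountName, (Get-Date))
$groups | Select-Object Name, GroupCategory, GroupScope, DistinguishedName |
    Export-Csv -Path $record -NoTypeInformation -WhatIf:$false

if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable, remove group membership, move to separated OU')) {
    # 2. Disable first, so the account is unusable even if a later step fails.
    Disable-ADAccount -Identity $user

    # 3. Remove group membership. The primary group (normally Domain Users)
    #    cannot be removed from a user, so it is excluded by SID.
    $primarySid = '{0}-{1}' -f $user.SID.AccountDomainSid.Value, $user.PrimaryGroupID
    $removable  = @($groups | Where-Object { $_.SID.Value -ne $primarySid })
    if ($removable.Count -gt 0) {
        Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $removable -Confirm:$false
    }

    # 4. Move last; the GUID stays valid although the distinguished name changes.
    Move-ADObject -Identity $user.ObjectGUID -TargetPath $SeparatedOU
}

# Return the path of the membership record for the offboarding ticket.
$record
```

Run it with `-WhatIf` first to produce the membership record without modifying the account.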
- Log on to ADSelfService Plus as a Super Admin.
- Access the Technicians option under the Configuration tab, then the Administrative Tools. From there, select the Advanced button to display the screen in Figure 1.
Figure 1. Advanced options for configuring technicians.
For the Select the Role drop-down box, select Operator and then check the “Allow technician to disenroll users from ‘Enrolled Users’ report” box.
To disenroll users, the technician can follow these steps:
- Click the Reports tab > Enrollment Report > Enrolled Users Report.
- Search for the respective user, then check the box next to their name.
- Click the Disenroll button at the top of the report.
Note: Once a user has been disenrolled, they can still log in to the ADSelfService Plus portal. However, to reset their password or unlock their account through ADSelfService Plus, they’ll need to enroll again.
Freeing up licenses for all products is a key monetary consideration for all separated employees’ user accounts.
If you currently do not have ADSelfService Plus and want to test it out, you can download it here. Keep in mind that our Password Expiration Notification feature is free for unlimited users!
Any limited to user based on OU.
Might not be a bad idea to add a brief mention of how the technician would actually go about disenrolling a user.
Thanks for the feedback, Essam. Those steps have been added to the blog.