Suspending a user
- Launch Active Directory Users and Computers
- Right-click the user you wish to suspend and choose Suspend
- Select the desired Policy Workflow options
  Note: For more information on User Suspend Policies, see the next section.
- Click Submit
- When prompted to view the Suspension Report, click No
Locating an object after suspension
Because objects can be moved during the suspension process, you may find it difficult at times to locate a suspended object. The Active Directory Users and Computers console does not automatically refresh the items being displayed, even when you change between OUs. It is therefore important to remember to manually refresh the screen when viewing an OU to which suspended users were moved. Active Directory Users and Computers also provides a Find command that will allow you to locate the object by name.
To Refresh the List of Objects shown in Active Directory Users and Computers
- Press [F5]
  -or-
- Right-click the screen and choose Refresh
Using Find to locate a hard to find User or Group
- From the Access menu choose Find
- Type the name of the object and click Find Now
- Right-click the object and choose View Suspension Report
User suspension policies
To define suspension policy settings:
- Launch Active Directory Users and Computers
- Right-click the user you wish to suspend and choose Suspend
- The Suspend Object window with the suspension policy settings will be displayed.
Prevent logon policy
This policy is designed to prevent the account from being used for authentication. It is recommended that you set the password to a random value so that if the account is re-enabled it will remain unusable until and unless an administrator resets the password to a known value.
Update attribute(s) policy
The properties of user accounts, such as telephone number, user name, password, etc., are known as attributes. Because attributes can be used to grant group memberships or to assign Microsoft Claims, it is a good idea to clear or set the value of the user attributes according to your organization's requirements.
Adding or editing attributes to be updated during suspend
- Click Add if the object attribute is not already on the list
  -or-
  select an attribute on the list and click Edit
- Click Browse and select the attribute you wish to update during Suspension
- Click Clear Attribute to have the policy remove any values present during the suspension
  -or-
  Click Set to specific value if you wish to set a value during the suspension. The Set to specified value field supports text you enter as well as the use of data tokens. (For information on Data tokens, see the next section.)
Data tokens
Data tokens can be used to insert the user name of the person who initiated the suspend operation or the current date and time when an object is suspended. The three primary tokens are initiator, date, and object.
- $initiator - returns the initiator's logon name (DOMAIN\Username)
- $date("format"[,culture]) - returns the current date in the given format
  Example: $date("U") or $date("HH:mm:ss.ffffzzz",en-US)
- $object.AttributeValue(ldapAttrName) - returns the string value of the named attribute of the target object
  Example: $object.AttributeValue(i)
Relocate object policy
This policy determines the final location of the object after it is suspended. Most organizations create an OU where suspended or inactive accounts are stored so that they are separated from active user accounts. Keep in mind that the Active Directory Users and Computers console does not automatically refresh the contents of an OU after the first time the OU is viewed. It may be necessary to refresh the target OU after a suspend operation has completed in order to see the objects that were relocated.
Remove memberships in groups policy
This policy records and then clears the user's group memberships. The recorded list of group memberships is used during Undo Suspend to add the user back into the original groups of which the user was a member.
In some environments that use Unix, Linux or Mac connectivity software, the user's primary group may have been changed. To ensure that the primary group does not provide unintended access to these systems, setting the primary group to Domain Users is recommended.
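As an added illustration of what the Prevent logon, Relocate object and Remove memberships in groups policies amount to at the directory level, the PowerShell below performs the same changes with the Microsoft ActiveDirectory module (RSAT). It is not Cayosoft's code and does not reproduce the product's own record format: the `Invoke-UserSuspend` name, the `$SuspendedOU` and `$RecordPath` parameters and the JSON record it writes are assumptions made for this example. It deliberately handles the primary-group case from the note above, because a user cannot be removed from the group that is currently its primary group.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Cayosoft's code): the directory changes behind the user
# suspension policies, with a JSON record written so that they can be undone.

function New-RandomPassword {
    # 32 random bytes, Base64-encoded: 44 characters of mixed case, digits and
    # symbols, which satisfies the default domain complexity policy.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Invoke-UserSuspend {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$SuspendedOU,   # assumed, e.g. 'OU=Suspended,DC=example,DC=com'
        [Parameter(Mandatory)][string]$RecordPath     # assumed folder for the undo record
    )
    $user         = Get-ADUser -Identity $SamAccountName -Properties memberOf, primaryGroupID
    $domainSid    = (Get-ADDomain).DomainSID.Value
    $domainUsers  = Get-ADGroup -Identity "$domainSid-513"   # 513 is the well-known RID of Domain Users
    $primaryGroup = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

    # Record everything Undo Suspend needs before anything is changed.
    $record = [pscustomobject]@{
        ObjectGuid     = $user.ObjectGUID.ToString()
        OriginalOU     = $user.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
        MemberOf       = @($user.memberOf)          # explicit memberships; the primary group is not listed here
        PrimaryGroupDN = $primaryGroup.DistinguishedName
        PrimaryGroupID = $user.primaryGroupID
        SuspendedBy    = "$env:USERDOMAIN\$env:USERNAME"
        SuspendedAt    = (Get-Date).ToString('o')
    }
    $recordFile = Join-Path $RecordPath "$($record.ObjectGuid).json"
    $record | ConvertTo-Json | Set-Content -Path $recordFile -Encoding UTF8

    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Suspend')) { return $recordFile }

    # Prevent logon: with a random password, re-enabling alone does not make the account usable.
    $pw = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $pw
    Disable-ADAccount -Identity $user

    # Remove memberships. A user cannot be removed from its primary group, so the primary
    # group is first reset to Domain Users (the user must already be a member of the new
    # primary group); AD then turns the old primary group into an explicit membership.
    if ($user.primaryGroupID -ne 513) {
        if ($user.memberOf -notcontains $domainUsers.DistinguishedName) {
            Add-ADGroupMember -Identity $domainUsers -Members $user
        }
        Set-ADUser -Identity $user -Replace @{ primaryGroupID = 513 }
    }
    $current = (Get-ADUser -Identity $user -Properties memberOf).memberOf
    foreach ($groupDn in $current) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # Relocate last: the $user object still carries the pre-move distinguished name.
    Move-ADObject -Identity $user -TargetPath $SuspendedOU
    return $recordFile
}

# Usage against a test domain (preview only):
# Invoke-UserSuspend -SamAccountName jdoe -SuspendedOU 'OU=Suspended,DC=example,DC=com' -RecordPath C:\SuspendRecords -WhatIf
```

The record is written before any change is made, so a failure part-way through still leaves enough information to restore the account by hand. Run the function with `-WhatIf` first; the `ShouldProcess` gate stops before the first modification.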
Object retention policy (requires Cayosoft Policy Manager™)
This policy sets a value on the user account object that can be read by the Cayosoft Policy Manager, so that the Policy Manager knows when to permanently delete the object from Active Directory. Deletion can occur after the configured number of days or on a specific date.
Report storage
This policy determines the location of the data that is stored for creating Suspension Reports as well as for undoing suspend operations. The suspend data is very small (in most cases only a few KB), so storing the data in AD is the recommended approach. As an alternative, you can store the data locally or on a share.
If you wish to store an HTML version of the Suspend Report during the suspend operation, you can choose the local location or share by selecting the Store HTML reports in folder option. In most cases, this is not necessary because the data is stored in AD and a report can be generated by right-clicking a suspended object and choosing View Suspend Report.
Restoring a suspended user (Undo Suspend)
- Locate the object to be restored:
  - If you know the location of the object, you can browse to the Organizational Unit (OU) that contains the object and then select the object.
  - If you are unsure where the object is located, you can use the Find command in the Action menu or on the Active Directory Users and Computers toolbar. Once you have located the object, select it.
- Right-click the object and choose Undo Suspend
- Set the user's password options that meet the desired requirements
- Select where the Undo Report data is to be stored (Store Undo Suspend data in AD is the recommended choice)
- Click Submit
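The following PowerShell is an added example of the reverse operation, built on the Microsoft ActiveDirectory module; it is not Cayosoft's Undo Suspend and does not read the product's stored data. It assumes a JSON record with the fields `ObjectGuid`, `OriginalOU`, `MemberOf`, `PrimaryGroupDN` and `PrimaryGroupID` was written at suspend time (the `Undo-UserSuspend` name and the record layout are assumptions for this example). The administrator supplies the known password that the "password options" step above refers to.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Cayosoft's code): reversing a suspension from an assumed JSON
# record { ObjectGuid, OriginalOU, MemberOf, PrimaryGroupDN, PrimaryGroupID }.

function Undo-UserSuspend {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$RecordFile,                        # assumed record written at suspend time
        [Parameter(Mandatory)][System.Security.SecureString]$NewPassword  # a value the administrator knows
    )
    $record = Get-Content -Path $RecordFile -Raw | ConvertFrom-Json
    # The GUID survives the move to the suspended OU, so look the object up by it, not by DN.
    $user = Get-ADUser -Identity $record.ObjectGuid -Properties memberOf
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Undo Suspend')) { return }

    # Put the explicit memberships back, skipping any that already exist
    # (Add-ADGroupMember fails for a principal that is already a member).
    foreach ($groupDn in @($record.MemberOf)) {
        if ($user.memberOf -notcontains $groupDn) {
            Add-ADGroupMember -Identity $groupDn -Members $user
        }
    }

    # Restore the original primary group: membership first, then the primaryGroupID switch.
    if ([int]$record.PrimaryGroupID -ne 513) {
        $now = (Get-ADUser -Identity $user -Properties memberOf).memberOf
        if ($now -notcontains $record.PrimaryGroupDN) {
            Add-ADGroupMember -Identity $record.PrimaryGroupDN -Members $user
        }
        Set-ADUser -Identity $user -Replace @{ primaryGroupID = [int]$record.PrimaryGroupID }
    }

    # Re-enable with a password the administrator knows and force a change at next logon,
    # so the random value set during suspension is never what the user ends up with.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $user

    # Move back last, so the $user object's distinguished name stays valid until here.
    Move-ADObject -Identity $user -TargetPath $record.OriginalOU
}

# Usage:
# Undo-UserSuspend -RecordFile 'C:\SuspendRecords\<guid>.json' -NewPassword (Read-Host -AsSecureString 'New password')
```

Group membership is restored before the account is enabled, so there is no window in which the account can log on with fewer or more rights than it had before the suspension.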
Suspend a group
- Launch the Active Directory Users and Computers snap-in
- Right-click the group you wish to suspend and choose Suspend
- Select the desired Policy Workflow options
  Note: For more information on Group Suspend Policies, see the next section.
- Click Submit
- When prompted to view the Suspension Report, click Yes or No depending on the current requirements. The suspend report for this group will remain available.
Group object suspension policies
Prevent group use policy
This policy prevents the group from being used for security or distribution list operations. It relies on the fact that when you convert a security group into a distribution group, the group SID is no longer put into the user's token during authentication, so the group is not considered during security decisions. This policy may also hide the group from the Microsoft Exchange Global Address List, preventing it from being used as a distribution group as well.
Update attribute(s) policy
The properties of directory objects, such as telephone number, user name, password, etc., are known as attributes. Because attributes can be used to grant group memberships or to assign Microsoft Claims, it is a good idea to clear or set the value of the attributes according to your organization's requirements.
Adding or editing attributes to be updated during suspend
- Click Add if the object attribute is not already on the list
  -or-
  select an attribute on the list and click Edit
- Click Browse and select the attribute you wish to update during Suspension
- Click Clear Attribute to have the policy remove any values present during the suspension
  -or-
  Click Set to specific value if you wish to set a value during the suspension. The Set to specified value field supports text you enter as well as the use of data tokens. (For information on Data tokens, see the next section.)
Data tokens
Data tokens can be used to insert the user name of the person who initiated the suspend operation or the current date and time when an object is suspended. The three primary tokens are initiator, date, and object.
- $initiator - returns the initiator's logon name (DOMAIN\Username)
- $date("format"[,culture]) - returns the current date in the given format
  Example: $date("U") or $date("HH:mm:ss.ffffzzz",en-US)
- $object.AttributeValue(ldapAttrName) - returns the string value of the named attribute of the target object
  Example: $object.AttributeValue(i)
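To make the token syntax concrete for both the user and the group Data tokens sections, here is an added PowerShell function that expands the three documented tokens in a template string. It is an illustration written for this page, not Cayosoft's parser, and the product's exact parsing rules may differ; the function name `Expand-SuspendTokens`, its parameters and the sample attribute values are assumptions. The date formats and culture names are passed to .NET's `DateTime.ToString`, which is what the documented examples (`"U"`, `"HH:mm:ss.ffffzzz"`, `en-US`) look like.

```powershell
# Added example (not Cayosoft's code): expand $initiator, $date("format"[,culture])
# and $object.AttributeValue(ldapAttrName) in a template string.

function Expand-SuspendTokens {
    param(
        [Parameter(Mandatory)][string]$Template,
        # ldapAttrName -> value, e.g. built from (Get-ADUser x -Properties *); hashtable keys are
        # case-insensitive, which matches how LDAP attribute names are usually written.
        [Parameter(Mandatory)][hashtable]$ObjectAttributes,
        [string]$Initiator = "$env:USERDOMAIN\$env:USERNAME",
        [datetime]$Now = (Get-Date)
    )
    $result = $Template

    # $date("format"[,culture]): a quoted .NET format string with an optional culture name.
    # Without a culture the invariant culture is used, so output does not vary per workstation.
    foreach ($m in [regex]::Matches($Template, '\$date\("([^"]*)"(?:\s*,\s*([\w-]+))?\)')) {
        $culture = if ($m.Groups[2].Success) {
            [cultureinfo]::GetCultureInfo($m.Groups[2].Value)
        } else {
            [cultureinfo]::InvariantCulture
        }
        $result = $result.Replace($m.Value, $Now.ToString($m.Groups[1].Value, $culture))
    }

    # $object.AttributeValue(ldapAttrName): a missing attribute expands to an empty string
    # rather than leaving the token text behind in the directory.
    foreach ($m in [regex]::Matches($Template, '\$object\.AttributeValue\(([\w-]+)\)')) {
        $name  = $m.Groups[1].Value
        $value = if ($ObjectAttributes.ContainsKey($name)) { [string]$ObjectAttributes[$name] } else { '' }
        $result = $result.Replace($m.Value, $value)
    }

    # $initiator: the logon name of whoever ran the suspend.
    return $result.Replace('$initiator', $Initiator)
}

# Constructed sample values for a demonstration run (single quotes keep the $ tokens literal):
$sampleAttributes = @{ sAMAccountName = 'jdoe'; department = 'Finance'; i = 'J' }
Expand-SuspendTokens `
    -Template 'Suspended by $initiator on $date("yyyy-MM-dd HH:mm",en-US); dept was $object.AttributeValue(department); initial $object.AttributeValue(i)' `
    -ObjectAttributes $sampleAttributes `
    -Initiator 'CONTOSO\admin' `
    -Now ([datetime]'2024-01-31T14:05:00')
```

Writing the initiator and timestamp into an attribute such as `description` gives anyone reviewing the object later a record of who suspended it and when, without needing the report store.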
Relocate object policy
This policy determines the final location of the object after it is suspended. Most organizations create an OU where suspended or inactive accounts are stored so that they are separated from active user accounts. Keep in mind that the Active Directory Users and Computers console does not automatically refresh the contents of an OU after the first time the OU is viewed. It may be necessary to refresh the target OU after a suspend operation has completed in order to see the objects that were relocated.
Remove members of this group
This policy records and then clears the members of this group.
Remove Memberships in Groups
This policy records then clears the list of other groups into which this group has been given nested memberships. The recorded list of where the group was nested is used during Undo Suspend to nest the group back into the original groups of which the group was a member.
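As an added illustration of the Prevent group use, Remove members of this group and Remove Memberships in Groups policies, the PowerShell below makes the same directory changes with the Microsoft ActiveDirectory module. It is not Cayosoft's code and does not reproduce the product's record format; the `Invoke-GroupSuspend` name, the `$RecordPath` parameter and the JSON record are assumptions for this example. The GAL step uses the `msExchHideFromAddressLists` attribute, which only exists when the schema has been extended by Exchange, so it is wrapped so that a plain AD forest does not abort the suspension.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Cayosoft's code): the directory changes behind the group
# suspension policies, recorded to a JSON file so that they can be reversed.

function Invoke-GroupSuspend {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$RecordPath   # assumed folder for the undo record
    )
    $group = Get-ADGroup -Identity $GroupName -Properties member, memberOf

    # Record the state needed by Undo Suspend before changing anything. 'member' lists explicit
    # members only: users whose primary group this is are not stored there and are untouched.
    $record = [pscustomobject]@{
        ObjectGuid    = $group.ObjectGUID.ToString()
        GroupCategory = [string]$group.GroupCategory
        Members       = @($group.member)
        MemberOf      = @($group.memberOf)     # groups this group is nested in
        SuspendedBy   = "$env:USERDOMAIN\$env:USERNAME"
        SuspendedAt   = (Get-Date).ToString('o')
    }
    $recordFile = Join-Path $RecordPath "$($record.ObjectGuid).json"
    $record | ConvertTo-Json | Set-Content -Path $recordFile -Encoding UTF8
    if (-not $PSCmdlet.ShouldProcess($group.DistinguishedName, 'Suspend group')) { return $recordFile }

    # Prevent group use: as a distribution group the SID no longer enters logon tokens, so ACLs
    # that reference it stop matching even though the group object itself still exists.
    if ($group.GroupCategory -eq 'Security') {
        Set-ADGroup -Identity $group -GroupCategory Distribution
    }

    # Hide from the Exchange Global Address List; the attribute is absent without the Exchange schema.
    try {
        Set-ADGroup -Identity $group -Replace @{ msExchHideFromAddressLists = $true } -ErrorAction Stop
    } catch {
        Write-Warning "msExchHideFromAddressLists not set (Exchange schema missing?): $_"
    }

    # Remove members of this group, then remove this group from the groups it is nested in.
    if ($record.Members.Count -gt 0) {
        Remove-ADGroupMember -Identity $group -Members $record.Members -Confirm:$false
    }
    foreach ($parentDn in $record.MemberOf) {
        Remove-ADGroupMember -Identity $parentDn -Members $group -Confirm:$false
    }
    return $recordFile
}

# Usage against a test domain (preview only):
# Invoke-GroupSuspend -GroupName 'Finance-Share-RW' -RecordPath C:\SuspendRecords -WhatIf
```

Converting the category rather than deleting the group keeps the SID in the directory, so access-control entries that still reference it can be found and cleaned up later instead of becoming unresolvable entries.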
Object retention policy (requires Cayosoft Policy Manager™)
This policy sets a value on the group object that can be read by Cayosoft Policy Manager, so that Policy Manager knows when to permanently delete the object from Active Directory. Deletion can occur after the configured number of days or on a specific date.
Report storage policy
This policy determines the location of the data that is stored for creating Suspension Reports as well as for undoing suspend operations. The suspend data is very small (in most cases only a few KB), so storing the data in AD is the recommended approach. As an alternative, you can store the data locally or on a share.
If you wish to store an HTML version of the Suspend Report during the suspend operation, you can choose the local location or a share by selecting the Store HTML reports in folder option. In most cases, this is not necessary because the data is stored in AD and a report can be generated by right-clicking a suspended object and choosing View Suspend Report.
Restoring a group (Undo Suspend)
- Locate the object to be restored:
  - If you know the location of the object, you can browse to the Organizational Unit (OU) that contains the object and then select the object.
  - If you are unsure where the object is located, you can use the Find command in the Action menu or on the Active Directory Users and Computers toolbar. Once you have located the object, select it.
- Right-click the object and choose Undo Suspend
- Select where the Undo Report data is to be stored. (Store Undo Suspend data in AD is the recommended choice.)
- Click Submit
Viewing suspension reports
Immediately after you suspend a user or group, you are presented with a dialog box asking whether you would like to view a report that details the actions taken during the suspension. Choosing Yes launches the default web browser and displays the Suspension Report.
Viewing suspension reports for objects previously suspended
- Right-click the object on which you wish to report
- From the context menu choose View Suspend Report
Locating an object on which you wish to report
Because objects can be moved during the suspension process, you may find it difficult to locate a suspended object. The Active Directory Users and Computers console provides a Find option that will allow you to locate the object by name.
Using Find to locate a hard to find User or Group
- From the Access menu choose Find
- Type the name of the object and click Find Now
- Right-click the object and choose View Suspension Report