(Legacy) Suspending User Account
IMPORTANT: Starting with version 10.3, the Suspend Tool was migrated to the Cayosoft Administrator Service with significantly improved functionality. All default suspend configuration settings are now in the Administrator Console in the new Suspend Configurations node.
More important than hybrid user account provisioning is hybrid account deprovisioning.
Incidents such as the Target and OPM security breaches prove that mistakes made with user deprovisioning can be catastrophic. Cayosoft Administrator also provides hybrid account deprovisioning to secure the account either permanently or temporarily, immediately or at a specific date.
Cayosoft Suspend Policies
Active Directory Suspend Policy
Create a Suspend Policy
Install Cayosoft Suspend on the computer where Cayosoft Administrator is installed.
Open the Active Directory Users and Computers snap-in.
Right click a test account and choose Suspend from the menu.
Set the options you would like to use as defaults when a suspension is initiated from Cayosoft Administrator.
Click Export Settings at the top right.
Click the Create Settings file.
Use the name USER_CayosoftSuspendDefaultSettings.xml.
Click Save.
Click Close.
Click Submit to suspend a user.
When prompted to review the suspend report, click Yes.
Verify the policy performed the tasks as needed.
Close the Suspend Report.
Continue to the next section to create the Undo Suspend process.
Create an Undo Suspend Policy
Locate the test account that was suspended in the previous section.
Right click a test account and choose Undo Suspend from the menu.
Set the options you would like to use as defaults when undoing a suspension is initiated from Cayosoft Administrator.
Click Export Settings at the top right.
Select the Create Settings file.
Use the name USER_UNDO_CayosoftSuspendDefaultSettings.xml
Click Save.
Click Close.
Click Submit to undo suspend the user.
When prompted to review the suspend report, click Yes.
Verify the policy performed the tasks as needed.
Close the Suspend Report.
Continue to the next section to create the Undo Suspend process.
Configure Account Suspension Policies
In the Cayosoft Administrator console, navigate to the Cayosoft Suspend Policies expandable section in the Active Directory extension.
Click Select to the right of the Default user suspend policy field.
Select the USER_CayosoftSuspendDefaultSettings.xml file you created above.
Click Open.
Click Select to the right of the Default user undo-suspend policy field.
Office 365 User Suspend Policy
Configure the Office 365 Suspend Policy
In the Cayosoft Administrator Console, navigate to Suspend | Office 365 user.
Configure the policy as needed.
Click Save.
Simultaneously suspending AD & Office 365 users in the Cayosoft Web Portal
Users can be suspended using several methods: manually in the Active Directory Users and Computers (ADUC) console, manually using the Web Portal, or automatically in the Cayosoft Administrator console using Rules & Runbooks.
When manually suspending users in the Web Portal, you need to configure the Suspend Action to suspend both the Active Directory User and then the associated Office 365 User.
Configure Suspend to Suspend Office 365 Users after Suspending an AD User
In the Cayosoft Administrator console, navigate to the Suspend User Web Action.
Set the Suspend related Office 365 User option to YES.
Click Save Changes.
Optionally, you can specify the date and time of suspension. For details, see Configuration of scheduled suspend and undo Suspend rules.
Rule: Text File | Suspend AD Users
This rule will query the specified text file data source, which is in comma separated value (CSV) format, then, using the Anchor attribute, locate and Suspend user accounts according to the Action Section settings.
CSV files can be created in Microsoft Excel and saved as a CSV file or using Notepad. (Under Query, select Import CSV File then click Edit. Select the file containing the users to be created.) The Query's source text file requires the following CSV (comma separated value) format:
FirstName,LastName,Initials,Description,Department,Title,Office,EmployeeType,OfficePhone,Mo eeNumber,Company
Adam,Arturo,AA,New York Accounting Demo User,Accounting,Accountant,New York,FT,1-212-555-0272,,3890,OrderByThumb Inc.
Add the Text File | Suspend AD Users Rule to a Runbook
Select or create a new runbook.
In the Sequence section, click New Rule.
Complete the wizard.
| Setting name | Description |
|---|---|
| Action section | |
| Select Data Source | Specifies the text file to be imported. The […] button allows the user to browse for the file, and the Create/Edit button creates the file or allows editing of it in the Cayosoft Administrator data source editor. |
| Limit Scope to this Domain or OU | This setting determines the effective scope of where in Active Directory the Rule can search for and Suspend accounts. |
| Data Source Anchor attribute | Defines the column in the data source that will be used to find an existing user account. This value is compared to the Active Directory Anchor Attribute to determine an exact match. |
| Active Directory Anchor attribute | Defines the attribute in AD to which the data source anchor attribute is to be compared. NOTE: If the Active Directory attribute you wish to use as the Active Directory Anchor attribute is not displayed, you can enter the LDAP name of the attribute in the field. The attribute must be flagged as searchable (https://msdn.microsoft.com/en-us/library/ms679765(v=vs.85).aspx) within Active Directory. To determine if the attribute is flagged as searchable you can use ADSI Edit to view the Schema Objects container and examine the attribute’s searchFlags property. |
| Action Section | |
| Default suspend settings | This setting specifies the Active Directory Suspend Policy file that determines the steps to be performed on the user being suspended. If this value is left blank, generic suspend settings will be applied. |
| Suspend Related Office 365 user | When this option is set to YES, the Office 365 Suspend User Rule will run immediately after the Text file \| Suspend User rule. |
Selection button – this button will open a dialog that will allow you to select a CSV file. Typically, this button allows selecting a specific field from the file.
Create and/or Edit button – this button will allow you to either create a new text file or edit the file you already specified.
Preview Button – this button will display a preview of the data retrieved by the Query section.
NOTE: For efficiency, only the first 300 objects are returned by the preview.
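A pre-flight check for the rule's CSV data source, added here as an example (it is not Cayosoft code): because the rule suspends whichever account exactly matches the anchor value, it flags rows whose anchor is blank, duplicated, padded with whitespace, or contains characters that have special meaning in LDAP filters. The EmployeeID column, the sample rows and the function name are assumptions made for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample, not from the original page. "EmployeeID" is a
# hypothetical anchor column chosen for this example.
SAMPLE_CSV = """FirstName,LastName,Department,EmployeeID
Adam,Arturo,Accounting,3890
Beth,Brown,Sales,
Carl,Cruz,Sales,4102
Dana,Diaz,IT,4102
Evan,Ely,IT, 4200
Fay,Fox,HR,42*
"""

# Characters with special meaning in an LDAP search filter (RFC 4515).
LDAP_FILTER_SPECIALS = set("*()\\\x00")


def check_suspend_csv(text, anchor_column):
    """Return (line_number, problem) pairs for the anchor column."""
    reader = csv.DictReader(io.StringIO(text))
    if anchor_column not in (reader.fieldnames or []):
        return [(1, f"anchor column {anchor_column!r} missing from header")]

    # line_num is the physical line just read, so the first data row is 2.
    rows = [(reader.line_num, row) for row in reader]
    counts = Counter((row[anchor_column] or "").strip() for _, row in rows)
    problems = []
    for line, row in rows:
        raw = row[anchor_column] or ""   # short rows yield None
        value = raw.strip()
        if not value:
            problems.append((line, "blank anchor value"))
            continue
        if raw != value:
            problems.append((line, "whitespace around anchor value"))
        if counts[value] > 1:
            problems.append((line, f"duplicate anchor value {value!r}"))
        if LDAP_FILTER_SPECIALS & set(value):
            problems.append((line, "LDAP filter metacharacter in anchor value"))
    return problems


if __name__ == "__main__":
    for line, problem in check_suspend_csv(SAMPLE_CSV, "EmployeeID"):
        print(f"line {line}: {problem}")
```

An empty result means every row carries one clean, unique anchor value; any finding is worth resolving before the file is attached to a runbook that suspends accounts.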
Rule: Import SQL Data | Suspend AD Users
This rule will query the specified SQL Table or View in the Data Source, then using the Anchor attribute locate and Suspend user accounts according to the Action Section settings.
Add Import SQL Data | Suspend AD Users Rule to Runbook
Select or create a new runbook.
In the Sequence section, click New Rule.
Complete the wizard.
| Setting name | Description |
|---|---|
| Query Section | |
| Limit Scope to this Domain or OU | This setting determines the effective scope of where in Active Directory the Rule can search for and Suspend accounts. |
| Data Source Anchor attribute | Defines the column in the data source that will be used to find an existing user account. This value is compared to the Active Directory Anchor Attribute to determine an exact match. |
| Active Directory Anchor attribute | Defines the attribute in AD to which the data source anchor attribute is to be compared. NOTE: If the Active Directory attribute you wish to use as the Active Directory Anchor attribute is not displayed, you can enter the LDAP name of the attribute in the field. The attribute must be flagged as searchable (https://msdn.microsoft.com/en-us/library/ms679765(v=vs.85).aspx) within Active Directory. To determine if the attribute is flagged as searchable you can use ADSI Edit to view the Schema Objects container and examine the attribute’s searchFlags property. |
| SQL Instance | The name of the SQL Instance as defined in the Utils Extension SQL Server configuration. Using the Default SQL Instance setting will retrieve the current setting from the SQL Connection settings of the UTILS extension. |
| SQL Database Name | Allows for the selection of a specific database from selected SQL Instance. Using the Default SQL Database setting will retrieve the current setting from the SQL Connection settings of the UTILS extension. |
| SQL Table | Allows for the selection of a specific Table or View from the selected database. Click the Selector button to display a list of tables from which to choose. |
| SQL Credentials | Allows for the entry of a specific database from the data source SQL Instance. Click the Selector button to enter SQL Credentials. NOTE: Windows Authentication cannot be used to access a Microsoft SQL Server database. The account must be a Mixed Mode or SQL Account. |
| More Options | |
| Where Clause | Defines a where statement in the SQL query sent to the data source to limit the rows returned by SQL Server. |
| Filter Data | Allows for the simple creation of a post-query filter to remove additional rows of data from the data returned by the data source. |
| Return These SQL Columns | Defines the columns returned by the data source. NOTE: For performance reasons, it is recommended that only the essential columns be returned from the data source. |
| Action Section | |
| Default suspend settings | This setting specifies the Active Directory Suspend Policy file that determines the steps to be performed on the user being suspended. If this value is left blank, generic suspend settings will be applied. |
| Suspend Related Office 365 user | When this option is set to YES, the Office 365 Suspend User Rule will run immediately after the Text file \| Suspend User rule. |
Selection button – this button will open a dialog that will allow you to select a CSV file. Typically, this button allows selecting a specific field from the data file.
Preview Button – this button will display a preview of the data retrieved by the Query section.
NOTE: For efficiency, only the first 300 objects are returned by the preview.
Additional User Deprovisioning Rules
AD Users | Enforce Object Retention (Deletes Suspended Users after Retention Period)
AD Users | Process Scheduled Suspends
AD Users | Suspend Expired AD Users
AD Users Inactive | Suspend Accounts
Microsoft 365 Users | Revoke Deleted User’s assigned licenses
Microsoft 365 Users | Revoke Disabled Users Licenses