LDAP sync - Leavers

[dwalby]

Hi all,

Whilst viewing our users list within Hornbill the other day I noticed there're lots of users who've left the organisation still showing. Is it good practice to remove these and will it have any detrimental effect on previous requests/data? Is there a way to automate the removal of accounts that are disabled within AD or moved to a different OU?

Thanks in advance

[samwoo]

Hi @dwalby,

Leavers are very important to us.

We have a Leaver Process in Hornbill whcih goes through all the usual steps and one of the tasks in Hornbill is to move the Leavers into an "Archived" OU by the Officer. We then use LDAP_Import to update these users from this OU from Active to Archived and remove all of their Job Roles. They then remain on the system but not selectable in order to keep historical records intact.

There are probably many ways to automate this process... But i've jotted down a few that I can think of.

1. Read Hornbill using an API and update Active Directory / Hornbill. In my case I would use Powershell to do all of this.
2. Use Microsoft System Center Orchestrator iBridge
3. Keep the current process of manually moving users into the Archived OU but automate everything else using LDAP_Import and Powershell. For example adding in the ticket number someone in the AD Account then using Powershell to read from that and update the ticket accordingly.

I've not set any automation up yet, but we are looking to head down this route eventually, possibly using Microsoft System Center Orcehstrator if we can find out more about it... but I am keen to know what experience other users have on this matter, as is @dwalby too i am guessing.

Thanks,

Samuel