Automatic deletion of obsolete users
Users who no longer need access, for example because they have left the organization and have been removed from all authorized Active Directory groups, should be removed from Snow License Manager as well. Instead of removing such users manually, they can be automatically detected and deleted.
When automatic deletion is activated, the process is executed daily. The process works as follows:
- Once a day, the Active Directory groups are synchronized with the Snow License Manager user accounts. The time of day is configurable (the default value is 01:00 AM). During the synchronization, the process checks whether any users have been removed from the Active Directory groups. If so, the corresponding roles are removed from the Snow License Manager user accounts.
- If all roles are removed from a Snow License Manager user account, it is placed in quarantine for a configurable number of days (the default value is 7 days).
- If no action has been registered on the Snow License Manager user account during the quarantine period, it is deleted when the quarantine period ends.
If a quarantined Snow License Manager user belongs to an Active Directory group that is also a defined role in Snow License Manager, but the role has not yet been added to the user, the Snow License Manager user account will not be deleted. The group will be added the next time the user signs in to Snow License Manager.
Activate and configure automatic deletion of users
To activate the function, an Active Directory account with service account credentials is required. The service account is used to read existing Active Directory users and their groups and perform the cleanup of user groups in Snow License Manager.
To activate the automatic deletion of users that no longer belong to an authorized Active Directory group:
- On your Snow License Manager application server, open C:\Program Files\Snow Software\Snow License Manager\Web\web.config.
- Configure the following settings in the <appSettings> section:
Note: The ADServiceAccountName is the [domain]\[sAMAccountName] or the User Principal Name (UPN).
<add key="UseWindowsAuthentication" value="true" />
<add key="LDAPUrl" value="[FQDN]" />
<add key="ADServiceAccountName" value="[The name of the Active Directory service account]" />
<add key="ADServiceAccountPassword" value="[The password for the Active Directory service account]" />
The automatic deletion is now activated with the default values for the time of execution and the number of days for the quarantine period.
To change the time of day the process runs and the number of days a user is placed in quarantine before the account is deleted:
- On your Snow License Manager application server, go to C:\Program Files\Snow Software\Snow License Manager\Services\Maintenance and open the appsettings.json file.
- Configure the following fields in the <ADSystemUsersCleanup> section:
"DailyScheduleAt": "01:00",
"StalePeriodDays": 7
The other fields in the section should be left blank.
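A read-only check of the two files configured above, as an added example that is not Snow Software code: it confirms the four appSettings keys are set without printing the password, flags broad read access to web.config (which holds the service account password as a plain value), and validates the two cleanup fields. It assumes ADSystemUsersCleanup is a top-level object in appsettings.json and that DailyScheduleAt uses 24-hour HH:mm; the list of "broad" principals is this example's choice.

```powershell
# Added example (not vendor code): read-only audit of the two files named on this page.
$root        = 'C:\Program Files\Snow Software\Snow License Manager'
$webConfig   = Join-Path $root 'Web\web.config'
$appSettings = Join-Path $root 'Services\Maintenance\appsettings.json'

# 1. The four appSettings keys must exist and be non-empty. The password is never echoed.
[xml]$xml = Get-Content -LiteralPath $webConfig -Raw
$required = 'UseWindowsAuthentication', 'LDAPUrl', 'ADServiceAccountName', 'ADServiceAccountPassword'
foreach ($key in $required) {
    $node = $xml.configuration.appSettings.add | Where-Object { $_.key -eq $key } | Select-Object -First 1
    if (-not $node) { $state = 'MISSING' }
    elseif ([string]::IsNullOrWhiteSpace($node.GetAttribute('value'))) { $state = 'EMPTY' }
    elseif ($key -eq 'ADServiceAccountPassword') { $state = 'set (value not shown)' }
    else { $state = $node.GetAttribute('value') }
    '{0,-26} {1}' -f $key, $state
}

# 2. web.config stores the service account password in clear text, so list any
#    Allow rule for a broad principal. SIDs are used so the check is locale-independent.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules = (Get-Acl -LiteralPath $webConfig).GetAccessRules($true, $true, $sidType)
foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value
    if ($rule.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
        'WARNING: {0} has {1} on web.config' -f $broad[$sid], $rule.FileSystemRights
    }
}

# 3. Report the schedule and quarantine length that the cleanup will actually use.
#    Assumption: the section is a top-level property of appsettings.json.
$cleanup = (Get-Content -LiteralPath $appSettings -Raw | ConvertFrom-Json).ADSystemUsersCleanup
if (-not $cleanup) {
    'ADSystemUsersCleanup section not found at the top level of appsettings.json'
} else {
    $time = [string]$cleanup.DailyScheduleAt
    $days = [string]$cleanup.StalePeriodDays
    if ($time -notmatch '^([01]\d|2[0-3]):[0-5]\d$') { "WARNING: DailyScheduleAt '$time' is not HH:mm" }
    if ($days -notmatch '^\d+$') { "WARNING: StalePeriodDays '$days' is not a whole number" }
    'Cleanup runs daily at {0}; quarantine lasts {1} day(s)' -f $time, $days
}
```

Run it in an elevated PowerShell session on the application server; it only reads the files and their ACL.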