Deleting or Changing User Information in Active Directory

Included in this article:

  1. About Active Directory
  2. Making changes to a user's information
  3. Deleting or blocking a user
  4. Where to find blocked users

 

1 - About Active Directory

Active Directory is a tool organisations use to manage employee information. It typically has a manager within the business whose task it is to keep it correct and up to date; this is most likely your point of contact for changes and updates to users.

If your organisation runs Active Directory and its groups and users meet your business needs, synchronising with Claromentis system groups makes perfect sense, as it reduces maintenance and complexity. It saves you having to recreate users and structures within Claromentis, and with regular synchronisations user data will be kept in line with the most up-to-date information stored in AD.

 

2 - Making changes to a user's information

In general, changes to any fields on a user in AD that are set to sync to Claromentis will update those fields on the Claromentis user account during the next directory sync. 

The one case to keep in mind is when you need to change both the sAMAccountName and the DistinguishedName (DN) of a user in AD who is synced to Claromentis.

Usernames for LDAP users in Claromentis are always in NT4 format using their AD sAMAccountName field. An example of a username in this format would be NETBIOSNAME\some_user.

If a user's sAMAccountName is changed in AD, it will no longer match an existing account username in Claromentis, so Claromentis will try to match the user against their DN instead. This is done so that the sAMAccountName/Claromentis username can be changed without a new account being created unnecessarily.

If we find an existing user account with that DN, we update the username to the new sAMAccountName.

If the DN of a user changes and their sAMAccountName remains the same during a sync, then we update the DN on that user as we would with any other field we were syncing from AD. 

If both the sAMAccountName and DN are changed for a user at the same time in a single sync, then Claromentis will not be able to match against an existing user. In this case, the user will be considered new and a new account will be created in Claromentis. The old account will be marked as blocked/inactive. 

If you need to change both the DN and the sAMAccountName of a user, and don't want it treated as a new account in Claromentis, we recommend either changing one at a time with a sync in between (it's possible to trigger a sync manually via the people admin panel), or manually updating the user's username in Claromentis first so that only the DN needs to be synced.
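The matching rules above can be modelled in a few lines. This is an added illustration, not Claromentis code: the names `Account`, `sync` and `NETBIOS` are hypothetical, the sample values are constructed, and exact string comparison of usernames and DNs is an assumption.

```python
# Added illustration: a simplified model of the matching rules described above.
# Not Claromentis code; Account, sync and NETBIOS are hypothetical names.
from dataclasses import dataclass

NETBIOS = "EXAMPLE"  # constructed NetBIOS domain name


@dataclass
class Account:
    username: str  # NT4 format: NETBIOSNAME\sAMAccountName
    dn: str
    blocked: bool = False


def sync(accounts, ad_users):
    """Run one sync over ad_users, a list of (sAMAccountName, DN) pairs.

    Mutates accounts in place and returns a log of what changed.
    Assumption: names and DNs are compared as exact strings.
    """
    by_username = {a.username: a for a in accounts}
    by_dn = {a.dn: a for a in accounts}
    seen, log = [], []
    for sam, dn in ad_users:
        username = f"{NETBIOS}\\{sam}"
        acct = by_username.get(username)
        if acct is not None:                       # username still matches
            if acct.dn != dn:
                acct.dn = dn                       # DN synced like any field
                log.append(f"dn-updated {username}")
        elif (acct := by_dn.get(dn)) is not None:  # fall back to the DN
            log.append(f"renamed {acct.username} -> {username}")
            acct.username = username
        else:                                      # neither key matches
            acct = Account(username, dn)
            accounts.append(acct)
            log.append(f"created {username}")
        acct.blocked = False                       # in the sync, so active
        seen.append(acct)
    for acct in accounts:
        if not acct.blocked and not any(acct is s for s in seen):
            acct.blocked = True                    # no longer in the sync
            log.append(f"blocked {acct.username}")
    return log
```

A "created" entry paired with a "blocked" entry in the same run is the pattern produced when both attributes were changed at once.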

 

3 - Blocking a user

To block a user, you will need to remove them from the syncing groups in AD first. The next time a sync is run, the user in Claromentis will be blocked.

If the account is no longer needed, you can manually delete the user in Claromentis. When you do so, the system will ask you to assign their data, or any ownership of documents/folders, to another individual.

Alternatively, the account can be left blocked, as the user cannot log in and it's not taking up a user license space. If the user ever returns, they can simply be added back into your sync for the account to be made active once more.

If you manually block the user in Claromentis first, you will find them activated again when the next sync is run, as Active Directory will have pulled them across once more.

Changes must take place in AD first, then on the next sync this will be reflected in the Intranet.


 

 

4 - Where to find blocked users

You will need to navigate to Applications > Admin > People.

Using the filter drop-down, you will need to select 'All including blocked'.

 

Created on 10 October 2019 by Hannah Door. Last modified on 6 December 2023
