How to Delete User Accounts
For IBM Security Directory accounts, deleting the account means that it is disabled and no one can log in using those account credentials. For Active Directory/LDAP user accounts, deleting them from the Admin Portal only removes them from the Users page. People can still use those account credentials to log in to Privileged Access Service. You must use Active Directory Users and Computers to truly disable the account.
To delete multiple users with one command:
- Log in to Admin Portal.
- Click Access > Users.
- Select the relevant accounts.
- Click Delete from the Actions menu.
- Click Yes to confirm.
Deleting Active Directory/LDAP User Accounts
Active Directory/LDAP user accounts should be deleted from both Admin Portal and Active Directory/LDAP to avoid confusion.
When you delete Active Directory/LDAP user accounts in Admin Portal, the account records are deleted from Privileged Access Service, but they are unchanged in Active Directory. These users can still log in to Privileged Access Service using the same Active Directory/LDAP accounts.
When you delete Active Directory/LDAP user accounts in Active Directory/LDAP, those user accounts remain on the Users page in Admin Portal but they can no longer access IBM Security Connector. For the connector to detect a user account deletion performed in Active Directory and update the Users page in Admin Portal, each IBM Security Connector must have permission to read the deleted objects container in Active Directory. You can provide the necessary permission by running the following commands on each connector.
- If you do not have the necessary permissions to change the permissions of the deleted objects container, first take ownership of it by running this command:
  dsacls "CN=Deleted Objects,DC=<EXAMPLE>,DC=<COM>" /takeownership
- The following command grants the IBM Security Connector's machine account (<EXAMPLE>\<MACHINENAME>$) permission to read the deleted objects container in Active Directory. LCRP stands for List Contents and Read Property, and /I:T applies the entry to the container and its sub-objects:
  dsacls "CN=Deleted Objects,DC=<EXAMPLE>,DC=<COM>" /user:administrator@<EXAMPLE.COM> /passwd:* /g <EXAMPLE>\<MACHINENAME>$:LCRP /I:T
- Deleting an LDAP Directory Service invalidates all of the users associated with that LDAP. You cannot repair this by creating a new LDAP Directory Service with the same connection parameters, as the new Directory Service will be considered a different Directory Service regardless of the connection parameters. All user-specific elements must be re-created; this includes OATH tokens, user security questions, and role memberships, among other things.
- If an LDAP Directory Service is deleted, the users associated with that Directory Service are not automatically removed. They must be removed manually from the Admin Portal.
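Two of the points above are easy to miss in practice: deleting an Active Directory/LDAP user in Admin Portal leaves the Active Directory account enabled, and the connector only detects AD-side deletions once its machine account can read the Deleted Objects container. The following PowerShell script is an added example, not part of the IBM documentation or the product, that checks both on a connector host. It assumes a domain-joined Windows machine with the RSAT ActiveDirectory module and dsacls.exe, an account allowed to disable users and read the container's ACL, and the English dsacls output layout. The user name (jdoe) and connector machine account (CONNECTOR01$) are placeholders.

```powershell
# Added example; not taken from the IBM documentation this page belongs to.
# Assumes a domain-joined Windows host with the RSAT ActiveDirectory module
# and dsacls.exe, run by an account allowed to disable users and read ACLs.
# All identities below are placeholders to be replaced with your own.
Import-Module ActiveDirectory

$UserSam      = 'jdoe'          # placeholder: user already deleted in Admin Portal
$ConnectorSam = 'CONNECTOR01$'  # placeholder: connector computer account

$domain    = Get-ADDomain
$DeletedDN = "CN=Deleted Objects,$($domain.DistinguishedName)"
$Trustee   = "$($domain.NetBIOSName)\$ConnectorSam"

# 1. Deleting the user in Admin Portal does not touch Active Directory, so the
#    account stays enabled until it is disabled here (ADUC or PowerShell).
$user = Get-ADUser -Identity $UserSam -Properties Enabled
if ($user.Enabled) {
    Write-Output "$UserSam is still enabled in AD after portal deletion; disabling"
    Disable-ADAccount -Identity $user
}
$user = Get-ADUser -Identity $UserSam -Properties Enabled
if ($user.Enabled) { throw "$UserSam could not be disabled in Active Directory" }
Write-Output "$UserSam is disabled in Active Directory"

# 2. Verify the connector's machine account can read the Deleted Objects
#    container. LCRP in the dsacls grant stands for List Contents and
#    Read Property; FULL CONTROL also covers both.
#    Parsing assumes the English dsacls output layout:
#      Allow <trustee>   SPECIAL ACCESS
#                        LIST CONTENTS
#                        READ PROPERTY
$rights  = @()
$inEntry = $false
foreach ($line in (& dsacls.exe $DeletedDN 2>&1 | ForEach-Object { "$_" })) {
    if ($line -match '^(Allow|Deny)\s+(\S.*?)\s{2,}(.*)$') {
        # New ACE; remember whether it is an Allow entry for the connector account
        $inEntry = ($matches[1] -eq 'Allow' -and $matches[2] -eq $Trustee)
        if ($inEntry) { $rights += $matches[3].Trim() }
    }
    elseif ($inEntry -and $line -match '^\s+(\S.*)$') {
        # Indented continuation lines list the individual rights of that ACE
        $rights += $matches[1].Trim()
    }
}

$canRead = (
    ($rights -contains 'FULL CONTROL') -or
    (($rights -contains 'LIST CONTENTS') -and ($rights -contains 'READ PROPERTY'))
)

if ($canRead) {
    Write-Output "$Trustee can read $DeletedDN; AD-side deletions will reach the Users page"
} else {
    Write-Output "$Trustee lacks LCRP on $DeletedDN; run the dsacls grant on this connector"
    Write-Output "Rights found: $($rights -join ', ')"
}
```

Run it on each connector host after removing the user from the Users page. Step 1 is the PowerShell equivalent of disabling the account in Active Directory Users and Computers; step 2 reads the same ACL that the dsacls grant above modifies, so a "lacks LCRP" result means deletions made in Active Directory will not be reflected in Admin Portal until the grant is applied. On systems with localized dsacls output the Allow/Deny and rights strings differ and the parsing must be adjusted.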