Active Directory Automatic User Management

Overview

When Active Directory (AD) Sync is run with the "User status mirrors Active Directory (Automatic)" option, it creates groups and users in Verify Privilege Vault to mirror the organization's configured AD groups and users. A Verify Privilege Vault user is created or enabled for every enabled AD user in the selected groups.

Thus, every enabled AD user in every synced group consumes a Verify Privilege Vault license, whether or not they use Verify Privilege Vault. As a result, an organization can end up paying for far more Verify Privilege Vault licenses than it needs.

AD Automatic User Management addresses this issue by automatically disabling the accounts of users who have not logged in to Verify Privilege Vault in a specified number of months. This saves unnecessary licensing costs as inactive users do not count against the number of user licenses required by Verify Privilege Vault.

You can configure the setting on the Edit Active Directory Configuration page. See Configuring Active Directory. There is a checkbox to enable or disable the feature and a textbox to set the number of months before a user is auto-disabled. The default is three, but you can set it from one to 12.

Newly added users remain enabled until the first synchronization after the configured number of months has passed. When a user whose account has been disabled by this feature attempts to log in, their account is automatically enabled, provided there are licenses available.

Examples

Example One

  1. Maria joined the company today.

  2. The next AD synchronization creates a Verify Privilege Vault account for Maria.

  3. Maria never logs in to Verify Privilege Vault because she does not need it for her job.

  4. Once the defined number of months have passed, the next AD synchronization disables Maria's Verify Privilege Vault account.

  5. The Verify Privilege Vault license used by Maria's account becomes available for use.

Example Two

This example pertains only to users who have never logged in to Verify Privilege Vault and whose account was disabled (never enabled). It does not apply to previously enabled users who have been disabled due to inactivity.

  1. Joe gets added to Verify Privilege Vault but never logs in.

  2. The defined number of months later, Automatic User Management disables his account, freeing his license.

  3. Joe gets promoted to a job that requires Verify Privilege Vault.

  4. Joe logs into Verify Privilege Vault.

  5. His account is automatically re-enabled, and he now takes up a license.

  6. Joe gets demoted to his old job, which does not require Verify Privilege Vault.

  7. A defined number of months later, Automatic User Management disables his account, and the license is freed up once again.

  8. Joe has no idea any of this has happened—the automated process is hidden from him.

Example Three

  1. Rupert logs in to Verify Privilege Vault several times per month.

  2. The defined number of months for Automatic User Management to disable his account is never reached.

  3. Rupert's account stays current and his license remains his. The entire process is invisible to Rupert.
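The lifecycle described on this page can be modelled in a few lines to predict which accounts a given synchronization will disable and when a login can reclaim a license. This is an added example, not Verify Privilege Vault code; the `Vault` and `User` classes and `add_months` are hypothetical names. It assumes that calendar months are used, that a user who has never logged in is measured from account creation (as in Example One), and that license limits are checked only at login.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

def add_months(d: date, months: int) -> date:
    # Calendar-month arithmetic (assumption); clamps the day, e.g. Nov 30 + 3 -> Feb 28.
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class User:
    name: str
    created: date
    last_login: Optional[date] = None
    enabled: bool = True

class Vault:
    def __init__(self, licenses: int, months: int = 3):  # page: default 3, range 1-12
        if not 1 <= months <= 12:
            raise ValueError("months must be between 1 and 12")
        self.licenses, self.months, self.users = licenses, months, {}

    def in_use(self) -> int:
        return sum(u.enabled for u in self.users.values())  # only enabled users count

    def sync(self, today: date, ad_users: list) -> list:
        """Create accounts for new AD users, then disable inactive ones; returns names disabled."""
        for name in ad_users:
            self.users.setdefault(name, User(name, created=today))
        disabled = []
        for u in self.users.values():
            reference = u.last_login or u.created  # assumption: never logged in counts from creation
            if u.enabled and today >= add_months(reference, self.months):
                u.enabled = False
                disabled.append(u.name)
        return disabled

    def login(self, name: str, today: date) -> bool:
        u = self.users[name]
        if not u.enabled:
            if self.in_use() >= self.licenses:
                return False  # no free license: the account stays disabled
            u.enabled = True  # automatic re-enable on a login attempt
        u.last_login = today
        return True

if __name__ == "__main__":  # constructed timeline following Example Two
    v = Vault(licenses=1, months=3)
    v.sync(date(2024, 1, 10), ["joe"])
    print(v.sync(date(2024, 4, 10), ["joe"]), v.in_use())  # first disable, license freed
    print(v.login("joe", date(2024, 6, 1)), v.in_use())    # login re-enables the account
    print(v.sync(date(2024, 9, 1), ["joe"]), v.in_use())   # inactive again, disabled again
```
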