Active Directory: Disabled/Locked Out Users

How Disabled/Locked Out Users in Active Directory Are Handled

Applies to: Userify Enterprise when configured with Active Directory and LDAP

Both the locked-out and the disabled flag are temporary conditions on an Active Directory user account, unlike removing the account entirely, which is permanent. Userify responds to both in essentially the same way, because Userify respects the user permissions set in Active Directory.

Locked Out User Accounts

When any user account is locked out (Active Directory internally marks this with a timestamp) or disabled (Active Directory marks this with a bit in a bitmask) in your Active Directory-compatible enterprise directory service, Userify automatically disables the user in the associated Userify account. (Userify keeps its flag in sync with Active Directory and automatically unsets it when the account is returned to normal status.)
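As an added illustration (not Userify's own code), the check below shows how the two markers described above are read from an LDAP user entry: the ACCOUNTDISABLE bit (0x2) of the userAccountControl bitmask, and a non-zero lockoutTime (a Windows FILETIME timestamp) compared against the domain's lockoutDuration, because Active Directory does not reset lockoutTime by itself when the lockout window expires. The user entries, timestamps and the 30-minute lockout duration are constructed for the example; a real sync would fetch these attributes over LDAP.

```python
from datetime import datetime, timedelta, timezone

# Bit that Active Directory sets in userAccountControl when an account is disabled.
ACCOUNTDISABLE = 0x0002

# Windows FILETIME epoch: 1601-01-01 UTC, counted in 100-nanosecond intervals.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer (100 ns ticks) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_disabled(user_account_control):
    """Disabled accounts carry the ACCOUNTDISABLE bit in userAccountControl."""
    return bool(int(user_account_control) & ACCOUNTDISABLE)


def is_locked_out(lockout_time, lockout_duration, now):
    """lockoutTime is 0 when the account was never locked or has been unlocked
    by an administrator.  A non-zero value is only a lockout if the domain's
    lockoutDuration (a negative 100 ns interval; 0 = locked until an admin
    unlocks) has not yet elapsed, since AD leaves the stale timestamp in place."""
    lockout_time = int(lockout_time or 0)
    if lockout_time == 0:
        return False
    duration = int(lockout_duration or 0)
    if duration == 0:
        return True  # never expires on its own
    expires = filetime_to_datetime(lockout_time) + timedelta(microseconds=(-duration) // 10)
    return now < expires


def should_block(entry, lockout_duration, now):
    """Mirror the rule on this page: disabled and locked-out are handled alike.
    Returns the reason ("disabled" or "locked-out") or None if access is normal."""
    if is_disabled(entry.get("userAccountControl", 0)):
        return "disabled"
    if is_locked_out(entry.get("lockoutTime", 0), lockout_duration, now):
        return "locked-out"
    return None


# Constructed sample data (hypothetical users and a fixed "now").
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = -18_000_000_000  # 30 minutes, as AD stores it (negative 100 ns ticks)

SAMPLE_ENTRIES = {
    "alice": {"userAccountControl": 512, "lockoutTime": 0},    # NORMAL_ACCOUNT, never locked
    "bob":   {"userAccountControl": 514, "lockoutTime": 0},    # 512 | ACCOUNTDISABLE
    "carol": {"userAccountControl": 512,                       # locked 10 minutes ago
              "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=10))},
    "dave":  {"userAccountControl": 512,                       # stale lockout from 45 minutes ago
              "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=45))},
}


def evaluate_all(entries=SAMPLE_ENTRIES, lockout_duration=LOCKOUT_DURATION, now=NOW):
    """Map each sAMAccountName to the reason it should be blocked, or None."""
    return {name: should_block(entry, lockout_duration, now) for name, entry in entries.items()}


if __name__ == "__main__":
    for name, reason in evaluate_all().items():
        print(f"{name}: {reason or 'active'}")
```

Note that the stale entry for "dave" is reported as active: the lockout window has passed even though lockoutTime is still non-zero, which is why a sync that only tested lockoutTime != 0 would keep the user removed from servers longer than Active Directory itself does.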

Disabled User Accounts

As with locked-out users, a disabled user’s account is still visible and can be managed by company administrators in the Userify dashboard, and permissions can be granted or revoked just as when the account is fully functioning. However, exactly as with locked-out users, the user is immediately removed from all Linux/UNIX servers across all companies and is not re-deployed to any Linux server/instance until the issue is resolved in the AD cluster.

Disabled and locked out user accounts are treated the same:

  • The user is removed from all servers/instances, including home directories (restorable).
  • The user cannot log into any servers/instances.
  • Any scripts or daemons owned by that user are terminated.

When re-enabled (un-disabled or unlocked), server user accounts and access are restored (including home directories) across all servers/instances that the user has access to.

Re-enabling Access

The user should receive a message that their account is being blocked by Active Directory when they attempt to log into Userify, but ultimately the situation must be resolved in the Active Directory service. (Depending on the Active Directory server load and the number of users, it may take up to 10 minutes for the updated permission to cascade from Active Directory to Userify and on to the end servers.)

To resolve in Active Directory, right click on the user account and choose Enable, or allow the user to reset their password to remove the locked-out status.

If the user attempts to log into a Linux server during this time period, the login will be rejected, and no other message is given. (This is because the user account doesn’t exist on the Linux server at all; the home directory is retained and the user will have the home directory restored when the temporary locked-out situation is resolved.)