I would like to be able to automatically sync WindchillDS with our Enterprise LDAP. We had this behavior with Windchill 9.1, but it seems to be missing in Windchill 10.2. We have a tool that runs each night and disables users who have been inactive for more than 60 days. By "disabling" I mean that the application updates the record in our Enterprise LDAP to change the display name to include "- Disabled", changes their email to include ".inactive" at the end (so they won't get additional emails), and locks the account so that the user cannot log back in until they get an admin to reset their account. We also have an interactive tool that the account admins use to lock a user out when they have left the company. It does the same updates as the nightly tool. We do this as a means of knowing which users are active Windchill users and which are not and to monitor the license usage. In V9.1, the update in Windchill was automatic and very quick. A user account would be updated in the disabling tool and moments later Windchill would reflect the "-Disabled" in the full name. In V10.2, a user has to log in before any LDAP changes get reflected in Windchill (according to the PTC support tech I talked to). Since the user account is locked, this is will never happen. The account admins also use the LDAP tool to reactivate users who have been disabled/deactivated. Until the user logs in, their information in Windchill still shows them as "Disabled".
I'd like to have this syncing up between Windchill and the LDAP to happen without a user logging in, in other words, automatically.