We have had a few TC sessions around active users in Windchill the past couple of years. In our case we do not want to delete the user, as it is not uncommon for someone to change roles temporarily beform coming back. So to mark a user account as Inactive we currently update the username in Windchill which disconnects the Windchill account from the AD and prevents them from authenticating.
Unless I imagined it I believe that here is actually a document/recommended practice for doing this. It goes something like:
1) Rename user to “xxxxusername”
2) Add user to group “yyyy”
I have been led to believe that if you use the correct group name then that prevents the users from showing up in some of the UI screens which is why I am researching this.
Assuming for the minute that I did not dream this, does anyone know where I can find that document? I have tried tech support on this, but so far I am drawing a blank.
Failing getting any documentation, can anyone tell me what should be used for xxxx and yyyy above?
Thanks in advance,
Maybe you should have a look to this:
<< ProE WF5 - PDMLink 10.1 M040>>
We are not truly integrated with AD, we actually manage the user accounts in Windchill but connect to AD to validate the password. By updating the username in Windchill it no longer matches AD and the user cannot authenticate.
In Reply to Ben Perry:
How do you update the username if you're connected to AD? Do you set the property in the adapter as .windchill.config.readOnly=false to make Windchill think you can update the username in the AD?
Thanks this was what I was looking for.
In Reply to Tom Uminn:
Found it! "Windchill FlexPLM, and Arbortext Content Manager Usage Assessment Program Instructions" It's part of the download (or at least used to be) on this page: http://support.ptc.com/support/usageassessments/windchill. Here is the relevant section:
Deactivating Users (1) to Reduce the Number of Required Licenses
First, determine which of your Inactive Users can be deactivated. PTC provides a free downloadable tool that will analyze your web server logs to report on Windchill usage by user, so that you can identify Enabled Users that are no longer Active Users. See the instructions below for running this tool.
Second, if deactivating a user for the first time, create a group called "Deactivated Users" so that the Deactivated Users can be easily tracked. If the group already exists, skip to the third step.
Third, log into Windchill using the site administrator account (typically named wcadmin). Browse to the Site Utilities page and launch the Principal Administrator. Click on the "Users" link in the upper left corner to get to the user administration page. Click on the "Add Existing Users to Table" icon in the upper right. Search and select the user accounts that you wish to deactivate. Multiple accounts may be selected by clicking on the checkboxes to the left of each user in the search results table. Press the "OK" button on the search dialog to return to the user administration page. Click on the "Update User" icon next to the account you wish to deactivate. Change the user's full name to a string that will sort alphabetically to the end of a list, and will obviously denote a deactivated user. For example, for a user named "John Doe", we recommend using something like "xxx_Deactivated_JohnDoe". This is important so that other users will recognize that the account has been deactivated and, for example, will know not to assign tasks to that user. Change the user's password so that they can no longer access your Windchill system.
Fourth, click on the "Groups" tab at the top of the "Update User" dialog. Click on the "Add Existing Groups to Table" icon. Search for the "Deactivated Users" group. Select the group by clicking the checkbox to the left of the group in the search results table, then press the "OK" button. Press the "OK" button in the "Update User" dialog.
It is also possible to delete an account in Windchill. An account may be deleted by clicking the action to "disable" or to "delete" the account from the Principal Administrator user interface.
Despite the name, "deletion" does not, in fact, completely delete the user account from the database because true deletion would cause you to lose that user's history. Good configuration management practices dictate that events are recorded and identified by actual user, regardless of whether the user currently has access to the system.
However, PTC does not recommend deletion because deleting an account makes it impossible to reactivate that account. If that user returns to your employment, having to assign such user a new account will be inefficient and could be misleading since one user would then have two identities within the system. Also, deleting a user makes it much more difficult to reassign such a user's tasks. Deletion is generally only appropriate when the administrator makes an error in creating the account in the first place, and the account has not yet been used.
I also do not like changing the name of the user. I have a simple report that shows the user and the last time they logged in. The report shows both the old name and the new name as separate lines.