Community Tip - Visit the PTCooler (the community lounge) to get to know your fellow community members and check out some of Dale's Friday Humor posts! X
Hello
the goal is to avoid user access in Windchill (or a list of users) without deleting or damaging the user itself (considering he/she can be reactivated in the future).
Some articles provided by PTC support did not work in our environment
https://www.ptc.com/en/support/article?n=CS145660
https://www.ptc.com/en/support/article?n=CS71201
The next one didn't work because the Windchill user credentials are synchronized with Active Directory / LDAP:
https://www.ptc.com/en/support/article/CS102243
Because all of this, now I'm asking to the ptc Community.
Thanks and Reg
@madami
I created a Group that isn't a member of any Product (context), restricted that Group's access. I move folks in and out of that. If Windchill DS is used, I change their password also. Active directory, I can't do that.
It looks like you tried that, but with no success?
James
Windchill 11.0
Hi,
in fact I didn't do that exactly, but user credentials are synchronized with LDAP / Active Directory.
I was trying to find a solution inside Windchill application, without changing any other network configuration.
Some people from internal IT Infrastructure suggested to create a particular Group at AD and somehow saying to Windchill that only this group sync access credentials with AD; the issue for that is to understand the configuration to do that in Windchill.
Thanks anyway for your response.
Miguel
@madami
Actually I do use this method with Active Directory. The "Deactivated Users" Group restricts access and when/if the IT dept removes members of them from the network Active Directory group, they are disconnected from Windchill.
So it looks like this. Our old Windchill DS users remain as xxx[Deactivated]. No access and a name change.
Active Directory Users are placed in this group (restricting their access to all Products/contexts) then over time the IT Dept removes them from the Active Directory group in Outlook. This can take a few days, but until then, even if they got into Windchill, they have no access. - James
If this is Windchill 11.1+, just remove these users from all license profiles. If they aren't associated with a profile, they can't access anything in Windchill.
To disable login of a group of users prior to Windchill licensing, use the deactivated users group technique to exclude them from license audits. https://www.ptc.com/en/support/article/CS167448
Since the users are managed in ADS, use an LDAP filter group on your Apache ADS provider. https://www.ptc.com/en/support/article/CS152247 (steps #2 and #3 only, not #1 or #4)
To 'disable' a user, add them to the deactivated users group in Windchill and remove them from the 'Windchill Users' group in ADS. This will exclude them from license audits and prevent them from logging into Windchill. When they come back, add them to the filter group again and remove them from the disabled users group.
Note: They will still be available for participant searches, role membership, etc. Additional steps are necessary for account cleanup.
These directions will be evaluated, thanks