Showing results for 
Search instead for 
Did you mean: 
Showing results for 
Search instead for 
Did you mean: 

Removal of Users from Windchill


Removal of Users from Windchill

Is it common pratice to remove users from windchill when they leave the company? Will this remove their name from the work that was done?

Kyle Tabor

Windchill 9.1 M020


PTC says do not remove users, but to put them in a "deleted users"
group. We've been removing them. What happens is that the user account
is deleted but the user object entry still exists (changed to some name
(deleted)). You will see that persons name next to their work but with
that deleted note. We have had users who come and gone many times from
the company. We recreate a new user for them each time. Either way is
fine in my book but I think it messes up PTC's audit scripts.

5-Regular Member

We found that when you remove a user, you can no longer search for the data they have created or modified. This really becomes an issue when users leave the company and return expecting to find the data they had been previously working on. We decided that for users that have created or modified data and for users that have been assigned tasks, we would remove them from all groups and add them to a "Disabled Users" group. We also add "(Disabled)" at the end of their Full Name.

For users that were basically "Read Only", we remove their account.


Our practice is to change the full name of a user who left the company to
append "(Inactive)" and delete that user's e-mail.

We then remove that user's ID from all group and role memberships.

The result is a user ID, and a name for historical reference purposes that
clearly states that the user is now inactive.

For example, assume that my user id is d12345, my full name is Anderson,
Al X., and my e-mail is

Iif I were to leave the company, then in Windchill / PDMLink, my account
would become...

For clarification, is everyone referring to removing the user from Windchill, LDAP, or both?
We have yet to deploy Windchill and intend to use our corporate LDAP: Microsoft Active Directory (AD).
When people leave the company, the username is deleted in AD.
My original intent was to leave the user in Windchill, and remove them from all groups.
Will this impact searches and reports?

Secondly, sometimes users (such as contractors) return and are given their original username.
Will I need to do anything to re-affiliate the new (yet identically-named) username with the existing Windchill user?
Can this be done at all?



We don't use AD but there is some talk about doing it.

As of right now though I don't even change the name. It messes up any reports for us. As an example: a user that was entered into our system had an extra character in their last name. I changed the name of that person. Later on when I ran one of our reports it listed that user separately. So there is an entry for the old spelling AND the new spelling.

All I did in the past is remove them from any current groups and add them to a Deactivated group. Although removing their email address sounds like a good idea too.

Steve G

Versus deleteing a user at all it is better to add an entry to aphelion or windchill directory server. This entry shall have a password set to it the original user it represents could never guess. If SSO is enabled on your system, the user cannot log in anyway if configured in the typical fashion. Now, all you need to do is find the wtuser entry oracle primary key ida2a2 and look for it in remoteobjectinfo and or remoteobjectid depending on windchill version. The distinguished name for this user can be updated to point to your newly created ldap entry that A.) No one can log into. And B.) Doesn't cause data contagion issues and you avoid the user (deleted) gunk when looking at items this user worked on and with.

Should they ever come back update the distinguished name to point back to correct ldap repository and user distinguished name.

As an admin once you do this once or twice you can do it in your sleep. Meanwhile you system shows no odd behavior because someone moved on.

I probably need to create a tutorial for this, but there is no reason to delete a user ever.

Sent from my Verizon Wireless BlackBerry


In fact PTC also recommends not to delete users. See


Tony, thanks for sharing.

This does not take into account corporate IT policies which may result in disconnected users. One of the reasons folks opt for delete. I think I should throw together a powerpoint detailing steps on how to take a user associated to a corporate directory server (LDAP) and update the database to keep your user "recognizable" by Windchill. You might say it auguments the documentation provided in the usage assessment docs you reference.

The key things here are upon deletion a user is marked disabled, their object identifer is altered, etc. and their distinguished name is removed from the database table remoteobjectinfo or remoteobjectid (9.x)

Creating a new entry in Aphelion and or Windchill directory Server with the same login I'd and then updating the entry in the database for the user's DN allows things to run smoothly.

I couldn't help but notice the confidential markings on the PTC documents the usage assessment linkrovides. 😉

Also keep in mind folks Windchill does audit logins indpendent of server logs using database table LastAuditEvent in 8.0 and earlier and 9.x this got moved to the AuditRecord table (which grows and grows because it doesn't work exactly like LastAuditEvent did. Note this is separate from the 9.x license count table.)


Sent from my Verizon Wireless BlackBerry