Undeleting a Windchill User

DarrenStorey · ‎Jan 24, 2014

To date, when a user leaves employment, their AD account is deleted and so is their windchill user. Deleted as-in “Principal Admin - delete from Windchill and directory”. In hindsight this has been a long running mistake, especially as we are now focusing on automated watermarks and business reports which are attempting to display the non-existent names of deleted users.

Is it possible to restore the user information somehow in Windchill? For example if a user was created in WDS representing a previous employee, could this be linked back to the corresponding WTUser?

bagul.yogesh · ‎Jan 24, 2014

Darren,

At Technical Committee meetings at PTC this week, we talked about issues arising from removing user from Windchill. PTC is considering to provide a "Deactivate" and "Reactivate" functionality for users. If you are interested and have any inputs, please let us know.

Yogesh

STEVEG · ‎Jan 24, 2014

I have only deleted two users since 2008. And the only reason is I made a mistake on one and IT changed the user name on the other.

I use PTC's recommendation of putting them in a deactivated group. I also associate that group to a No Access profile to remove everything. I don't change the password but I probably should.

Deactivate/Reactivate feature might be nice but not a big deal if it's not added...at least for me. However, I woud use it if it was added.

Steve G

DarrenStorey · ‎Jan 24, 2014

Stephen,

planning to do something very similar. I'm trying to clean the mess we made in the past as part of that change.

Regards Darren

ddemay · ‎Jan 24, 2014

Hi Yogesh - Who is overseeing this TC at PTC? I'd like to give input.

I already developed a system they can use.

I have a custom queue that monitors the system audit records and based on 90
days idles them, cannot login (using tomcat filter), and after being that
groups for 90 days, the system calculates a 180 day total and they go into
Deactivated Users. They key is never deleting the user, but making them
unable to login or capable of being reactivated.

Deactiviated Users group is set to a domain denying any access to WTObject.
Further, the user's personal cabinet and user's domain are set to a domain
that denies access to WTObject. Even if you omit the tomcat filter, they
cannot see anything in the UI.

It sends the system administrators notification if the user cannot be idled
or deactiviated until they are manually managed.

Future revisions are set to look for items they have checked out and if
there is anything in their workspaces, to handle those situations. Also, a
command line option to manually process someone who is leaving, but recently
active.

- David

DarrenStorey · ‎Jan 27, 2014

over looked this

http://www.ptc.com/cs/help/windchill_hc/wc101_hc/index.jspx?id=ParticipantAdminUserDeleteEnable&action=show

jzupfer · ‎Jan 27, 2014

Darren,

Did this help topic provide the information you needed? Is there something we could have added to make it more useful to you?

Thanks,

Jane

Jane Zupfer
VP, Enterprise Products Publications
E -

bagul.yogesh · ‎Jan 27, 2014

David,

Walid Saad from PTC is going to oversee this. We planned to have a discussion this week to hash out requirements and possible solutions. If anyone is interested, I can either invite to discussion (when I get it) or take requirements to Walid.

Yogesh Bagul

DarrenStorey · ‎Jan 29, 2014

Jane

As always a few use case examples go a long way. Had to open a support call to get more information about the full reconnect process in our particular case. Ldap users are also missing so these need to be recreated also. The following additional information was subsequently provided by the support call and it is useful, but also a little worrying. Perhaps the risks identified here could be added to the documentation?

1. Running the wt.org.EnableDisabledUserscommand will recreate the corresponding entries in WTUSER, REMOTEOBJECTINFO, REMOTEOBJECTID and OWNINGREPOSITORYLOCALOBJECT

2. If the user doesn’t exist in LDAP, no entry is created on it automatically.

3. If you create the entry in LDAP manually (directly using WDS control panel or modifying an exported ldif), the user will be able to reconnect to Windchill, and can access his old stuff.

However, there are many risks:

1. if you create a user in LDAP, but he didn’t have the exact REMOTEOBJECTID and uid in WTUSER a new entries will be then inserted in the WTUSER, REMOTEOBJECTINFO, REMOTEOBJECTID and OWNINGREPOSITORYLOCALOBJECT

2. wt.org.EnableDisabledUserscan be used but with precaution. There is some support for wildcard search in the utility but you have be careful so unwanted results are not picked up.

3.generally this is a sort of hacking the database and LDIF and need to be tested in owner risk. we don’t support officially such manipulation.

4. loadfromfile utility to load several users will not help here as it will create new entries in the Database.

jzupfer · ‎Jan 29, 2014

Thank you, Darren. We're always looking for use cases to inform the documentation, and I'm forwarding the additional information you included to the writer and product ownerso they canconsider how best to document risks and best practices.

Thanks again,

Jane