What do you do with the AD accounts of users who l...

DarrenStorey · ‎Jan 14, 2014

Like many others, we authenticate Windchill users from Active Directory. When an employee leaves the company, our IT policy is to delete their account in AD. Unsurprisingly this causes several issues in Windchill.

Does anybody else follow this practice, and if so have you implemented a process or configuration change that ensures user information persists in Windchill after the AD account is deleted.

The obvious solution is to not delete the AD accounts of leavers, rather mark them inactive.

Without digging too deeply into technical details, I would be interested to hear some pros and cons of different strategies on this topic.

Thanks Darren

bagul.yogesh · ‎Jan 14, 2014

Darren,

We dont delete user account in AD, just mark it as inactive. On the Windchill side, we dont do anything and see username(deleted) marked everywhere instead of username. With his practice, we see only one issue in reporting Change Task details which we have reported to PTC Tech Support. They are planning to fix it in future releases. What issues you encountered?

Yogesh

DarrenStorey · ‎Jan 14, 2014

Hi Yogesh

Some issues are:

We effectively loose an important part of the process audit history.

Cannot search for objects created by a user who left the company.

When the name of the user is implemented by watermarks, a republish can generate a big mess in the user field.

When the deleted user is part of an active workflow process team instance, the workflow can hang.

Regards Darren

MikeFoster · ‎Jan 14, 2014

As long as the users have not been deleted from the disconnected principals in Windchill you can perform the following procedure to convert a deleted AD user to a local WindchillDS user thereby keeping all their history intact:

Mike Foster
ATK

Technique to create a replacement user in Principal Administrator for a deleted AD user who is in disconnected principals (Windchill 9.1 M060):

1. wcadmin > Site > Utilities > Principal Administrator > Users
a. Create new user with a temporary name
b. Enter the temporary Username, First Name, Last Name, E-mail Address, and a Password (which must meet requirements)
c. Once the new user is created in Principal Administrator push the button to Delete only from Windchill (still exists in WindchillDS)
2. Open the WindchillDS control panel (on the server)
a. Directory Data > Manage Entries > o=ptc > Windchill_9.1 > AdministrativeLdap > people
b. Select the temporary Username (should be at the bottom of the list)
c. Change the User ID field from the temporary Username to the Username of the disconnected user and push the Save Changes button
3. wcadmin > Site > Utilities > Principal Administrator > Maintenance
a. Push the button Remove All from Cache (top left)
b. Locate the disconnected user in the list and click the Edit Principal button for the disconnected user
c. Search for the username of the disconnected principal > Select the user > OK
4. You can now login with the username of the disconnected principal and the password created in step 1.

bagul.yogesh · ‎Jan 14, 2014

Darren,

we did encounter #4 which was taken care by modifying business process to re-assign task(s) before putting in removal request. Rest we did not encounter.

Yogesh

patrickchin2000 · ‎Jan 14, 2014

It is commonly that most Windchill Admins don't control enterprise AD forest. I suggest if the user becomes a disconnected principal is to:

Go to Participant Administration

Create a new Windchill userwith the same userid but differnt email and password (admin) like Mike Foster mentioned but only in company.domain.Ldap

Search for disconnected principles which should appear as a list or individual if you know the AD userid

edit the disconnected participants to point to the new Ldap user.

Its like the reverse process of changing Ldap user to AD, you can delete the user in Windchill DS, then the user will become disconnected, edit the disconnected participant to point to the AD user.

If you have a chance to work with your enterprise AD administrator, just change the password and move the user to branch/org ofdiscontinued/non-companychange the password and email toWindchill administrators control.Hopefully, they don't delete users in enterprise AD.

Hopefully that helps,

Patrick

patrickchin2000 · ‎Jan 14, 2014

I forgot a couple more things:

To continue with Yogesh with reassigning and resetting assigments. Change the user's calenders for running process (non-executed task) and future task to be assigned to a different user.

this way no-watermarks or previous released drawing/documents title blocks will not be affected if the user has left the company. (i.e.PTC_created_by or PTC_modified_by)

Hope that helps,

Patrick

In Reply to Patrick Chin:

It is commonly that most Windchill Admins don't control enterprise AD forest. I suggest if the user becomes a disconnected principal is to:

Go to Participant Administration

Create a new Windchill userwith the same userid but differnt email and password (admin) like Mike Foster mentioned but only in company.domain.Ldap

Search for disconnected principles which should appear as a list or individual if you know the AD userid

edit the disconnected participants to point to the new Ldap user.

Its like the reverse process of changing Ldap user to AD, you can delete the user in Windchill DS, then the user will become disconnected, edit the disconnected participant to point to the AD user.

If you have a chance to work with your enterprise AD administrator, just change the password and move the user to branch/org ofdiscontinued/non-companychange the password and email toWindchill administrators control.Hopefully, they don't delete users in enterprise AD.

Hopefully that helps,

Patrick

DarrenStorey · ‎Jan 14, 2014

Hi Patrick/Mike

We have Windchill 10.1M040, I haven’t tested if Mike’s solution works the same as in 9.1, but I think it’s likely.

com.ricardo.EnterpriseLdap = Active Directory = AD

Are you suggesting the full process for a single leaver event is as simple as?:

1/ Delete user in AD, windchill principal becomes disconnected.

2/ Create new user in DS, with same name and user ID but different email and password.

3/ Find disconnected principal and link to new AD user created in step 2.

4/ Purge disconnected principal.

job done?….

For a leaver, changing their password and AD branch would on the surface seem like the simplest solution. However I have no influence over AD, don’t yet understand the full reasons for deleting AD accounts or the implications to the business for changing established policies. I will be asking though.

Thanks again for your responses so far.

Best regards Darren

In Reply to Patrick Chin:

It is commonly that most Windchill Admins don't control enterprise AD forest. I suggest if the user becomes a disconnected principal is to:

Go to Participant Administration

Create a new Windchill userwith the same userid but differnt email and password (admin) like Mike Foster mentioned but only in company.domain.Ldap

Search for disconnected principles which should appear as a list or individual if you know the AD userid

edit the disconnected participants to point to the new Ldap user.

Its like the reverse process of changing Ldap user to AD, you can delete the user in Windchill DS, then the user will become disconnected, edit the disconnected participant to point to the AD user.

If you have a chance to work with your enterprise AD administrator, just change the password and move the user to branch/org ofdiscontinued/non-companychange the password and email toWindchill administrators control.Hopefully, they don't delete users in enterprise AD.

Hopefully that helps,

Patrick

GaryMansell · ‎Jan 15, 2014

Patrick,

Hi, I am a colleague of Darren who submitted this topic, thanks for your input.

A query about your suggested method of moving an Enterprise LDAP user to Administrative LDAP, if I may?

If I have understood your method correctly, don't you end up with two entries in the Windchill WTUSER table both pointing at the new user Account in Administrative LDAP - and is this a problem or not?

My reasoning:

Best Regards

patrickchin2000 · ‎Jan 15, 2014

Hi Gary,

There is no purging disconnected principles/participants because what you have done is repair the disconnected principle WTUserID to point to another. Thus, the user is not deleted from Windchill but is no longer used. Since you have actual past released metadata that is linked to drawings, attributes and even watermarks that is instantly updated on a change in Windchill, it is best not to change the value of released artifacts.

It is similar to switching users from WindchillDS to the enterprise AD. The method of reparing disconnected participants prevents any lost of data in users workspaces because they are now controled and cleanned up by the Windchilll Administrators. The new passwords of the user accounts can be given to their reporting manager to be accessed and checked-in by their backup users.

Then when all their work is checked-in, just reset the password and no one can access Windchill with their accounts.

No purging of the Windchill user.

Thanks,

Patrick

In Reply to Gary Mansell:

Patrick,

Hi, I am a colleague of Darren who submitted this topic, thanks for your input.

A query about your suggested method of moving an Enterprise LDAP user to Administrative LDAP, if I may?

If I have understood your method correctly, don't you end up with two entries in the Windchill WTUSER table both pointing at the new user Account in Administrative LDAP - and is this a problem or not?

My reasoning:

Best Regards

vmcdaniel · ‎Jan 21, 2014

I found on our system 10.1 M040 the procedure was a little different. I was not able to Edit disconnected participant.

User was deleted from Enterprise AD and disconected in Windchill.

1. Create New User in ORG on directory service com.<company>.Ldap

3. Search for Disconnected User

4. "Reconnect Disconnected Participant" on user to new user (-DS)

5. Cleanup

Cheers!

DarrenStorey · ‎Jan 22, 2014

Ok I have this working now, looks like I was making a silly mistake somewhere along the line.

Create new equivalent user in WDS console
Works even if DS user ID is identical to that which was used in AD (no need to append).
Thanks to Mike Forester, Patrick Chin and Vaughn McDaniel for there help and contributions.

Darren

STEVEG · ‎Jan 22, 2014

What would happen if that user would come back to work for you? We've had that happen a few times over the years.

Steve G

DarrenStorey · ‎Jan 22, 2014

Stephen

Lets assume the user returns to employment and uses the same UID as before.

They would now be able to log into Windchill but only by using the password stored in their WDS account.
Regards

vmcdaniel · ‎Jan 22, 2014

Thanks Darren

Yeah, I was not using the WDS console, my procedure was using the Windchill ORG Participant Administrator.

Vaughn

patrickchin2000 · ‎Jan 22, 2014

You are very welcome guys. It is hard to keep up with the changing of the UIs of Windchill but the core process remains the same.

With the question if the person returns, just do the reverse by:

deleting the user in the WindchillDS people structure.

reactivate/re-create the user in AD

The user in Windchill will appear as disconnected in the Participant Administration

then follow the process based on your windchill version by "Reconnect Disconnected" or edit/repair disconnected to point to the AD userid/samaccountname/principlename.

Cleanup (wow this is new in 10.1 M040)

Sounds good.

Patrick

In Reply to Vaughn McDaniel:

Thanks Darren

Yeah, I was not using the WDS console, my procedure was using the Windchill ORG Participant Administrator.

Vaughn

What do you do with the AD accounts of users who leave employment of your company?

What do you do with the AD accounts of users who leave employment of your company?