12-Amethyst

Question

What do you do with the AD accounts of users who leave employment of your company?

Forum|Forum|12 years ago
January 14, 2014
15 replies
2947 views

Like many others, we authenticate Windchill users from Active Directory. When an employee leaves the company, our IT policy is to delete their account in AD. Unsurprisingly this causes several issues in Windchill.

Does anybody else follow this practice, and if so have you implemented a process or configuration change that ensures user information persists in Windchill after the AD account is deleted.

The obvious solution is to not delete the AD accounts of leavers, rather mark them inactive.

Without digging too deeply into technical details, I would be interested to hear some pros and cons of different strategies on this topic.

Thanks Darren

Other

B

bagul.yogesh

1-Visitor

Darren,

We dont delete user account in AD, just mark it as inactive. On the Windchill side, we dont do anything and see username(deleted) marked everywhere instead of username. With his practice, we see only one issue in reporting Change Task details which we have reported to PTC Tech Support. They are planning to fix it in future releases. What issues you encountered?

Yogesh

D

DarrenStorey

Author

12-Amethyst

Hi Yogesh

Some issues are:

We effectively loose an important part of the process audit history.

Cannot search for objects created by a user who left the company.

When the name of the user is implemented by watermarks, a republish can generate a big mess in the user field.

When the deleted user is part of an active workflow process team instance, the workflow can hang.

Regards Darren

M

MikeFoster

10-Marble

As long as the users have not been deleted from the disconnected principals in Windchill you can perform the following procedure to convert a deleted AD user to a local WindchillDS user thereby keeping all their history intact:

Mike Foster
ATK

Technique to create a replacement user in Principal Administrator for a deleted AD user who is in disconnected principals (Windchill 9.1 M060):

1. wcadmin > Site > Utilities > Principal Administrator > Users
a. Create new user with a temporary name
b. Enter the temporary Username, First Name, Last Name, E-mail Address, and a Password (which must meet requirements)
c. Once the new user is created in Principal Administrator push the button to Delete only from Windchill (still exists in WindchillDS)
2. Open the WindchillDS control panel (on the server)
a. Directory Data > Manage Entries > o=ptc > Windchill_9.1 > AdministrativeLdap > people
b. Select the temporary Username (should be at the bottom of the list)
c. Change the User ID field from the temporary Username to the Username of the disconnected user and push the Save Changes button
3. wcadmin > Site > Utilities > Principal Administrator > Maintenance
a. Push the button Remove All from Cache (top left)
b. Locate the disconnected user in the list and click the Edit Principal button for the disconnected user
c. Search for the username of the disconnected principal > Select the user > OK
4. You can now login with the username of the disconnected principal and the password created in step 1.

B

bagul.yogesh

1-Visitor

Darren,

we did encounter #4 which was taken care by modifying business process to re-assign task(s) before putting in removal request. Rest we did not encounter.

Yogesh

P

patrickchin2000

1-Visitor

It is commonly that most Windchill Admins don't control enterprise AD forest. I suggest if the user becomes a disconnected principal is to:

Go to Participant Administration

Create a new Windchill userwith the same userid but differnt email and password (admin) like Mike Foster mentioned but only in company.domain.Ldap

Search for disconnected principles which should appear as a list or individual if you know the AD userid

edit the disconnected participants to point to the new Ldap user.

Its like the reverse process of changing Ldap user to AD, you can delete the user in Windchill DS, then the user will become disconnected, edit the disconnected participant to point to the AD user.

If you have a chance to work with your enterprise AD administrator, just change the password and move the user to branch/org ofdiscontinued/non-companychange the password and email toWindchill administrators control.Hopefully, they don't delete users in enterprise AD.

Hopefully that helps,

Patrick

P

patrickchin2000

1-Visitor

I forgot a couple more things:

To continue with Yogesh with reassigning and resetting assigments. Change the user's calenders for running process (non-executed task) and future task to be assigned to a different user.

this way no-watermarks or previous released drawing/documents title blocks will not be affected if the user has left the company. (i.e.PTC_created_by or PTC_modified_by)

Hope that helps,

Patrick

In Reply to Patrick Chin:

It is commonly that most Windchill Admins don't control enterprise AD forest. I suggest if the user becomes a disconnected principal is to:

Go to Participant Administration

Create a new Windchill userwith the same userid but differnt email and password (admin) like Mike Foster mentioned but only in company.domain.Ldap

Search for disconnected principles which should appear as a list or individual if you know the AD userid

edit the disconnected participants to point to the new Ldap user.

Its like the reverse process of changing Ldap user to AD, you can delete the user in Windchill DS, then the user will become disconnected, edit the disconnected participant to point to the AD user.

If you have a chance to work with your enterprise AD administrator, just change the password and move the user to branch/org ofdiscontinued/non-companychange the password and email toWindchill administrators control.Hopefully, they don't delete users in enterprise AD.

Hopefully that helps,

Patrick

D

DarrenStorey

Author

12-Amethyst

Hi Patrick/Mike

We have Windchill 10.1M040, I haven’t tested if Mike’s solution works the same as in 9.1, but I think it’s likely.

com.ricardo.EnterpriseLdap = Active Directory = AD

Are you suggesting the full process for a single leaver event is as simple as?:

1/ Delete user in AD, windchill principal becomes disconnected.

2/ Create new user in DS, with same name and user ID but different email and password.

3/ Find disconnected principal and link to new AD user created in step 2.

4/ Purge disconnected principal.

job done?….

For a leaver, changing their password and AD branch would on the surface seem like the simplest solution. However I have no influence over AD, don’t yet understand the full reasons for deleting AD accounts or the implications to the business for changing established policies. I will be asking though.

Thanks again for your responses so far.

Best regards Darren

In Reply to Patrick Chin:

It is commonly that most Windchill Admins don't control enterprise AD forest. I suggest if the user becomes a disconnected principal is to:

Go to Participant Administration

Create a new Windchill userwith the same userid but differnt email and password (admin) like Mike Foster mentioned but only in company.domain.Ldap

Search for disconnected principles which should appear as a list or individual if you know the AD userid

edit the disconnected participants to point to the new Ldap user.

Its like the reverse process of changing Ldap user to AD, you can delete the user in Windchill DS, then the user will become disconnected, edit the disconnected participant to point to the AD user.

If you have a chance to work with your enterprise AD administrator, just change the password and move the user to branch/org ofdiscontinued/non-companychange the password and email toWindchill administrators control.Hopefully, they don't delete users in enterprise AD.

Hopefully that helps,

Patrick

G

GaryMansell

12-Amethyst

Patrick,

Hi, I am a colleague of Darren who submitted this topic, thanks for your input.

A query about your suggested method of moving an Enterprise LDAP user to Administrative LDAP, if I may?

If I have understood your method correctly, don't you end up with two entries in the Windchill WTUSER table both pointing at the new user Account in Administrative LDAP - and is this a problem or not?

My reasoning:

Best Regards

P

patrickchin2000

1-Visitor

Hi Gary,

There is no purging disconnected principles/participants because what you have done is repair the disconnected principle WTUserID to point to another. Thus, the user is not deleted from Windchill but is no longer used. Since you have actual past released metadata that is linked to drawings, attributes and even watermarks that is instantly updated on a change in Windchill, it is best not to change the value of released artifacts.

It is similar to switching users from WindchillDS to the enterprise AD. The method of reparing disconnected participants prevents any lost of data in users workspaces because they are now controled and cleanned up by the Windchilll Administrators. The new passwords of the user accounts can be given to their reporting manager to be accessed and checked-in by their backup users.

Then when all their work is checked-in, just reset the password and no one can access Windchill with their accounts.

No purging of the Windchill user.

Thanks,

Patrick

In Reply to Gary Mansell:

Patrick,

Hi, I am a colleague of Darren who submitted this topic, thanks for your input.

A query about your suggested method of moving an Enterprise LDAP user to Administrative LDAP, if I may?

If I have understood your method correctly, don't you end up with two entries in the Windchill WTUSER table both pointing at the new user Account in Administrative LDAP - and is this a problem or not?

My reasoning:

Best Regards

V

vmcdaniel

1-Visitor

I found on our system 10.1 M040 the procedure was a little different. I was not able to Edit disconnected participant.

User was deleted from Enterprise AD and disconected in Windchill.

1. Create New User in ORG on directory service com.<company>.Ldap

3. Search for Disconnected User

4. "Reconnect Disconnected Participant" on user to new user (-DS)

5. Cleanup

Cheers!

Show more replies

Sign up

Please use your PTC eSupport account.

Welcome to the PTC Community

Please use your PTC eSupport account.

Scanning file for viruses.

This file cannot be downloaded