@JoePriest 

Joe,

We have just recently (a couple weeks ago) added Active Directory to our Windchill installation.  But I am VERY interested in this converstation, so I can give you the answers I have so far below.

If you don't delete Windchill Disconnected users, what do you do with them?
Historically I've changed their password, deleted their email, renamed them to Jane Doe [Deactivated], and moved them to a Deactivated Users group that has restricted permissions.

We think that we would need to create a new Windchill DS user that we would reconnect them to.
Do you mean if they are reactivated somehow? I'm not sure what you mean here.

We would have to alter the display of the name to indicate that it's inactive.
This is something that I' don't know what happens to AD users that are disconnected.

We would also remove them from all groups which is good enough for us as we don't put individuals into profiles.
I think our Deactivated Users group would work for this. We could put them in there.

How has your process worked for you?
Before AD it's worked very well.

How is your process different?
We have contractors that we reactivated by editing their Windchill DS accounts and moving them back to the groups where they had their permissions restored.

What challenges do you have with that process?
I had to get hooked up with the HR termination process, but after that it's been fine.

We are currently on Windchill 11.0 and this licensing issue on 11.1 is not very appealing.

James

@LewisLawrence 

The main reason we have kept deactivated users in the past was because they had created CAD or other content and we wanted their names to remain on that content history. 

However you stated "nicely marked as deleted in the user interface."  Since I'm new to Active Directly, could you say more about this?  Do the Users remain on the history but appear as deleted somehow?

Also, I'm very interested in 'un-delete' also, because we have contractors that come and go from our system.

James

Deleting a user from Windchill doesn't remove all trace of them from the system.  Their entry in the WTUser table continues to exist, but they are no longer linked to an LDAP account (Windchill DS or Active Directory), they no longer have a personal cabinet (think workspaces), and they cannot participate in workflows or be a member of a group.

@TomU 

That looks really good Tom, thanks!

The names still show up in the user interface, they clearly show deleted and you can still search for them and use them in Advanced search etc. An added bonus is that they cannot receive any new tasks in the system.

The only weird thing is that upon deletion the username is changed;

"lewis" would become "{wt.org.WTUser:XXXXXXXXX}lewis" where XXXXXXXXX is the internal database ID for the user account.

This also means (I think because of the curly brackets) that to search for the user you have to use wildcards; "*lewis*" would return the account above after it has been deleted, but the full txt above would not. Only a nuisance if you need to search up the user for an advanced search or similar.

If you have a test system you could easily do some experimentation.

https://www.ptc.com/en/support/article?n=CS200852&language=en&posno=1&q=restore%20deleted%20user&source=search

Hi Lewis,

I work with Joe Priest, we're curious about the removal process/procedure you described. Are there out of the box admin tools to identify the user's workflow tasks, are you using standard search functionality, or did you develop custom reports? Have you automated this process, it seems that it will be laborious to perform on a regular basis?

With regards to not deleting users, we have found and issue where deleting the users leaves resolved tasks blank in our custom Impact Assessment within our CR process, which is not acceptable in our environment.

I am not aware of any out of the box admin tools to move tasks around, we developed a command line utility that does it. We added a role "Task Administrator" to our contexts and by default anyone in there gets added to the role for the workflow/object in place of the disconnected user, many contexts have more than one Task Administrator. The only stumbling block with using this role approach is that once a task has been "Accepted" by the user I don't believe it is possible to "Un-accept" on their behalf. Those tasks you have to re-assign and you can only re-assign a task to one person. Before we had the utility we used a report template to return all the tasks for a user, then navigated to the object and updated the roles or re-assigned tasks as needed.

There were a few reasons we started this user clean up;

• Reducing Support, we often had users following up on "lost" things
• Licensing, we only have user accounts in the system for "Active" users
• Internal Audit, our internal security teams don't like accounts living on in systems after a user has departed the organisation
• Trying to reduce the number of old workflows we have running.
  I know what we did helped with that, but it is really an ongoing issue for us and probably most Windchill customers. Issues come at upgrade time when you need to retest processes, if there are old processes running then you really need to test those execute in the new system too. We have had Windchill running since 2002, for our 10.1 upgrade back in 2013 we forced anything older than 9.1 (it was in production for a couple of years) to be completed or we killed it off. Where possible newer processes we deploy have an automatic routing of "decline/fail/end/cancel/whatever" after X days to avoid this situation going forward, but we still have an issue with old/stale running processes that I don't have a fix for.

Regards your custom impact report "losing" the user details, I suspect you need to review how you are returning the user for that report. The user object is still there, just marked as deleted and is probably being filtered somehow when you don't want that.