15-Moonstone
September 15, 2014
Question

Managing Users

  • September 15, 2014
  • 16 replies
  • 13832 views
Hi,

For the last 7+ years in Windchill Production at Alcon, we stored Users & Groups information in Windchill Active Directory. Since June 2014, we have moved to our Corporate Active Directory. I would like to know how other companies handled users who have left the company. There are a few things we have discussed internally, but I would like to know more from the user community.

Process 1:

1) User ABC left the company.

2) It becomes a disconnected principal in Windchill

3) Delete user ABC from Windchill

Process 2:

1) User ABC left the company

2) Associate user ABC with a new local user, something like ABC - Deactivated, which exists only in Windchill Active directory.

I prefer process 1 stated above. The only issue with it that I can foresee is that we cannot search on all the activity user ABC has done in Windchill before leaving.

Process 2 gives an advantage when searching on this user, because it is not disconnected anymore. However, we are altering history here. Everywhere the user is replaced with ABC - Deactivated.

Let me know how it is handled at your end.

Thanks,

Preeti

16 replies

12-Amethyst
September 15, 2014
Some clarity would be good here.

I know what "Microsoft / Windows Active Directory" is and what
"Windchill DS (Directory Services)" is.

I don't have any idea what "Windchill Active Directory" is.
15-Moonstone
September 15, 2014
Jess, yes my bad, replace Windchill Active Directory with Windchill DS 🙂

What is your recommendation on handling users who have left the company?

Thanks.
12-Amethyst
September 15, 2014
I'm a developer, not a system administrator or deployment expert, so I
don't feel I have sufficient experience to be recommending approaches here.

I just wanted to be sure that we were all just clear enough on
terminology to be sure we're talking about the same thing 🙂

1-Visitor
September 15, 2014
In my experience, people who leave the company do not get their user account deleted in AD. It gets disabled or has the password changed etc. This is due to various reasons that are external to Windchill. In Windchill, the user typically gets removed from groups and deleted.


Regards,

Stephen Vinyard
Director of Customer Success
1-Visitor
September 15, 2014
This issue is covered very well in this forum.
Bottom line is you don't delete users.
History, which is or can be very important in a CM system, is preserved.


- Disable in corporate LDAP

- Remove from all groups/roles/permissions.

- Add to site-context group "Deactivated Users". This was suggested to me by PTC. For licensing auditing, these users won't be counted.

joe bell
GSIMS Administrator
GPS Sustainment Information Management System
719-572-2890
bellj@gpssims.com
20-Turquoise
September 15, 2014
Preeti: Similar situation here except we went from WindchillDS to OpenLDAP (for the users). We keep old users forever in order to preserve the history. Not only in Windchill but in "conventional" filesystems also. We have attributes in OpenLDAP that we can filter on to prevent logging in, yet still let Windchill see the old users.

The following describes these attributes:

* gpRoleDN
  o Does the user have an active Windchill Role?
  o In other words, can they log in to their Windchill account?
  o Apache uses this as a filter to determine if the user can log in to Windchill
* gpWindchillUser
  o Is the user a "Windchill" user?
  o In other words, has the user ever had or currently has an active Windchill role?
  o OpenLDAP Windchill InfoEngine adapter uses this as a filter for finding users

In Apache we filter on the gpRoleDN attribute to determine if users can log in to Windchill. In the OpenLDAP adapter definition for Info*Engine Administration we filter on the gpWindchillUser attribute. This can prevent users from logging in; however, Windchill itself can still "see" the users. This also gives us the flexibility of locking a current user out of Windchill for whatever reason.
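
An added example, not code from the post above or from PTC: an offboarding audit over an LDIF export that applies the two filters the post describes and reports departed users who could still pass the Apache login filter or who would no longer be visible to Windchill. It assumes both filters are presence tests on gpRoleDN and gpWindchillUser; the DNs, uids and values are constructed.

```python
# Constructed LDIF export. Only the attribute names gpRoleDN and
# gpWindchillUser come from the post; DNs, uids and values are made up.
SAMPLE_LDIF = """\
dn: uid=asmith,ou=people,dc=example,dc=com
uid: asmith
gpWindchillUser: TRUE
gpRoleDN: cn=designer,ou=roles,dc=example,dc=com

dn: uid=bjones,ou=people,dc=example,dc=com
uid: bjones
gpWindchillUser: TRUE

dn: uid=cwu,ou=people,dc=example,dc=com
uid: cwu
gpRoleDN: cn=reviewer,ou=roles,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into a list of dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def classify(entry):
    """Assumption: filters are presence tests (gpRoleDN=*) / (gpWindchillUser=*)."""
    can_login = bool(entry.get("gproledn"))       # Apache login filter
    visible = bool(entry.get("gpwindchilluser"))  # Info*Engine adapter filter
    if can_login and visible:
        return "active"
    if visible:
        return "retained-no-login"  # departed user, history stays resolvable
    return "inconsistent" if can_login else "not-windchill"

def audit(ldif_text, departed):
    """Return ({uid: state}, departed uids not in the retained-no-login state)."""
    states = {e["uid"][0]: classify(e) for e in parse_ldif(ldif_text)}
    findings = sorted(u for u in departed if states.get(u) != "retained-no-login")
    return states, findings

if __name__ == "__main__":
    states, findings = audit(SAMPLE_LDIF, departed={"bjones", "cwu"})
    print(states)
    print("departed users needing attention:", findings)
```
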

1-Visitor
September 15, 2014
History isn't lost if a Windchill user is deleted. I don't disagree with any of these points though. If you delete a user and then review a signoff or historical record of something they did, it will say "Steve Vinyard (deleted)".


Regards,

Stephen Vinyard
Director of Customer Success
1-Visitor
September 15, 2014
Ah. Yes you are right.
I was thinking of the other reason we don't delete users:
We have had many instances of users leaving and coming back years later. Their history, documents checked out, and even unfinished assignments are intact!

joe bell
GSIMS Administrator
GPS Sustainment Information Management System
719-572-2890
bellj@gpssims.com
BenPerry
15-Moonstone
September 15, 2014
I also don't think you can execute searches based on deleted users either. So, for example, I cannot search for "CAD files" created by "Steve Vinyard" between "date1" and "date2". Isn't that true?

Ben
23-Emerald IV
September 15, 2014
Searching by deleted user works just fine. (10.2 M020)
