12-Amethyst
January 14, 2014
Question

What do you do with the AD accounts of users who leave employment of your company?


Like many others, we authenticate Windchill users from Active Directory. When an employee leaves the company, our IT policy is to delete their account in AD. Unsurprisingly this causes several issues in Windchill.


Does anybody else follow this practice, and if so, have you implemented a process or configuration change that ensures user information persists in Windchill after the AD account is deleted?


The obvious solution is to not delete the AD accounts of leavers, rather mark them inactive.


Without digging too deeply into technical details, I would be interested to hear some pros and cons of different strategies on this topic.


Thanks Darren

15 replies

12-Amethyst
January 22, 2014

Ok I have this working now, looks like I was making a silly mistake somewhere along the line.



  1. Create new equivalent user in WDS console

  2. Works even if DS user ID is identical to that which was used in AD (no need to append).

Thanks to Mike Forester, Patrick Chin and Vaughn McDaniel for their help and contributions.

Darren

21-Topaz I
January 22, 2014
What would happen if that user would come back to work for you? We've had that happen a few times over the years.

Steve G
12-Amethyst
January 22, 2014

Stephen


Let's assume the user returns to employment and uses the same UID as before.



  1. They would now be able to log into Windchill but only by using the password stored in their WDS account.

Regards


1-Visitor
January 22, 2014
Thanks Darren

Yeah, I was not using the WDS console, my procedure was using the Windchill ORG Participant Administrator.

Vaughn
1-Visitor
January 22, 2014

You are very welcome guys. It is hard to keep up with the changing of the UIs of Windchill but the core process remains the same.


With the question if the person returns, just do the reverse by:



  1. deleting the user in the WindchillDS people structure.

  2. reactivate/re-create the user in AD

  3. The user in Windchill will appear as disconnected in the Participant Administration

  4. then follow the process based on your Windchill version by "Reconnect Disconnected" or edit/repair disconnected to point to the AD userid/samaccountname/principalname.

  5. Cleanup (wow this is new in 10.1 M040)

Sounds good.


Patrick



