ADSelfService Plus in action
Free up unused ADSelfService Plus licenses
As employees enter and leave an organization, there may be a substantial amount of stale user accounts in Active Directory. Stale accounts should be removed from the purview of ADSelfService Plus so that the license assigned to them can be reclaimed and assigned to other users who need it. The Restrict Users feature in ADSelfService Plus helps you remove stale accounts either automatically or manually.
As the name suggests, this feature not only frees up the licenses assigned to these accounts but also restricts them from accessing ADSelfService Plus in the future. Restricted users' enrollment data is also automatically removed.
Types of accounts that can be restricted
Here are the types of user accounts that can be restricted using the Restrict Users feature:
- Account Expired - Accounts that have expired in Active Directory.
- Account Disabled - Accounts that have been disabled by the administrator.
- Inactive Users - Accounts that have not logged in to the domain for a specific period of time.
- Deleted Users - Accounts that had been deleted from Active Directory within the past 90 days.
- Unowned Licenses - Accounts that had been deleted from Active Directory before 90 days.
- Service Accounts - Active Directory service accounts.
- Smart Card Users - User accounts that use a smart card for authenticating their workstations.
Configuring the Restrict Users feature
There are two ways to use this feature:
- Manual method: Selecting stale user accounts and revoking their ADSelfService Plus licenses.
- Automatic method: Creating a scheduler that will automatically find stale user accounts and free up unused licenses at regular intervals.
To restrict stale accounts manually:
- Go to Admin > License Management > Restrict Users.
- In the Restricted Users section, click Restrict Users.
- The Restrict Users section will open. Specify the domain using the Select Domain drop-down menu. You can also use the OUs option to select Organization Units.
- Select the stale user account type using the Account Type drop-down menu. In the case of Inactive Users and Deleted Users, select the number of days for which the user accounts have been inactive or deleted respectively.
- Click Generate.
- A list of stale Active Directory user accounts is generated.
- From this list, select the accounts you want to restrict. You can select individual accounts or select all the accounts at once.
- Click Restrict.
To restrict stale accounts automatically:
- Go to Admin > License Management > Restrict Users.
- Click Schedule to Restrict/Unrestrict. The Schedule to Restrict/Unrestrict section will appear
- Select the Restrict tab and click Add New Scheduler.
- Enter a Scheduler Name.
- Select the domain using the Select Domain field and use the OUs option to select the desired Organizational Units.
- In the Select Account Type section, specify the type of stale user accounts that you want to restrict.
- In the Select Duration section, specify the frequency of the scheduler.
- Use the Notify Admin option to select an email ID to which the restricted users list will be sent periodically.
- Click Save.
- Now according to the frequency set, the scheduler will automatically run and restrict the stale Active Directory user accounts.
Restricting stale user accounts allows organizations to reuse the ADSelfService Plus licenses assigned to these accounts thereby saving money and attaining maximum benefit from the licenses purchased.