Open Discussion

User Reactivation without Org access

  • 1.  User Reactivation without Org access

    Posted 11-25-2019 13:01
    We are currently using LDAP Sync to activate / deactivate users. However, there are times where there is a staff member that leaves the company, causing their account to be deactivated, and we want to restore files from their machine.

    We would like to allow any of our service staff to be able to re-activate an account and move it to a passive Organization so that we can restore files off of it. However, the only permissions we are seeing that allow this are "Cross Org Admin" or "Customer Cloud Admin".

    We prefer not to give this high security to all team staff, preferably not the rights to modify org settings.

    The only alternatives I see are only allowing certain staff to have this access, or creating a tool to "Active and then Move Users".

    How is everyone handling this?

    Ben Horbul


  • 2.  RE: User Reactivation without Org access

    Posted 11-26-2019 09:48
    In our organization, we have a "Disabled Users" and "Departments" OU in Active Directory.

    Anytime a user profile is disabled in Active Directory or moved into the Disabled Users OU, LDAP synchronizes between our Code42 authority server and our domain controller every 12 hours and, if the user has an active Code42 account, will deactivate that account upon learning that the AD profile is disabled.

    Say a sales rep in the company needs files from a past user's territory that they are now responsible for.

    Using the "AD Users and Computers" program included in RSAT for Windows, we re-activate the user in Active Directory (while resetting their password) and move them outside of the Disabled Users OU (if applicable). Anyone that is part of the "Domain Admin" group in AD can do this.

    Then you can manually activate the profile through the authority server's admin page and it should stay active, allowing you to restore files to that sales rep's computer. You will need to apply specific admin rights on the authority server for someone to do this.

    Don't forget to deactivate the profile again after any file restores from its devices are completed.

    Mitchell Aubitz
    Desktop Support Specialist
    Eden Prairie MN