Active Directory/LDAP user accounts should be deleted from both Admin Portal and Active Directory/LDAP to avoid confusion.
When you delete Active Directory/LDAP user accounts in Admin Portal, the account records are deleted from Privileged Access Service, but they are unchanged in Active Directory. These users can still log in to Privileged Access Service using the same Active Directory/LDAP accounts.
When you delete Active Directory/LDAP user accounts in Active Directory/LDAP, those user accounts remain on the Users page in Admin Portal, but they can no longer access Centrify Connector. For the connector to detect a user account deletion performed in Active Directory and update the Users page in Admin Portal, each Centrify Connector must have permission to read the Deleted Objects container in Active Directory. You can grant the necessary permission by running the following commands on each connector.
If you do not have the necessary permissions to change the permissions of the deleted objects container, then run this command:
dsacls "CN=Deleted Objects,DC=<EXAMPLE>,DC=<COM>" /takeownership
The following command grants the Centrify Connector permission to read the deleted objects container in Active Directory:
dsacls "CN=Deleted Objects,DC=<EXAMPLE>,DC=<COM>" /user:administrator@<EXAMPLE.COM> /passwd:* /g <EXAMPLE>\<MACHINENAME>$:LCRP /I:T
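The following PowerShell script is an added example, not part of the original documentation. It applies the grant shown above to every connector's computer account in one pass and then verifies that the account actually appears in the container's ACL, which is the check an administrator would want before assuming deletions will sync. It assumes the ActiveDirectory PowerShell module is installed, that the session is elevated and runs as an account that already has rights on the Deleted Objects container (otherwise run the /takeownership command above first), and that $ConnectorNames holds your real connector hostnames (the values shown are constructed placeholders). Unlike the page's command it uses the current session's credentials rather than /user and /passwd, so it does not prompt per connector.

```powershell
# Added example (not Centrify's own code): grant each Centrify Connector's
# computer account LCRP on the Deleted Objects container and verify the ACE.
# Assumptions: ActiveDirectory module present, elevated session with rights
# on the container, $ConnectorNames lists the connector hostnames.

Import-Module ActiveDirectory

# Constructed placeholder hostnames; replace with the real connector names.
$ConnectorNames = @('CONNECTOR01', 'CONNECTOR02')

$domain           = Get-ADDomain
$netbios          = $domain.NetBIOSName                    # e.g. EXAMPLE
$deletedObjectsDn = "CN=Deleted Objects,$($domain.DistinguishedName)"

foreach ($name in $ConnectorNames) {
    # Confirm the computer account exists before touching the ACL.
    try {
        $computer = Get-ADComputer -Identity $name -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $name : computer account not found in $($domain.DNSRoot)"
        continue
    }
    $account = "$netbios\$($computer.SamAccountName)"      # EXAMPLE\CONNECTOR01$

    # LCRP = List Contents + Read Property, the minimum the connector needs to
    # see tombstoned users; /I:T applies the ACE to the container and children.
    # Nothing broader (no write, no full control) is granted here.
    $grantOutput = & dsacls.exe $deletedObjectsDn /g "${account}:LCRP" /I:T 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsacls failed for $account : $grantOutput"
        continue
    }

    # Verification: dsacls with only the DN prints the current ACL, so the
    # connector account should now be listed. This confirms presence of an
    # ACE for the account, not the exact rights in it.
    $acl = & dsacls.exe $deletedObjectsDn 2>&1
    if ($acl -match [regex]::Escape($account)) {
        Write-Output "OK: $account has an ACE on $deletedObjectsDn"
    } else {
        Write-Warning "No ACE found for $account on $deletedObjectsDn"
    }
}
```

Run the script once from a domain-joined administration host rather than on each connector; the ACL lives on the domain partition, so a single grant per connector account is enough regardless of where it is issued. If a connector is later rebuilt under a new computer account, its ACE must be granted again, which the verification loop above will surface.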
- Deleting an LDAP Directory Service invalidates all of the users associated with that LDAP. You cannot repair this by creating a new LDAP Directory Service with the same connection parameters, because the new Directory Service is considered a different Directory Service regardless of its connection parameters. All user-specific elements must be re-created, including OATH tokens, user security questions, and role memberships, among other things.
- If an LDAP Directory Service is deleted, the users associated with that Directory Service are not automatically removed. They must be removed manually from the Admin Portal.