Active Directory Questions

Unknown

Active Directory Questions

Unknown

We will be implementing Active Directory sync within a client project. The end client is asking a couple of specific questions that I did not see in the documentation.

1 - is it possible to disable logging in without Active Directory sync?

2 - related, If a user is manually created, put in groups, will the AD sync remove them from the groups when the job next runs?

Unknown

1 - is it possible to disable logging in without Active Directory sync?
[ul][li]Can you confirm the use case for this? The default admin account would still have to be enabled, but all other user accounts can have an authentication type other than Password (excluding SYSTEM, GUEST, & EXTERNAL SYSTEM).[/li][/ul]2 - related, If a user is manually created, put in groups, will the AD sync remove them from the groups when the job next runs?
[ul][li]No, AD sync doesnt alter local accounts in this case, it looks for AD account type (authentication_type = ActiveDirectory) - non-AD accounts should remain untouched.[/li][/ul]
[b]
[/b]
[font=Roboto, Arial, Helvetica, sans-serif]Manually created accounts can be forcefully disabled by creating a Scheduled Job which fetches all Accounts with Password as the value for their authentication_type property (excluding the local admin account, SYSTEM, GUEST, & EXTERNAL SYSTEM), setting their is_active and can_use_portal properties as 0/False, and saving them. Groups can be synced from Active Directory, but their permissions will have to be configured for the Decisions side.[/font]