This is an old revision of the document!

Systems - AD: Remove group membership when the contract is excluded

By default, when a contract is excluded, IdM will not remove the account's group membership but only set the account as inactive. However, it is possible turn this behavior on for selected roles.

As a result, when an identity's contract becomes inactive, this role will be removed from the contract and the account will stop being a member of the respective group in AD.

Change behavior for individual roles

If you don't want all the roles to behave this way, you can set this behavior for each role separately. First, go to the detail of the role in IdM by clicking the magnifying glass next to the role's name.

In the detail, go to Systems.

Open the detail by clicking the magnifying glass, you will see this.

Set it on for all roles in the AD synchronization workflow

  • by doischert