ACME Inc. is a hypothetical telecommunication company. It employs more than 100,000 people worldwide. Due to an economic downturn, the company was forced to off-board 40 percent of its workforce in order to move forward under a huge debt load. Some of the employees will be laid off permanently, others will be furloughed.

George is an IT director at ACME. He and his team are tasked with ensuring that these 40,000+ employees are off-boarded efficiently and as smoothly as possible, and this must be done while maintaining a secure and productive environment. George is informed that there will be periodic audits by internal corporate security to ensure this work is done in a secure and compliant manner.

Fred is one of ten IT administrators who work for George. He is assigned to manage the deprovisioning process while the other admins handle regular daily tasks and requests. Luckily, ACME uses Active Roles. Fred receives two lists: one contains the laid-off employees and the other is the furloughed employees list. However, the deprovisioning tasks must take place at midnight that evening.

Fred creates two organizational units (OUs), one for each status of impacted employees. He then moves the respective user accounts into each OU.

Note: To move such large quantities of objects, Fred can either use a simple Active Roles PowerShell cmdlet or the built-in Sync Service. Either method can read from a .csv import file.

Fred then links his existing deprovisioning policy, entitled ‘ACME Inc. Deprovisioning’ to the ‘Terminated Accounts’ OU. The ‘ACME Inc. Deprovisioning Policy’ is an automated policy that performs the following actions:

  1. Makes the account ineligible for logon by:
    • Disabling the account
    • Setting the account password to a random value
    • Renaming the user account
    • Updating applicable user attributes
  2. Removes the account from all security and distribution groups
  3. Prevents the user from accessing the mailbox by:
    • Hiding the mailbox from the GAL
    • Granting the user’s manager full access to the mailbox
  4. Prevents the user from accessing the home folder by:
    • Removing the user’s permissions
    • Granting the user’s manager read-only access
    • Deleting the home folder when the user account is deleted
  5. Moves the account to the ‘To Be Removed’ folder
  6. Schedules account deletion in 30 days
  7. Sends a deprovisioning-related report to George, the IT director

Fred now needs to create a new deprovisioning policy for those who will be furloughed. He copies the existing deprovisioning policy, renames it ‘ACME Inc – Furloughed Accounts Policy’ and modifies the policy, changing only the option to ‘Does not delete user account’.

All other options he leaves unchanged. He then applies it to the newly created ‘Furloughed Accounts’ OU.

Note: For the deprovisioning of the furloughed accounts, there are many ways to achieve the same result. However, in this case, Fred chooses a simple point-and-click approach by using one of Active Roles’ automation workflows. With this method, he configures the search criteria and points it to the ‘Furloughed Accounts’ OU, selects the ‘Deprovision’ object management module and schedules the run time to kick off at midnight. Fred can be confident that the workflow will execute the deprovision tasks quickly and securely.

Fred now begins the deprovisioning of the terminated user accounts by simply selecting all the user IDs in the ‘Terminated’ OU and selecting the ‘Deprovision’ tab. By implementing such policies via Active Roles, ACME has saved significant time and ensured that all actions occur consistently and without human error.
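The scripted version of Fred’s procedure (create the two OUs, move the listed accounts into them, deprovision the terminated set through the Active Roles service so the linked policy fires, and reconcile the result) is shown below as an added example; it is not code from the original post or from One Identity. It uses the ActiveRoles Management Shell cmdlets; the domain DN, parent OU, CSV paths and the ‘sAMAccountName’ CSV column are placeholders/assumptions.

```powershell
# Added example (not from the original post). Assumes the ActiveRoles
# Management Shell is installed and the CSV lists have a 'sAMAccountName' column.
Import-Module ActiveRolesManagementShell
Connect-QADService -Proxy | Out-Null        # go through the Active Roles service so policies apply

$domainDn = 'DC=acme,DC=example'            # placeholder domain
$parentOu = "OU=Staff,$domainDn"            # placeholder parent container for the two new OUs
$batches  = @(
    @{ Csv = 'C:\offboard\terminated.csv'; Ou = 'Terminated Accounts'; Deprovision = $true  },
    @{ Csv = 'C:\offboard\furloughed.csv'; Ou = 'Furloughed Accounts'; Deprovision = $false }  # midnight workflow handles these
)
$log = 'C:\offboard\offboard-log.csv'       # audit trail for George's report

$results = foreach ($b in $batches) {
    $ouDn = "OU=$($b.Ou),$parentOu"
    # Create the OU on first use so the policy link has a target
    if (-not (Get-QADObject -Identity $ouDn -ErrorAction SilentlyContinue)) {
        New-QADObject -Type organizationalUnit -ParentContainer $parentOu -Name $b.Ou | Out-Null
    }
    $rows = @(Import-Csv $b.Csv)
    foreach ($row in $rows) {
        $status = 'moved'
        try {
            $user = Get-QADUser -Identity $row.sAMAccountName -ErrorAction Stop
            if ($user.ParentContainerDN -ne $ouDn) {
                Move-QADObject -Identity $user.DN -NewParentContainer $ouDn -ErrorAction Stop | Out-Null
            }
            if ($b.Deprovision) {
                # Runs the deprovisioning policy linked to the OU (disable, random password, groups, mailbox, ...)
                Deprovision-QADUser -Identity $user.DN -ErrorAction Stop | Out-Null
                $status = 'deprovisioned'
            }
        } catch {
            $status = "FAILED: $($_.Exception.Message)"   # never silently skip an account
        }
        [pscustomobject]@{ User = $row.sAMAccountName; Target = $b.Ou; Status = $status }
    }
    # Reconcile: the OU should now hold exactly the accounts on the list
    $inOu = @(Get-QADUser -SearchRoot $ouDn -SizeLimit 0).Count
    Write-Output "$($b.Ou): $($rows.Count) listed, $inOu present in OU"
}

$results | Export-Csv $log -NoTypeInformation
$results | Where-Object { $_.Status -like 'FAILED*' } | Format-Table -AutoSize
```

Any account whose status is still ‘moved’ in the terminated batch, or any count mismatch in the reconciliation line, is something to resolve before the audit rather than after it.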

To manually perform each of the operations described above for 40,000 users would literally take weeks and require multiple levels of help desk and intervention by many IT personnel. By using Active Roles, Fred can complete his tasks in seconds. Without Active Roles, there simply isn’t enough time to be security conscious and thorough. This is the ideal recipe for IT staff to take shortcuts, which leads to risk, vulnerabilities and security gaps.

The next morning, George, the IT director, receives a report of deprovisioned users. He can share this with IT and corporate leadership, as well as at the next corporate audit meeting.

Active Roles saves significant administrator effort and cuts the time it takes to complete this massive task from weeks to just a few minutes without sacrificing security.

