[AD Import] Users automatically becoming deactivated
Forge component by Steven Schultz
Published on 09 Jul 2019

Hi all,

In the recent past, we've had two separate users have their OutSystems accounts mysteriously deactivated. Since we're using this component, we very infrequently use the OutSystems Users application in the environment in question, and it's a relatively small group of people supporting the environment. This leads me to believe that some automated process was responsible for deactivating the accounts.

I've opened this post for the issue, but being unsure as to whether this automated process is native to OutSystems or to AD Import, I decided to post here as well; is anyone familiar with any AD Import process that may be deactivating user accounts?

Thanks,
Kirk

Rank: #17299

I should additionally mention that in both cases the users are currently active in AD, and there's no evidence they were ever inactive in AD.

Rank: #46274

I opened an OutSystems support case, in which they said:

"...there is nothing in the Platform itself that automatically disables the users. What can be happening is either something in your application code or in the ADImport forge component that is disabling the users. As this is a non-supported component since it was not developed by OutSystems, we have no tools at this point to assist you as we do not know how this component is developed. The only way to get assistance is by contacting the Developer, that you already told us that you did."

Rank: #20267

Yeah, they're not going to help with forge components not created by them. Did you check any audit history on the AD accounts to see if they were accidentally disabled, or perhaps something like an account lockout triggered a flag? Maybe they were removed from a specific group? The logic as I remember in the component is pretty straightforward, so I would think something happened where it couldn't find that account.

Rank: #46274

Thanks Steve,

While I look into any audit history that may exist, one of the issues is that while AD Import seems to be setting the users to inactive, when the timer is run again and the user's account is for sure properly configured, AD Import is not reactivating the user's account. As such, even if I root cause each individual case, it will still likely remain a manual activity to reactivate users, unless there is a setting that can be configured in AD Import to reactivate inactive user accounts when they are again returned by AD? If no such setting exists, is that something that could be integrated?