Understanding Active Directory Automatic User Management

Overview

When Active Directory (AD) Sync is run with the "User status mirrors Active Directory (Automatic)" option, it creates groups and users in Secret Server to mirror the organization's configured AD groups and users. A Secret Server user is created or enabled for every enabled AD user in the selected groups.

Thus, every enabled AD user in every synced group consumes a Secret Server license, whether or not they ever use Secret Server. As a result, an organization can end up paying for far more Secret Server licenses than it needs.

AD Automatic User Management addresses this issue by automatically disabling the accounts of users who have not logged in to Secret Server in a specified number of months. This saves unnecessary licensing costs as inactive users do not count against the number of user licenses required by Secret Server.

You can configure the setting on the Edit Active Directory Configuration page. See Configuring Active Directory. There is a checkbox to enable or disable the feature and a textbox to set the number of months of inactivity before a user is automatically disabled. The default is three months, but you can set it from one to twelve.

Newly added users remain enabled until the first synchronization after the configured number of months has passed. When a user whose account has been disabled by this feature attempts to log in, the account is automatically re-enabled, provided a license is available.

Examples

Example One

  1. Maria joined the company today.

  2. The next AD synchronization creates a Secret Server account for Maria.

  3. Maria never logs in to Secret Server because she does not need it for her job.

  4. Once the defined number of months have passed, the next AD synchronization disables Maria's Secret Server account.

  5. The Secret Server license used by Maria's account becomes available for use.

Example Two

This example only pertains to users who have never logged in to Secret Server and whose account was disabled (never enabled). It does not apply to previously enabled users who have been disabled due to inactivity.

  1. Joe gets added to Secret Server but never logs in.

  2. The defined number of months later, Automatic User Management disables his account, freeing his license.

  3. Joe gets promoted to a job that requires Secret Server.

  4. Joe logs into Secret Server.

  5. His account is automatically re-enabled, and he now takes up a license.

  6. Joe gets demoted to his old job, which does not require Secret Server.

  7. A defined number of months later, Automatic User Management disables his account, and the license is freed up once again.

  8. Joe has no idea any of this has happened—the automated process is hidden from him.

Example Three

  1. Rupert logs in to Secret Server several times per month.

  2. The defined number of months for Automatic User Management to disable his account is never reached.

  3. Rupert's account stays current and his license remains his. The entire process is invisible to Rupert.
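The disable and re-enable rules from the Overview, and the three example timelines above, as an added Python model. This is constructed for this page, not Secret Server's own code or API; it assumes the inactivity window is counted in whole calendar months since the last login (or since account creation for users who have never logged in), and that a sync run both creates accounts for new AD users and disables inactive ones.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional

def months_elapsed(start: date, end: date) -> int:
    """Whole calendar months from start to end (a partial month does not count)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months - 1 if end.day < start.day else months

@dataclass
class User:
    name: str
    created: date                      # date the AD sync first created the account
    last_login: Optional[date] = None  # None: has never logged in to Secret Server
    enabled: bool = True

@dataclass
class Tenant:
    licenses: int                      # user licenses the organization owns
    inactivity_months: int = 3         # page: default three, configurable from 1 to 12
    users: Dict[str, User] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 1 <= self.inactivity_months <= 12:
            raise ValueError("inactivity_months must be between 1 and 12")

    def licenses_in_use(self) -> int:
        return sum(u.enabled for u in self.users.values())  # only enabled users count

    def sync(self, today: date, ad_users=()) -> None:
        """One AD sync run: create accounts for new AD users, then disable inactive ones."""
        for name in ad_users:
            self.users.setdefault(name, User(name, created=today))
        for u in self.users.values():
            # Assumption: a user who has never logged in is measured from account creation.
            anchor = u.last_login or u.created
            if u.enabled and months_elapsed(anchor, today) >= self.inactivity_months:
                u.enabled = False

    def login(self, name: str, today: date) -> bool:
        """Login attempt; a disabled account is re-enabled only if a license is free."""
        u = self.users[name]
        if not u.enabled:
            if self.licenses_in_use() >= self.licenses:
                return False               # no license available: account stays disabled
            u.enabled = True
        u.last_login = today
        return True
```

Replaying Maria, Joe and Rupert through `sync` and `login` shows that only a sync run disables an account, and that a re-enable on login fails once every license is in use.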