Is their Active Directory account still active (enabled)?

In order for an account to be enabled in Active Directory, it must have an Active logon status in the EID system. If it is disabled or flagged to require a password change in the EID system, it will be disabled in Active Directory. The EID system will disable an EID after 15 months of inactivity, at which point it is also disabled in Active Directory.

If the account has one of the Affiliations or Entitlements mentioned here, its Primary Group will be Domain Users; otherwise, its Primary group Group will be Domain Guests. By default, Domain Guests cannot log onto computers joined to the domain.

Can they still authenticate using EntAuth? (EntAuth is backed by Austin Active Directory)

As long as their Active Directory account is still enabled, they will be able to authenticate using EntAuth, regardless of whether or not they have one of the Affiliations or Entitlements mentioned here that sets their Primary Group to Domain Users. For example: former employees will still be able to log in to review their tax forms for their last year of employment, former affiliates who retain a UTMail account will need to be able to log into the Manage My UTmail Account portal.

The configurations of specific applications behind EntAuth may or may not have further requirements to use them.

When does their account get removed from Active Directory?

An automated process removes Active Directory accounts based on conditions specified here (to sum things up, they are removed after 2.5 years of inactivity). This process is in place to remove any accounts that are no longer needed. If a user’s Active Directory account has been removed, it will be re-created if/when they obtain one of the Affiliations or Entitlements mentioned here. Because the re-created account is a new object in Active Directory, it will not be a member of any groups they remained in at the time of removal.

Are they automatically removed from Active Directory groups?

Users are not automatically removed from groups when they leave the University, even when their Active Directory account is disabled.

For the most part, groups in Austin Active Directory are owned and managed by the Department that created them. Departments are responsible for maintaining the memberships of their groups, and removing any members that are no longer necessary.
A user may need to be removed from a group if:

• They are no longer at the University

• Their role within your department has changed

• They remain at the University but no longer fall under the intended scope of the group (for example, an employee who leaves your department and is still a current employee working for another department should be removed from groups that give them access to your department’s resources)

How are group memberships managed?

If a group is located in a Departmental OU, its members can be managed by the Department’s OU Administrators using native tools (the Active Directory Users and Computers console, Active Directory Administrative Center, PowerShell). Others Other Departmental users may have the necessary permissions to edit group memberships based on delegations and or the group’s Managed By configuration.

If a group was created in the Department Group Tools OR its Managed By attribute is set along with the Manager can update membership list checkbox checked, its memberships can be managed in the Department Group Tools (📑 Documentation).

For email Distribution Groups, the Distribution List’s Managers can add/remove members using the Office 365 Management : My Services portal (📑 Documentation)
A department’s Department’s M365 Managers can also manage the membership of Distribution Lists owned by their employees using the Office 365 Management : My Users portal (📑 Documentation)

What about departmental department user accounts being used as service accounts?

Service accounts can be assigned to more than one person at a time (although they can only be claimed by one person at a time).
When an assignee has left the University, a Department OU Owner should remove them from the list of assignees of their service account(s), and another assignee should claim the account(s). This prevents them from having control over these service accounts if they ever do return to the University (a former employee in your department may later return as an employee in another department or a student)Any department user account being used as a service account should be converted to a department service account. This ensures a few key items:

• Department service accounts are not automatically disabled

• Department service accounts can be managed by multiple users

• Department service accounts will remain exempt from any future password expiration policies

Department OU Owners can submit a request to the Active Directory team via Service Now to change a department user account to a department service account.