Is their Active Directory account still active (enabled)?

In order for an account to be enabled in Active Directory, it must have an Active logon status in the EID system. If it is disabled or flagged to require a password change in the EID system, it will be disabled in Active Directory. The EID system will disable an EID after 15 months of inactivity, at which point it is also disabled in Active Directory.

If the account has one of the Affiliations or Entitlements mentioned here, its Primary Group will be Domain Users; otherwise, its Primary Group will be Domain Guests. By default, Domain Guests cannot log onto computers joined to the domain.

Can they still authenticate using EntAuth? (EntAuth is backed by Austin Active Directory)

As long as their Active Directory account is still enabled, they will be able to authenticate using EntAuth, regardless of whether or not they have one of the Affiliations or Entitlements mentioned here that sets their Primary Group to Domain Users. For example: former employees will still be able to log in to review their tax forms for their last year of employment, former affiliates who retain a UTMail account will need to be able to log into the Manage My UTmail Account portal.

The configurations of specific applications behind EntAuth may or may not have further requirements to use them.

When does their account get removed from Active Directory?

An automated process removes Active Directory accounts based on conditions specified here (to sum things up, they are removed after 2.5 years of inactivity). This process is in place to remove any accounts that are no longer needed. If a user’s Active Directory account has been removed, it will be re-created if/when they obtain one of the Affiliations or Entitlements mentioned here. Because the re-created account is a new object in Active Directory, it will not be a member of any groups they remained in at the time of removal.

Are they automatically removed from Active Directory groups?

Users are not automatically removed from groups when they leave the University.

For the most part, groups in Austin Active Directory are owned and managed by the Department that created them. Departments are responsible for maintaining the memberships of their groups, and removing any members that are no longer necessary.
A user may need to be removed from a group if:

• They are no longer at the University

• Their role within your department has changed

• They remain at the University but no longer fall under the intended scope of the group (for example, an employee who leaves your department and is still a current employee working for another department should be removed from groups that give them access to your department’s resources)

How are group memberships managed?

If a group is located in a Departmental OU, its members can be managed by the Department’s OU Administrators using native tools (the Active Directory Users and Computers console, Active Directory Administrative Center, PowerShell). Other Departmental users may have the necessary permissions to edit group memberships based on delegations or the group’s Managed By configuration.

If a group was created in the Department Group Tools OR its Managed By attribute is set along with the Manager can update membership list checkbox checked, its memberships can be managed in the Department Group Tools ( Documentation).

For email Distribution Groups, the Distribution List’s Managers can add/remove members using the Office 365 Management : My Services portal ( Documentation)
A Department’s M365 Managers can also manage the membership of Distribution Lists owned by their employees using the Office 365 Management : My Users portal ( Documentation)

What happens to their M365 Mailbox?

Refer to Eligibility for M365 : What Happens After I leave the University.

What happens if they were a Department OU Owner?

At this time, no action is automatically taken to remove them as owners. Another Department OU Owner should remove them using the Department User Tools ( Documentation).

Audit reports are emailed to Department OU owners monthly. One of the items that appear in this audit is ineligible owners that should be removed.

Are their departmental user accounts disabled or deleted when they leave the University?

At this time, no action is automatically taken on departmental accounts when the assignee leaves the University.
Department OU Owners are responsible for disabling or deleting departmental accounts when they are no longer needed.

How are departmental accounts managed?

Department OU Owners can manage their departmental accounts using the Department User Tools ( Documentation).

What about departmental service accounts?

Service accounts can be assigned to more than one person at a time (although they can only be claimed by one person at a time).
When an assignee has left the University, a Department OU Owner should remove them from the list of assignees of their service account(s), and another assignee should claim the account(s). This prevents them from having control over these service accounts if they ever do return to the University (a former employee in your department may later return as an employee in another department or a student).