FAQs: What happens to a user's Active Directory account when they leave the University?
EID-based Active Directory accounts
Is their Active Directory account still active (enabled)?
In order for an account to be enabled in Active Directory, it must have an Active logon status in the EID system. If it is disabled or flagged to require a password change in the EID system, it will be disabled in Active Directory. The EID system will disable an EID after 15 months of inactivity, at which point it is also disabled in Active Directory.
If the account has one of the Affiliations or Entitlements mentioned here, its Primary Group will be Domain Users; otherwise, its Primary Group will be Domain Guests. By default, Domain Guests cannot log onto computers joined to the domain.
Can they still authenticate using EntAuth? (EntAuth is backed by Austin Active Directory)
As long as their Active Directory account is still enabled, they will be able to authenticate using EntAuth, regardless of whether or not they have one of the Affiliations or Entitlements mentioned here that sets their Primary Group to Domain Users. For example, former employees will still be able to log in to review their tax forms for their last year of employment, and former affiliates who retain a UTmail account will need to be able to log into the Manage My UTmail Account portal.
The configurations of specific applications behind EntAuth may or may not have further requirements to use them.
When does their account get removed from Active Directory?
An automated process removes Active Directory accounts based on conditions specified here (to sum things up, they are removed after 2.5 years of inactivity). This process is in place to remove any accounts that are no longer needed. If a user’s Active Directory account has been removed, it will be re-created if/when they obtain one of the Affiliations or Entitlements mentioned here. Because the re-created account is a new object in Active Directory, it will not be a member of any groups they remained in at the time of removal.
Are they automatically removed from Active Directory groups?
Users are not automatically removed from groups when they leave the University.
For the most part, groups in Austin Active Directory are owned and managed by the Department that created them. Departments are responsible for maintaining the memberships of their groups, and removing any members that are no longer necessary.
A user may need to be removed from a group if:
They are no longer at the University
Their role within your department has changed
They remain at the University but no longer fall under the intended scope of the group (for example, an employee who leaves your department and is still a current employee working for another department should be removed from groups that give them access to your department’s resources)
How are group memberships managed?
If a group is located in a Departmental OU, its members can be managed by the Department’s OU Administrators using native tools (the Active Directory Users and Computers console, Active Directory Administrative Center, PowerShell). Other Departmental users may have the necessary permissions to edit group memberships based on delegations or the group’s Managed By configuration.
If a group was created in the Department Group Tools, or its Managed By attribute is set and the "Manager can update membership list" checkbox is checked, its membership can be managed in the Department Group Tools (Documentation).
For email Distribution Groups, the Distribution List's Managers can add/remove members using the Office 365 Management : My Services portal (Documentation).
A Department's M365 Managers can also manage the membership of Distribution Lists owned by their employees using the Office 365 Management : My Users portal (Documentation).
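Because members are not removed from groups automatically (see "Are they automatically removed from Active Directory groups?") and Departmental OU Administrators can manage membership with PowerShell, here is an added audit script that is not part of the University's documentation or tools. It lists the direct user members of one departmental group that are disabled in Active Directory or whose Primary Group is Domain Guests (i.e. they no longer hold a qualifying Affiliation or Entitlement); the group name is a placeholder and the RSAT ActiveDirectory module plus read access to the group and its members are assumed.

```powershell
# Added example, not from the University's documentation or tools.
# Assumes the RSAT ActiveDirectory module and read access to the group.
Import-Module ActiveDirectory

$GroupName = 'DEPT-Example-Resource-Access'   # placeholder group name

# Well-known primary group RIDs: 513 = Domain Users, 514 = Domain Guests.
# The FAQ states accounts without a qualifying Affiliation/Entitlement
# have Domain Guests as their Primary Group.
$DomainGuestsRid = 514

function Get-StaleGroupMembers {
    param([Parameter(Mandatory)][string]$Group)

    # Direct user members only; nested groups are not expanded, so each
    # result can be removed from $Group directly if a manager decides to.
    Get-ADGroupMember -Identity $Group |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                    -Properties primaryGroupID, LastLogonDate
            $reasons = @()
            if (-not $u.Enabled) {
                $reasons += 'disabled in AD (EID not Active or password change required)'
            }
            if ($u.primaryGroupID -eq $DomainGuestsRid) {
                $reasons += 'Primary Group is Domain Guests (no qualifying affiliation)'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Enabled        = $u.Enabled
                    PrimaryGroupID = $u.primaryGroupID
                    LastLogonDate  = $u.LastLogonDate
                    Reason         = ($reasons -join '; ')
                }
            }
        }
}

# Report only; removal stays a deliberate, reviewed step for the group's managers.
$stale = Get-StaleGroupMembers -Group $GroupName
$stale | Sort-Object SamAccountName | Format-Table -AutoSize

# Removal step, once the report has been reviewed (left commented out):
# $stale | ForEach-Object {
#     Remove-ADGroupMember -Identity $GroupName -Members $_.SamAccountName -Confirm:$false
# }
```

A member flagged as disabled may still be reactivated if the EID becomes Active again, whereas a member whose account has already been removed will not appear in the group at all (the re-created account is a new object with no memberships).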
What happens to their M365 Mailbox?
Refer to Eligibility for M365 : What Happens After I leave the University.
What happens if they were a Department OU Owner?
At this time, no action is automatically taken to remove them as owners. Another Department OU Owner should remove them using the Department User Tools (Documentation).
Audit reports are emailed to Department OU Owners monthly. One of the items that appears in this audit is a list of ineligible owners who should be removed.
Department (DEPT-) Active Directory Accounts
Are their department user accounts disabled or deleted when they leave the University?
Current:
No action is automatically taken on department user accounts when the assignee leaves the University. Department OU Owners are responsible for disabling or deleting department user accounts when they are no longer needed.
Planned:
Yes, department user accounts (department accounts with the Administrative or Power User account type) are automatically disabled when the EID that claimed the account no longer has one of the Affiliations or Entitlements mentioned here that sets their Primary Group to Domain Users. Department OU Owners are responsible for deleting department user accounts when they are no longer needed.
Are department service accounts automatically disabled or deleted?
No, department service accounts (department accounts with the Service account type) are not automatically disabled or deleted. Department OU Owners are responsible for disabling or deleting department service accounts when they are no longer needed. Department OU Owners are also responsible for keeping the assignees for each department service account up to date. This prevents scenarios such as unexpected access by former employees who leave the University and return as an employee in a different department or as a student.
How are department accounts managed?
Department OU Owners and assignees can manage their department accounts using the Department User Tools (Documentation).
What about department user accounts being used as service accounts?
Any department user account being used as a service account should be converted to a department service account. This ensures a few key items:
Department service accounts are not automatically disabled
Department service accounts can be managed by multiple users
Department service accounts will remain exempt from any future password expiration policies
Department OU Owners can submit a request to the Active Directory team via ServiceNow to change a department user account to a department service account.