Automated Account Cleanup Overview

Automated account cleanup enables administrators to systematically deactivate and retire stale user accounts based on organizational security policies. This capability eliminates manual account management processes while providing approval workflows and safety mechanisms.

How Automated Cleanup Works

The automated cleanup process identifies stale accounts through configurable criteria, moves them through approval workflows, and ultimately removes them from directory systems. The process includes multiple safeguards:

  1. Identification – Query-based collections (SetGroups) identify accounts meeting staleness criteria (inactive periods, disabled duration, or last login thresholds)
  2. Notification – Managers and administrators receive notifications of pending account terminations
  3. Approval – Designated approvers review and authorize account deactivation through approval tasks
  4. Staging – Approved accounts move to designated organizational units (for directory systems with OUs) and become disabled
  5. Termination – After a configured holding period, approved accounts are permanently deleted

For account stores without organizational units (such as cloud directories), accounts skip the staging step but follow the same identification, approval, and termination workflow.

Key Components

Workflows

Three interconnected workflows manage the cleanup lifecycle:

Submit Account Terminations
Permanent workflow that claims accounts from enabled account stores, processes them according to configured thresholds, moves accounts to staging locations (where applicable), and initiates approval workflows when thresholds are exceeded.

Submit Account Terminations Approval
Creates approval tasks and routes them to designated management roles. Approvers must explicitly select accounts for termination before processing continues.

Terminate Account Advanced
Claims approved accounts and executes deletion operations. Sends deletion notifications to managers and administrators based on workflow configuration.

Query-Based Collections (SetGroups)

Three default SetGroups define account classification at different processing stages:

AccountGetPendingTerminationBeforeProcessing
Identifies accounts pending termination that have not yet been processed. Typical criteria include accounts inactive for specified periods (default: 7,950 days) or disabled beyond configured thresholds (default: 8,000 days) that have not been moved to staging locations.

AccountGetPendingTerminationNotProcessed
Contains accounts notified of pending termination but not yet moved to staging. These accounts have received notification and await further processing.

AccountGetPendingTerminationProcessed
Contains accounts ready for final termination. These accounts have been moved to staging locations (where applicable), disabled for the configured period (default: 30 days), and approved for deletion.

Default criteria can be customized to align with organizational security policies. Organizations implementing cleanup across multiple directories can create additional SetGroups with directory-specific criteria.

Configuration Parameters

Account Store Settings

  • Directory Clean Up Enabled – Enables the Submit Account Terminations workflow to process the account store
  • Report Only Mode (No Changes) – Generates reports of cleanup actions without executing changes; sets all matching accounts to Termination Pending status
  • OU to Move Stale Accounts – Specifies the organizational unit for staging accounts before deletion (Active Directory and LDAP only)

Resource System Parameters

  • ApprovalApproverManagementRoleGUID – Management Role GUID for approval notifications
  • SubmitAccountTerminationsApprovalInitiatorPersonID – Person ID for initiating approval workflows
  • TaskApprovalPendingStatus – Boolean indicating whether approval tasks are pending (set automatically by workflows)
  • TerminationAccountAdvancedInitiatorPersonID – Person ID for initiating termination workflows
  • TerminationBeforeProcessingSetGroupGUID – SetGroup GUID for pre-notification accounts
  • TerminationNotProcessedSetGroupGUID – SetGroup GUID for accounts awaiting processing
  • TerminationProcessedSetGroupGUID – SetGroup GUID for accounts ready for termination
  • ThresholdOnAccounts – Maximum number of accounts processed simultaneously per account store

Workflow Parameters
Each workflow includes parameters for notification templates, management role assignments, timing configurations, and behavioral settings. These parameters control email notifications, approval routing, and processing thresholds.

Report Mode Capabilities

Report Only Mode generates reports of what the directory cleanup process would do without executing changes. When enabled, all account processing steps are ignored and accounts meeting the criteria are set to AccountOrganizationStatusID of TerminationPending.

Process Flow

The automated cleanup process involves three workflows that work together to identify, approve, and terminate stale accounts.

Submit Account Terminations Workflow

This permanent workflow claims account stores where CleanUpEnabled is set to true and retrieves SetGroup GUIDs from Resource System configuration settings to process accounts in the following groups:

  • AccountTerminationBeforeProcessingSetGroupGUID – Identifies people needing notification of pending account moves and disabling
  • AccountTerminationNotProcessedSetGroupGUID – Contains accounts to be moved and disabled
  • AccountTerminationProcessedSetGroupGUID – Contains accounts to be terminated (processes one account store at a time)

The workflow checks whether CleanUpReportModeOnly is set to true on the account store. If enabled, account processing steps are ignored and the account's AccountOrganizationStatusID is set to 3 (TerminationPending), logging what the workflow would do without executing changes.

If Report Mode is disabled, the workflow validates that the OU specified by CleanUpStaleAccountOU has a valid external OrgZone (where applicable, for Active Directory account stores). If the setting is invalid, accounts are disabled and marked for termination without being moved to a staging OU.

When the number of accounts reaches the threshold specified in the ThresholdOnAccounts Resource System configuration setting, the SubmitAccTerminationsApproval workflow is invoked. Otherwise, accounts are moved to the OU specified by CleanUpStaleAccountOU (where applicable).

If the DisabledAccountOnMove workflow parameter is set to true, accounts are disabled when moved. The AccountOrganizationStatusID is set to 5 (Transfer) and the TransferDate is set to current date and time.

Emails are sent to managers and administrators after accounts are moved using the EmailTemplateManagerMoveNotification and EmailTemplateAdminMoveNotification templates. The AdminManagementRoleGuids workflow parameter determines which administrators receive notifications.

After the emails are sent and before the accounts are moved, an AssigneeNotification is inserted for each account to prevent duplicate notifications.

Accounts claimed for termination are processed by invoking the Terminate Account Advanced workflow.

Submit Acc Terminations Approval Workflow

This workflow creates an approval task for the claimed accounts and routes it to the Management Role specified by the ApprovalApproverManagementRoleGUID parameter. At least one user in the Management Role must select and approve each account for termination.

When a task is created for an account store, the TaskApprovalPendingStatus Resource System configuration setting is set to true, preventing duplicate task creation.

If the task is approved, all accounts selected from the Task Approval Form are disabled and moved, and the TaskApprovalPendingStatus setting is reset to false.

Terminate Account Advanced Workflow

This workflow claims all accounts approved for termination, moves and terminates each one, and sets the AccountOrganizationStatusID to 2 (Terminated).

After an account is terminated, the workflow checks whether the NotifyManager and NotifyAdminManagementRole parameters are set to true.

If both parameters are enabled, the workflow uses the EmailTemplateManagerDeletionNotification and EmailTemplateAdminDeletionNotification parameters to send emails to managers of terminated users and all administrators belonging to the Management Role specified by AdminManagementRoleGuids.