Listed below are the out of the box actions. A given policy can trigger one or more than one action.
This action allows you to add users to static Active Directory (AD) Groups. Only those users who meet the appropriate filters for a particular Active Directory Group will be added. It is important to note that this function does not remove those individuals who no longer meet the filter. It is instead intended to increase performance for instances in which administrators are interested in adding users to AD Groups and not interested in enforcing membership to these AD Groups.
^ back to top
This action allows you to add and/or remove users to and from static Active Directory (AD) Groups. This enables you to enforce that only the appropriate people are members of a particular Active Directory Group. If users are added to an AD Group and do not meet the criteria they will be removed. Likewise, if users are removed from AD groups that do meet the criteria, they will be re-added to the group if they meet the criteria in the future. This provides powerful, automated real-time enforcement of Active Directory group membership.
This action allows you remove user(s) from all Active Diretory Group memberships. Upon execution of the action, the users affected will not be a member of any static Active Directory (AD) Groups.
Custom Actions allow you to extend the ACM product beyond the standard out-of-the-box functionality. This is also frequently referred to as extensibility. Using this action, your custom code is executed which can perform any custom code that you desire.
This action is not limited in its scope and allows organizations to meet its unique requirements. When this action is executed, your custom code (which can be developed in any standard .NET programming language) is executed. This could perform any number of tasks such as calling out to a UNIX or mainframe system, reading from a message queue or even calling out to a workflow engine such as WWF (Windows Workflow Foundation).
The Delete Object action, physically deletes any object meeting the filter you provide. The Delete Object is an action that should be used with extreme caution. Once the object is deleted, it is removed from Active Directory.
The Disable Account action allows you to disable accounts within Active Directory (AD).
The Distribution List Management action was originally designed to meet the higher education market to achieve FERPA compliance. However, there are many other uses for this action for other vertical markets.
This action allows you to email a generic user (any user) when people meet a particular filter. For example, you may want to email a user or set of users when accounts are disabled or deleted in your system. This could be an early detection system, monitoring in real-time for your system.
This action allows you to email the manager(s) for users that meet a particular filter. For example, you may want to email user’s managers whenever the users themselves are locked out in Active Directory. This could be an early detection system or an indication to the manager that they need to take action to unlock their subordinates’ user account.
Email Summary Only, emails a summary list (First, Last Name, User Name, etc.) of the people matching the dynamic group filter.
The Email User action allows you to email the user that meets the particular dynamic groups filter. For example, you can configure this action to automatically email a user when his or her account has been locked. This is useful for informing users of this situation. This is particularly helpful if the account was not locked by the user and perhaps the user’s account has been compromised.
The Enable Account function allows you to enable the accounts in Active Directory (AD) that meet the particular Dynamic Group Filter.
The Export List action allows you to export to a CSV (comma separated value) file, a list of user data.
The Force Password Change allows you to force users meeting the dynamic group filter to change their password at the next log-in. This is exactly to the process of setting this force password change at next login in the Active Directory Users and Computers (ADUC). This action, however, allows you to enforce this across many users in an automated fashion.
The Hide from GAL action will hide users from the Global Address List (GAL) that meet the dynamic group filter. This allows you to enforce this action across many users in an automated fashion.
The Move Object to OU allows you to move objects (often users) to a given OU (organizational unit) when they meet a particular dynamic group filter. This can be useful when you want to move users to another OU after they have been disabled, either manually by an administrator, or via another VIS for ACM step.
The Remove Account Expires enables you to remove the account expires field for any users meeting the dynamic group filter. This is identical to the process of setting this Remove Account Expires in the Active Directory Users and Computers (ADUC). This action, however, allows you to enforce this across many users in an automated fashion.
The Remove All Users from All Groups action enables you to remove all users from all groups. This action is most frequently used when an organization is terminating an employee.
The Remove All Users from All Distribution Groups action enables you to remove all users from all distribution groups. This action is most frequently used when an organization is terminating an employee.
The Remove Users from All Mail Enabled Groups action enables you to remove users from all mail enabled groups.
The Report Listing function enables you to generate an HTML report to the screen of users that meet the dynamic group filter. This allows an administrator to quickly and easily generate on-the-fly HTML reports on multiple Active Directories.
This action provides an administrator with the ability to enforce the business rule of having more than one individual complete a task. For instance, if the same individual writing checks for an organization also has the ability to approve invoices; this would be a toxic combination. In this example, the Separation of Duties function could remove one of these users from the Active Directory Groups or could email a manager to inform the manager that a user has both capabilities.
The Set Account Expires action allows you to set the Account Expires field for any users meeting the dynamic group filter. This is identical to the process of setting this Account Expires in the Active Directory Users and Computers (ADUC). This action, however, allows you to enforce this across many users in an automated fashion.
The Set Passwords to Expire allows you to set the Passwords to Expire field as seen in Active Directory Users and Computers (ADUC) for any users meeting the dynamic group filter to be checked. While this action is identical to the process of setting the Passwords to Expire in the Active Directory Users and Computers (ADUC), this action, however, allows you to enforce this across many users in an automated fashion.
The Set Passwords to Not Expire allows you to set the Passwords Never Expires field for any users meeting the dynamic group filter to be unchecked. This is identical to the process of setting this Passwords Never Expires in the Active Directory Users and Computers (ADUC). This action, however, allows you to enforce this across many users in an automated fashion.
The Unhide from GAL will unhide users from the Global Address List (GAL) that meet the dynamic group filter. This action, however, allows you to enforce this across many users in an automated fashion.
The update Attribute field allows you to update an attribute one set of users that meet the dynamic group filter in an automated fashion. For example, you may want to update the mail attribute for every user in a particular office (example: Delaware@optimalidm.com).