5.8 The Active Directory Deletion Tool

The Active Directory Deletion Tool allows you to synchronize Active Directory deletions ('Tombstone' markers). Use of this tool requires an administrator to configure a scheduled task which executes the tool periodically. This tool will not function with Global Catalog instances, as they do not provide the necessary Tombstone deleted item information.

The active directory deletion synchronization tool is installed to the following location by default:

C:\Program Files\Intercede\MyID\Utilities\ADDeletionSync.exe

This is a command line tool that you can run on the MyID application server whenever you require it. It takes the following steps:

  1. Connects to each of your configured Active Directory servers.
  2. Checks for newly-deleted items on each of those servers.
  3. Checks MyID for cardholders that match these deleted items.
  4. Updates the matching cardholders accordingly.

    If the Disable on removal from directory option on the LDAP page of the Operation Settings workflow is set to Yes, the users are disabled in MyID, and their credentials canceled, resulting in the revocation of their certificates.

To carry this out, the tool must run as a user with sufficient privileges to access the LDAP, and read and update the MyID database; you are advised to use a domain administrator.

You can run this tool from the command line, and (provided the user running the tool has sufficient privileges) it will process any new Active Directory deletions that match cardholders in MyID. We recommend running the tool from the command line before setting up a scheduled task: the first run may encounter a large number of deletions and may take considerably longer to process than subsequent runs.

Note: The tool is not compatible with Global Catalog Active Directory systems because they do not provide the Tombstone deleted item information needed to synchronize the MyID database.

5.8.1 Scheduled task repeat interval

Before configuring the scheduled task, consider the repeat interval required. A longer interval means each run retrieves more deleted records from Active Directory and takes longer to execute; a shorter interval means each run updates fewer records, but gives a finer grain of control over the synchronization.

We recommend that a 10 minute interval be considered initially. However, when large numbers of deletions from Active Directory occur, a run may still be executing when the next trigger fires, so the tool could start again while the previous run is still in progress. Monitor the task to ensure that its execution frequency is meeting the needs of the system.

Things to consider when deciding how often to execute the task are:

5.8.2 Setting up a Scheduled Task

To set up a scheduled task, use the ADDeletionSync.exe tool in the Utilities folder that is part of your MyID installation. If you have installed MyID in the default location, this is:

C:\Program Files\Intercede\MyID\Utilities\

To set up a scheduled task:

  1. Open the Scheduled tasks tool:

    • In the Control Panel, open System and Security > Administrative Tools > Task Scheduler.

    or:

    • From the Start menu, type schedule task into the Search programs and files box and select either Task Scheduler or Schedule tasks. (Both open the same tool.)
  2. Click Create Task.
  3. On the General tab:

    1. Type a Name for the task. For example, Active Directory Deletion Synchronization.
    2. Add a Description if required.
    3. Click Change User or Group and select a domain administrator.
    4. Under Security options select Run whether user is logged on or not.
  4. On the Triggers tab:

    1. Click New.
    2. From the Begin the task drop-down list, select On a schedule.
    3. Under Advanced settings, set the following options:

      • Repeat task every – set the check box, then from the drop-down list select your preferred repeat interval; for example, select 15 minutes.
      • Set the for a duration of option to Indefinitely.
      • If you experience problems with slow directories or databases, you can set the Stop task if it runs longer than option and set a maximum duration.
      • Make sure the Enabled box is selected.
  5. Click OK to create the trigger.
  6. On the Actions tab:

    1. Click New.
    2. From the Action drop-down list, select Start a program.
    3. Click the Browse button next to the Program/script field.
    4. Navigate to the Utilities folder that is part of your MyID installation. If you have installed MyID in the default location, this is:

      C:\Program Files\Intercede\MyID\Utilities\

    5. Select ADDeletionSync.exe and click Open.
    6. Leave the Add arguments (optional) and Start in (optional) fields blank.
    7. Click OK to add the action.
  7. Check the Conditions and Settings tabs to ensure the settings meet with your company policies and procedures.

    You can use the default settings on these tabs.

  8. Click OK to add the task.
  9. If prompted, enter the password for the domain administrator.

The new scheduled task is now displayed in the Task Scheduler Library. If you need to edit the settings, you can double-click the task. If the task is set up correctly, you can close the Task Scheduler tool.
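The following PowerShell script is an added example, not part of the MyID documentation or Intercede's tooling. It creates the same scheduled task that the GUI steps in section 5.8.2 describe, and it applies the execution time limit and a no-overlap setting that address the long-running and overlapping runs discussed in section 5.8.1. The task name, the 15 minute interval, the one hour time limit, the MultipleInstances choice and the credential prompt are assumptions; the executable path is the default installation path from this documentation.

```powershell
# Added example (not part of the MyID documentation): registers the
# ADDeletionSync.exe scheduled task from PowerShell instead of the Task
# Scheduler GUI. Run in an elevated PowerShell session on the MyID
# application server. Assumed values: task name, 15 minute interval,
# 1 hour time limit, the IgnoreNew instance policy and the account prompt.

$exe      = 'C:\Program Files\Intercede\MyID\Utilities\ADDeletionSync.exe'
$taskName = 'Active Directory Deletion Synchronization'

if (-not (Test-Path -LiteralPath $exe)) {
    throw "ADDeletionSync.exe not found at $exe; adjust the path to your MyID installation."
}

# Action: start the program with no arguments and no working directory,
# matching the blank "Add arguments" and "Start in" fields in the GUI steps.
$action = New-ScheduledTaskAction -Execute $exe

# Trigger: begin on a schedule (start now) and repeat every 15 minutes.
# [TimeSpan]::MaxValue expresses "for a duration of: Indefinitely"; on
# Windows Server 2016 and later, omitting -RepetitionDuration has the same effect.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 15) `
    -RepetitionDuration ([TimeSpan]::MaxValue)

# Settings: stop a run that exceeds one hour (the optional "Stop task if it
# runs longer than" option) and do not start a new instance while the previous
# run is still executing, which is the overlap described in section 5.8.1.
# (Assumed values; tune them to your directory and database response times.)
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew

# Account: the documentation advises a domain administrator. Prompt for the
# credential rather than embedding a password in the script. Supplying -User
# and -Password registers the task with a stored password, which corresponds
# to the "Run whether user is logged on or not" security option.
$cred = Get-Credential -Message 'Account that will run ADDeletionSync.exe (DOMAIN\user)'

Register-ScheduledTask -TaskName $taskName `
    -Description 'Synchronizes Active Directory deletions (tombstones) into MyID' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password | Out-Null

# Verification: confirm the task is registered and, once it has fired, inspect
# its timings. LastTaskResult holds the exit code of the last run (0 is the
# conventional success value); NextRunTime shows whether runs keep pace with
# the interval.
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

The account you supply must be permitted to log on as a batch job on the application server, and because the Task Scheduler service stores the password for a task registered this way, treat the account and the server as sensitive. After the first few triggers have fired, re-run the final Get-ScheduledTaskInfo line: a NextRunTime that repeatedly slips behind the interval, or repeated non-zero LastTaskResult values, is the signal that the interval or the time limit needs adjusting.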