Block re-using deleted user logins and email addresses

We're looking for a method to keep a record of deleted users and their email addresses, and make sure they are not being re-used on new accounts.

Our email aliases are matching the user logins, and they go by first initial + last name. So it's easy to come up with duplicates, for which ARS' login generator does a good job generating unique logins.

But the login generator is obviously only looking at existing user accounts.

So I'm wondering a) where to store a list of old logins ARS should not be re-using, and b) what's the best way to implement this in the login generation.

I'm guessing the build-in login generator button can't be modified like that. And if creating my own login generator policy script, I'm not sure it's possible to have it that smooth that it would show you the new login during the account creation wizard and lets you adjust the naming to not end up with an email address that ends in a number and stuff like that. With the built-in generator, you play around and generate new logins until it looks ok.

thanks

Felix

  • You still need to have user.sAMAccountName long-time storage repository somewhere.

    (option1) OU=TermnatedUsers - keep all Disabled, Deprovisioned users inside AD domain and never remove. (A lot of customer do it for compliance and legacy reasons)

    (option2) store it in external DB (same HR system).

    ARS Policy - UserID (sAMAccountNAme) generation will be on AR Server-side. in option1) the policy will generate unique sAMAccountName (appending N+1 or another rule).

    In option2 (and 1 in general) you will need to have AR Policy custom script onPreCreate() to generate unique sAMaccountName and query external history-userID storage.