Quarantined Users
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
If you move or delete a user account in your LDAP database, the status of the linked AuthPoint user account changes to Quarantined. Quarantined user accounts do not use a user license. When a user account becomes quarantined, the license previously used by that user account becomes available.
In the users list, quarantined user accounts display a yellow icon next to the user name.
Quarantined users cannot authenticate until you restore them or move them back to their original location in the LDAP database. If you moved the user account intentionally, you can create a new query to sync the user to AuthPoint and remove the Quarantined status. For more information, see Resync Quarantined Users.
If you deleted the user account intentionally, you must manually delete the user in AuthPoint or enable the Quarantined Users Cleanup setting to automatically delete quarantined users. For more information, see Remove Quarantined Users.
Remove Quarantined Users
You can enable the Quarantined Users Cleanup setting to automatically remove LDAP-synced users after they have had the Quarantined status for a specified amount of time.
To delete an LDAP user in AuthPoint, we recommend that you remove the user from their AD or LDAP group to give them the Quarantined status in AuthPoint, then delete the user in AuthPoint.
To configure AuthPoint to automatically remove quarantined users:
- From the AuthPoint menu, select Settings.
- Select the Automatically remove quarantined users check box.
Additional settings appear.
- From the Remove quarantined users after drop-down list, select how long users have the Quarantined status before they are automatically removed.
For LDAP user accounts that are already quarantined when you enable this feature, AuthPoint accounts for the time since the user status changed to Quarantined.
For example, you configure AuthPoint to automatically remove quarantined users after 60 days. If a user status changed to Quarantined 45 days earlier, AuthPoint will remove the user 15 days after you enable the feature (60 days after the status changed to Quarantined).
Resync Quarantined Users
Quarantined users cannot authenticate until you restore them or move them back to their original location in the LDAP database. If you moved the user account in the LDAP database intentionally, you can create a new query to resync the user to AuthPoint and remove the Quarantined status.
AuthPoint identifies LDAP users by their Globally Unique Identifier (GUID). When you resync users from an external user database, AuthPoint recognizes users that already exist, even if the user name has changed. If you delete a user from the LDAP database and then create a new user account with the same information and resync to AuthPoint, AuthPoint does not associate the new user account with the Quarantined user because they have different GUIDs. To resync the deleted user to AuthPoint and remove the Quarantined status, you must restore the original user account in the LDAP database.
You must have an available user license for each quarantined user account that you want to resync. If you do not have an available user license, you cannot remove the Quarantined status from the user account.
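The behaviour described in the Remove Quarantined Users and Resync Quarantined Users sections (quarantine on a missing GUID, licenses released by quarantine, matching by GUID rather than user name, a recreated account with a new GUID treated as a new user, a license required to restore a quarantined user, and cleanup measured from the date the status changed) can be modelled in a few lines. The following is an added example written for this page, not WatchGuard code and not the AuthPoint API; the class names, the `sync` and `cleanup` functions and the sample GUIDs are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical model of the documented sync rules; not WatchGuard's implementation.

@dataclass
class AuthPointUser:
    guid: str                      # LDAP GUID is the identity key, not the user name
    username: str
    status: str = "Activated"      # "Activated" or "Quarantined"
    quarantined_at: Optional[datetime] = None

@dataclass
class Tenant:
    license_total: int
    users: Dict[str, AuthPointUser] = field(default_factory=dict)  # guid -> user

    def licenses_in_use(self) -> int:
        # Quarantined accounts do not consume a user license.
        return sum(1 for u in self.users.values() if u.status == "Activated")

    def licenses_available(self) -> int:
        return self.license_total - self.licenses_in_use()

def sync(tenant: Tenant, ldap_entries: Dict[str, str], now: datetime) -> Dict[str, List[str]]:
    """ldap_entries maps GUID -> user name for accounts returned by the group sync query.
    Returns which GUIDs were quarantined, renamed, restored, added, or blocked by licensing."""
    summary: Dict[str, List[str]] = {k: [] for k in
                                     ("quarantined", "renamed", "restored", "added", "no_license")}
    # 1. Accounts no longer returned by the query are quarantined; their license is freed.
    for guid, user in tenant.users.items():
        if guid not in ldap_entries and user.status == "Activated":
            user.status, user.quarantined_at = "Quarantined", now
            summary["quarantined"].append(guid)
    # 2. Returned accounts are matched by GUID only; a new GUID is a new user.
    for guid, username in ldap_entries.items():
        user = tenant.users.get(guid)
        if user is None:
            if tenant.licenses_available() < 1:
                summary["no_license"].append(guid)
                continue
            tenant.users[guid] = AuthPointUser(guid, username)
            summary["added"].append(guid)
            continue
        if user.username != username:          # renamed in LDAP, same GUID: still the same user
            user.username = username
            summary["renamed"].append(guid)
        if user.status == "Quarantined":       # restoring needs a free license
            if tenant.licenses_available() < 1:
                summary["no_license"].append(guid)
                continue
            user.status, user.quarantined_at = "Activated", None
            summary["restored"].append(guid)
    return summary

def cleanup(tenant: Tenant, retention_days: int, now: datetime) -> List[str]:
    """Remove users quarantined for at least retention_days. The clock runs from
    quarantined_at, so accounts already quarantined when cleanup is enabled count
    the time they have already spent in that status."""
    removed = []
    for guid, user in list(tenant.users.items()):
        if (user.status == "Quarantined" and user.quarantined_at is not None
                and now - user.quarantined_at >= timedelta(days=retention_days)):
            del tenant.users[guid]
            removed.append(guid)
    return removed

def removal_date(quarantined_at: datetime, retention_days: int) -> datetime:
    """Date on which cleanup will remove an account quarantined at quarantined_at."""
    return quarantined_at + timedelta(days=retention_days)

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    tenant = Tenant(license_total=2)
    print(sync(tenant, {"guid-a": "alice", "guid-b": "bob"}, t0))
    print(sync(tenant, {"guid-a": "alice"}, t0 + timedelta(days=1)))       # bob quarantined
    print(sync(tenant, {"guid-a": "alice", "guid-b2": "bob"}, t0 + timedelta(days=2)))  # new GUID
    print(removal_date(t0 + timedelta(days=1), 60))
```

Walking the page's 60/45/15 example through `cleanup`: an account whose status changed 45 days before the feature is enabled is not removed on that day, but is removed once the 60th day since `quarantined_at` is reached, because the retention clock starts at the status change rather than at the moment the setting is switched on.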
To resync a quarantined user:
- From the AuthPoint menu, select External Identities.
- Next to the external identity that your user syncs from, click and select Group Sync.
- On the Group Sync page, click Add New Group to Sync.
- In the Add Group Sync window, from the Select LDAP Groups drop-down list, select the LDAP group that the quarantined user is a member of.
Do not select the LDAP group that the quarantined user was a member of before they were quarantined.
- From the Select the Group drop-down list, select the AuthPoint group of the quarantined user.
- Click Save.
The Add Group Sync window closes and your group sync is saved.
- From the AuthPoint menu, select External Identities.
- Next to the external identity that your user syncs from, click and select Start Synchronization.
AuthPoint syncs with your external user database and identifies the quarantined user from the group sync you created. The status of the user changes from Quarantined to Activated. The user can now successfully authenticate.