Quarantined Users

If you move or delete a user account in your LDAP database, the status of the linked AuthPoint user account changes to Quarantined. In the users list, Quarantined user accounts display a yellow icon next to the user name.

Quarantined users cannot authenticate until they are restored or moved back to their original location in the LDAP database. If the user account was moved intentionally, you can create a new query to sync the user to AuthPoint and remove the Quarantined status. For more information, see Resync Quarantined Users.

If the user account was deleted intentionally, you must manually delete the user in AuthPoint or enable the Quarantined Users Cleanup feature to automatically delete quarantined users. For more information, see Remove User Accounts and Remove Quarantined Users.

Remove Quarantined Users

You can enable the Quarantined Users Cleanup setting to automatically remove LDAP synced users that become quarantined. You can either remove quarantined users immediately or after they have the Quarantined status for a specified amount of time.

To delete an LDAP user in AuthPoint, the best practice is to remove the user from their AD or LDAP group to give them the Quarantined status in AuthPoint, then delete the user in AuthPoint.

To configure AuthPoint to automatically remove quarantined users:

  1. From the AuthPoint menu, select Settings.
  2. Enable Automatically remove quarantined users.
    Additional settings appear.
  3. From the Remove quarantined users after drop-down list, select how long users have the Quarantined status before they are automatically removed. To remove quarantined users as soon as their status changes to Quarantined, enable Remove quarantined users immediately.

Screenshot that shows the Quarantined Users Cleanup section on the Settings page.

For LDAP user accounts that are already quarantined when you enable this feature, AuthPoint counts the time from when the user status changed to Quarantined, not from when you enabled the feature.

For example, you configure AuthPoint to automatically remove quarantined users after 60 days. If a user's status changed to Quarantined 45 days earlier, that user is removed 15 days after you enable the feature (60 days after the status changed to Quarantined).

Resync Quarantined Users

Quarantined users cannot authenticate until you restore them or move them back to their original location in the LDAP database. If you moved the user account in the LDAP database intentionally, you can create a new query to resync the user to AuthPoint and remove the Quarantined status.

To resync a quarantined user:

  1. From the AuthPoint menu, select External Identities.
  2. Next to the external identity that your user syncs from, click and select Group Sync.
  3. On the Group Sync page, click Add New Group to Sync.
  4. In the Add Group Sync window, from the Select LDAP Groups drop-down list, select the LDAP group that the quarantined user is a member of.
    Do not select the LDAP group that the quarantined user was a member of before they were quarantined.
  5. From the Select the Group drop-down list, select the AuthPoint group of the quarantined user.
  6. Click Save.
    The Add Group Sync window closes and your group sync is saved.
  7. From the AuthPoint menu, select External Identities.
  8. Next to the external identity that your user syncs from, click and select Start Synchronization.

AuthPoint syncs with your external user database and identifies the quarantined user from the group sync you created. The status of the user changes from Quarantined to Activated. The user can now successfully authenticate.

AuthPoint recognizes users by their UUID. When you sync users from an external user database, AuthPoint recognizes users that already exist, even if the user name has changed.
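The following Python model, added here as an illustration and not AuthPoint's own code, walks through the behaviour described in the Remove Quarantined Users and Resync Quarantined Users sections: users are matched by UUID so a rename is not a new user, a user that no group sync query returns becomes Quarantined, adding a group sync and starting synchronization restores the user to Activated, and the cleanup timer counts from the moment the status changed rather than from when the feature was enabled. The data shapes, field names, the assumed `objectGUID`/`entryUUID`-style identifier, the constructed users (alice, bob, carol, dave) and the rule that an already-overdue user is removed at the next cleanup pass are all assumptions chosen to match the prose.

```python
"""Constructed model of the sync / Quarantined / cleanup behaviour this page
describes. Illustrative code written for the page, not AuthPoint's own
implementation: data shapes, field names and exact timing rules are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ACTIVATED = "Activated"
QUARANTINED = "Quarantined"
EPOCH = datetime(2024, 1, 1)  # constructed reference date for the scenario


@dataclass
class User:
    uuid: str                              # stable LDAP id (assumed objectGUID / entryUUID)
    name: str
    status: str = ACTIVATED
    quarantined_at: Optional[datetime] = None


def sync(users: dict, query_results: list, now: datetime) -> dict:
    """One Start Synchronization pass. query_results holds one list of
    (uuid, name) pairs per configured group sync. Matching is by UUID, so a
    renamed account keeps its AuthPoint user and only gets the new name; a
    user no query returned (moved or deleted in LDAP) becomes Quarantined;
    a Quarantined user that a query returns again is restored to Activated."""
    seen = {}
    for result in query_results:
        for uuid, name in result:
            seen[uuid] = name
    for uuid, name in seen.items():
        user = users.get(uuid)
        if user is None:
            users[uuid] = User(uuid, name)          # new LDAP user
        else:
            user.name = name                        # rename is not a new user
            if user.status == QUARANTINED:
                user.status, user.quarantined_at = ACTIVATED, None
    for uuid, user in users.items():
        if uuid not in seen and user.status == ACTIVATED:
            user.status, user.quarantined_at = QUARANTINED, now
    return users


def cleanup(users: dict, enabled: bool, retention: Optional[timedelta], now: datetime) -> list:
    """Quarantined Users Cleanup pass; retention=None models 'remove immediately'.
    Age is counted from the moment the status changed, so a user already
    Quarantined when the feature is enabled gets no fresh retention window.
    Returns the UUIDs removed."""
    if not enabled:
        return []
    removed = []
    for uuid, user in list(users.items()):
        if user.status != QUARANTINED:
            continue
        if retention is None or now - user.quarantined_at >= retention:
            removed.append(uuid)
            del users[uuid]
    return removed


def days_until_removal(days_quarantined: int, retention_days: int) -> int:
    """Days after enabling the feature until a user already Quarantined for
    days_quarantined days is removed; 0 if the window has already elapsed
    (assumed: such users go at the next cleanup pass, never on a past date)."""
    return max(0, retention_days - days_quarantined)


def walkthrough() -> dict:
    """Constructed scenario: alice, bob and carol sync from LDAP group A. Then
    alice is renamed, bob is moved out of A and carol is deleted in LDAP.
    bob is resynced through a new group sync for group B; carol is removed
    by cleanup 60 days after she was quarantined. dave shows immediate mode."""
    day = lambda n: EPOCH + timedelta(days=n)
    users = {}
    group_a = [("uuid-alice", "alice"), ("uuid-bob", "bob"), ("uuid-carol", "carol")]
    sync(users, [group_a], day(0))
    group_a = [("uuid-alice", "alice.smith")]          # LDAP state on day 1
    sync(users, [group_a], day(1))
    after_move = {u.name: u.status for u in users.values()}
    group_b = [("uuid-bob", "bob")]                    # new group sync added for bob
    sync(users, [group_a, group_b], day(2))
    bob_after_resync = users["uuid-bob"].status
    removed_day30 = cleanup(users, True, timedelta(days=60), day(30))
    removed_day61 = cleanup(users, True, timedelta(days=60), day(61))
    immediate = {}                                     # separate table, immediate mode
    sync(immediate, [[("uuid-dave", "dave")]], day(0))
    sync(immediate, [[]], day(1))
    removed_immediately = cleanup(immediate, True, None, day(1))
    return {
        "after_move": after_move,
        "bob_after_resync": bob_after_resync,
        "removed_day30": removed_day30,
        "removed_day61": removed_day61,
        "removed_immediately": removed_immediately,
        "remaining": sorted(u.name for u in users.values()),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
```

Running the block prints the scenario: after day 1, alice.smith is still Activated under her original UUID, bob and carol are Quarantined; after the group B sync bob is Activated again; carol survives the day-30 cleanup pass and is removed on day 61, sixty days after her status changed. `days_until_removal(45, 60)` reproduces the page's 15-day figure.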

See Also

About Gateways

User Management