Targeting OU to suspend accounts

[IVAN ROMERO]

Hello, I am a new Foresight user and came here because of the suspend inactive users feature. I figured out how to implement it but is there a way to target specific OU's instead of the whole domain? 

[Jason Huang]

Hello,

Yes, there is. The workflow looks like this User turned inactive => Get user info => If (Specific OU) => Suspend user. 

The User turned inactive trigger will output the inactive user's primary email as a variable (you can think it as metadata), then use the Get user info action to retrieve the full profile of the user, including the OU the user is in. The profile variables will pass down the flow.

In the If action, rename the Branch 1 to specific OU or something and set condition as Organization Unit Path text is exactly /OU/SubOU/SubSubOU. Replace the /OU/SubOU/SubSubOU with your organizational setting. Please note it's case-sensitive. Then add Suspend user action after this branch. Ignore the Fallback branch. That means, if the inactive user is not in the given OU, do nothing. 

You can change the condition to Organization Unit Path text starts with /OU/SubOU to also include all SubSubOUs. 

Thanks.

[IVAN ROMERO]

Thank you very much! It worked like a charm. 

[Robert Gellatly]

Hi,

I found the information on supspending an account given an exact period of inactivity.  Is there a way to configure this to suspend any account that have been inactive for 365 days or more, rather than exactly 365 days?

Please advise,

Bob Gellatly

[Joe Scanlon]

I seem to be having an issue with a similair config. I'm trying to Suspend inactive accounts in a certain OU and then move those user into a sperarte OU once they have been suspened. Once I click save it doesn't even try to run. When I remove the move to differnet OU action it still doesn't run. What am I doing wrong? 

[Jason Huang]

Your rule setup is correct. However, the User turned inactive trigger may not work in the way that you expected to. We define a user turning into "inactive" as the last login time is EXACTLY 60 days ago. In other words, if a user's last login time is 65 days ago, the user won't trigger the rule. 

If a user's last login is 55 days ago, the user won't trigger the rule either, but if you wait for 5 days, the user triggers the rule. 

If you'd like users whose login times are older than 60 days to trigger as well, then select the Also include existing inactive users checkbox in the User turned inactive trigger.

I hope it works.

Thanks.

[Joe Scanlon]

Thanks for the response! I think I understand now what the actions are doing. How often does the action run? Will I see it in the logs when it actually looks for 60 day old logins? Thanks for the help!

Joe 

[Jason Huang]

When the rule will trigger depends on your Google Workspace domain's users' login times and your User turned inactive trigger's configuration. There are no logs for the User turned inactive trigger.

Only when a user turned into inactive that triggers the rule, the automation log will be available in the Logs page. 

I hope it helps.

Thank you. 

[Joe Scanlon]

Thanks! I'll mess around with it some more to make sure it's working properly before committing to a paid license. Thanks again the help.