Overview
The MCE system supports altering MCE granular user states by providing appropriate PowerShell cmdlets to admins, this page provides information on the users, states and side-effects.
If using the MindLink auto-provisioning service, when a user logs in the system will first check whether the user exists comparing against users in Enabled
, Suspended
and Disabled
states.
If so, login will continue as normal. Otherwise, a new user will be created and then login can be attempted.
User states
MCE users can only be in one of the following state:
Enabled:
MCE user attributes synchronized, MCE user can login.Suspended:
MCE user attributes synchronized, MCE user cannot login.Disabled:
MCE user attributes are not synchronized, MCE user cannot login.Removed:
MCE user attributes are not synchronized, MCE user cannot login.
Suspended
users are similar to Enabled
users, only that they are restricted from logging in. The purpose of which is to allow admins to complete the user setup process, then once satisfied, the user can quickly be enabled through the provided PowerShell cmdlets. User attributes will continue to be synchronized based on the intervals configured on the system, and attributes can be forcefully synchronized using Sync-MceUserAttributes
.
A disabled user has all user attributes removed from the system and will not be able to login, attempting to force attribute synchronization through Sync-MceUserAttributes
will not perform any action.
Once a user has been removed, they are hueristically unreachable within the system and all the user's synchronized attributes will be removed from the system and cannot be resynchronized. There will however, be an auditable trail of events showing the attributes both being added and removed, aside from this the only information remaining in the system will be the display name provided during creation.
Removing a user is a non-reversible operation and once carried out, the users can no longer be edited. By default, they will not be returned in Get-MceUser
queries, except if providing -Status Removed
or -IncludeRemovedUsers
in the cmdlet. Attempting to force synchronize attributes for a removed user with Sync-MceUserAttributes
will result in an error propagated to the PowerShell terminal.
Duplicate users
By default, admins can no longer create MCE users which share a LinkedUserIdentity or ObjectGUID with an existing user within the system. If attempting to create a duplicate user with New-MceUser
command, an error will be propagated to the PowerShell terminal detailing the failure. This behavior can however be overridden by providing an optional -Force
flag, this is not recommended as duplicate conflicting users will result in a failed login.
Altering user state
Admins can transition users between states, unless the user enters a Removed
state.
All user state transitions can be performed using the PowerShell cmdlets, below are those used to manipulate an MCE users' state:
Commands
Set-MceUser
: User state changed by providing-Status [Enabled/Disabled/Suspended/Removed]
Enable-MceUser
: Enables a userDisable-MceUser
: Disables a userSuspend-MceUser
: Suspends a userRemove-MceUser
: Removes a user
For more information on the above cmdlets go to PowerShell commands section.