Skip to main content

Overview

The MCE system supports altering MCE granular user states by providing appropriate PowerShell cmdlets to admins, this page provides information on the users, states and side-effects.

info

If using the MindLink auto-provisioning service, when a user logs in the system will first check whether the user exists comparing against users in Enabled, Suspended and Disabled states. If so, login will continue as normal. Otherwise, a new user will be created and then login can be attempted.

User states

MCE users can only be in one of the following state:

  • Enabled: MCE user attributes synchronized, MCE user can login.
  • Suspended: MCE user attributes synchronized, MCE user cannot login.
  • Disabled: MCE user attributes are not synchronized, MCE user cannot login.
  • Removed: MCE user attributes are not synchronized, MCE user cannot login.

Suspended users are similar to Enabled users, only that they are restricted from logging in. The purpose of which is to allow admins to complete the user setup process, then once satisfied, the user can quickly be enabled through the provided PowerShell cmdlets. User attributes will continue to be synchronized based on the intervals configured on the system, and attributes can be forcefully synchronized using Sync-MceUserAttributes.

A disabled user has all user attributes removed from the system and will not be able to login, attempting to force attribute synchronization through Sync-MceUserAttributes will not perform any action.

Once a user has been removed, they are hueristically unreachable within the system and all the user's synchronized attributes will be removed from the system and cannot be resynchronized. There will however, be an auditable trail of events showing the attributes both being added and removed, aside from this the only information remaining in the system will be the display name provided during creation.

Removing a user is a non-reversible operation and once carried out, the users can no longer be edited. By default, they will not be returned in Get-MceUser queries, except if providing -Status Removed or -IncludeRemovedUsers in the cmdlet. Attempting to force synchronize attributes for a removed user with Sync-MceUserAttributes will result in an error propagated to the PowerShell terminal.

Duplicate users

By default, admins can no longer create MCE users which share a LinkedUserIdentity or ObjectGUID with an existing user within the system. If attempting to create a duplicate user with New-MceUser command, an error will be propagated to the PowerShell terminal detailing the failure. This behavior can however be overridden by providing an optional -Force flag, this is not recommended as duplicate conflicting users will result in a failed login.

Altering user state

Admins can transition users between states, unless the user enters a Removed state.

All user state transitions can be performed using the PowerShell cmdlets, below are those used to manipulate an MCE users' state:

Commands

  • Set-MceUser: User state changed by providing -Status [Enabled/Disabled/Suspended/Removed]
  • Enable-MceUser: Enables a user
  • Disable-MceUser: Disables a user
  • Suspend-MceUser: Suspends a user
  • Remove-MceUser: Removes a user

For more information on the above cmdlets go to PowerShell commands section.