Remove AD groups from the AD server once the user account is disabled.

NaveenK08632274
Tera Contributor

I am currently working on a use case where I am using Flow Designer to disable a user account in the AD server as part of the termination process.

If the user is associated with AD groups, we also need to remove those group memberships once the user is disabled in the AD server.

We have already configured the AD Spoke in our environment. Please suggest the best approach for implementing this solution.

Yogesh11bhatt
Kilo Guru

Hi @NaveenK08632274,

Since you are already using the Active Directory Spoke in Flow Designer, you are well-positioned to automate this process. The key requirement is to retrieve the user's AD group memberships and then remove those memberships as part of the termination workflow.

Recommended Flow Design

Get User Details

  • Use the AD Spoke action to retrieve the user record and group membership information (memberOf or equivalent attribute).

  • If your AD Spoke version provides a dedicated Get User Groups or Get Group Memberships action, consider using that instead of parsing memberOf directly.

Validate Group Memberships

  • Add an If condition to check whether the user belongs to any groups.

  • If no groups are returned, proceed directly to account disablement.

For Each Group

  • Use a For Each action to iterate through the returned group collection.

  • Inside the loop, use the AD Spoke action to Remove User from Group.

Disable the User Account

  • After the group removals are complete, disable the AD account using the appropriate AD Spoke action.

Error Handling & Audit Considerations

For termination processes, I strongly recommend adding error handling:

Failure Handling

  • If a group removal fails, log the failure.

  • You may want to create a task or incident for manual remediation.

  • Decide whether the flow should stop immediately or continue processing the remaining groups.

Audit Trail

  • Before removing memberships, consider storing the list of groups in a Work Note, an audit field, or a termination task record.

  • This provides a valuable audit trail if security access reviews are performed later.

Service Account Permissions

Verify that the account used by the AD Spoke has permissions to:

  • Read user memberships.

  • Remove users from groups.

  • Disable user accounts.

Note on Sequence

Depending on your organization's security policy, you may choose to:

Remove Groups → Disable Account

or

Disable Account → Remove Groups

Both approaches are common; the most important factor is ensuring the workflow handles failures gracefully and leaves the user record in a documented, known state.

Hope this helps!

Please mark this answer as Helpful if it resolves your question. 🙂

Thanks,
Yogesh Bhatt
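The sequence described in the reply above (snapshot memberships for audit, remove each group with per-group failure handling, then disable), written out as a PowerShell script against the ActiveDirectory module. This is an added example, not code from the post or from the ServiceNow AD Spoke; it assumes the RSAT ActiveDirectory module, a service account with the three permissions listed above, and the audit file path shown (both the path and the sample account name are assumptions).

```powershell
# Added example: termination cleanup equivalent to the Flow Designer design above.
# Assumes the ActiveDirectory module and an account allowed to read memberOf,
# remove group members and disable accounts.
Import-Module ActiveDirectory

function Invoke-TerminationCleanup {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $AuditPath = 'C:\Temp\termination-audit.json',   # assumed location
        [switch] $ContinueOnError                                # stop vs. continue policy
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    # memberOf lists group DNs. The primary group (Domain Users by default) is
    # not in memberOf and cannot be removed with Remove-ADGroupMember.
    $groups = @($user.MemberOf)

    # Audit trail: persist the membership snapshot before changing anything,
    # so later access reviews can see what the user held at termination.
    [pscustomobject]@{
        User      = $user.DistinguishedName
        Timestamp = (Get-Date).ToString('o')
        Groups    = $groups
    } | ConvertTo-Json | Out-File -FilePath $AuditPath -Encoding utf8

    $removed  = @()
    $failures = @()
    foreach ($groupDn in $groups) {
        try {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false -ErrorAction Stop
            $removed += $groupDn
        } catch {
            # Record the failure for manual remediation (task/incident in ServiceNow).
            $failures += [pscustomobject]@{ Group = $groupDn; Error = $_.Exception.Message }
            Write-Warning "Failed to remove from ${groupDn}: $($_.Exception.Message)"
            if (-not $ContinueOnError) { break }
        }
    }

    # Disable last, even after removal failures, so the account always ends in
    # a known state; the returned summary documents what was and was not done.
    Disable-ADAccount -Identity $user -ErrorAction Stop

    return [pscustomobject]@{
        Disabled = $true
        Removed  = $removed
        Failures = $failures
        Skipped  = $groups.Count - $removed.Count - $failures.Count   # not attempted after a stop
    }
}

# Usage with a constructed account name:
# Invoke-TerminationCleanup -SamAccountName 'jdoe' -ContinueOnError
```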