Restrict users

The Restrict Users option under License Management lets administrators free up licenses by restricting user accounts that do not require self-service access. Restricting an account revokes and frees the ADSelfService Plus license the account consumed, deletes the account's enrollment data, and blocks the account from logging in to the self-service portal. The product manages restrictions for both Active Directory and Microsoft Entra ID directories from the same page, and you can restrict or reinstate accounts manually or on a schedule.

The account categories you can restrict depend on the directory. For Active Directory (AD), you can scope restrictions to organizational units (OUs). For Microsoft Entra ID, you can scope restrictions to domains. The following table lists each account category and shows whether you can restrict it in Active Directory and Microsoft Entra ID.

| Account category | What it covers | Active Directory | Microsoft Entra ID |
|---|---|---|---|
| Disabled accounts | Accounts that an administrator has disabled, such as when an employee leaves the organization. | Yes | Yes |
| Expired accounts | Accounts created for a limited period, such as for a temporary employee, that have now expired. | Yes | No |
| Inactive accounts | Accounts with no activity for a set number of days. | Yes | No |
| Deleted accounts | Accounts deleted from the directory. For Microsoft Entra ID, deleted-user reports cover a maximum of 30 days. | Yes | Yes |
| Smart card users | Accounts that authenticate with a smart card. | Yes | No |
| Service accounts | Accounts that grant services the permissions they need to run. Resetting a service account password stops the service, so restricting these accounts prevents accidental disruption. | Yes | No |
| Unowned licenses | Accounts that were permanently (hard) deleted in the directory but whose deletion has not yet been synced to the product, leaving the licenses they consumed flagged as unowned. | Yes | Yes |
| All users | Every account in the selected scope. | Yes | Yes |
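The following PowerShell script is an added example, not part of the ADSelfService Plus documentation or product. It enumerates Active Directory accounts in the restrictable categories the table defines, so an administrator can cross-check the list the product generates before restricting access. It assumes the ActiveDirectory RSAT module is installed, the OU path is a constructed placeholder, and the attribute mappings (SmartcardLogonRequired, ServicePrincipalName, LastLogonDate) approximate each category; the product's own matching rules are not published here.

```powershell
# Added example: preview AD accounts per restrictable category (not product code).
Import-Module ActiveDirectory

$SearchBase   = 'OU=Contractors,DC=example,DC=com'   # constructed placeholder; set to your scope
$InactiveDays = 90                                    # same meaning as "Inactive user for ... days"
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$Props        = 'Enabled', 'AccountExpirationDate', 'LastLogonDate',
                'SmartcardLogonRequired', 'ServicePrincipalName', 'WhenCreated'

# One directory query; the categories are evaluated locally against the result.
$Users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties $Props

# Assumed attribute mappings for the categories in the table above.
# LastLogonDate is derived from lastLogonTimestamp, so it can lag real activity by up to 14 days.
$Categories = [ordered]@{
    'Account Disabled' = { $_.Enabled -eq $false }
    'Account Expired'  = { $_.AccountExpirationDate -and $_.AccountExpirationDate -lt (Get-Date) }
    'Inactive'         = { $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) }
    'Smart Card Users' = { $_.SmartcardLogonRequired -eq $true }
    'Service Accounts' = { ($_.ServicePrincipalName | Measure-Object).Count -gt 0 }
}

# Same columns the product shows after Generate: Display Name, User Principal Name, Created Time.
$Report = foreach ($name in $Categories.Keys) {
    $Users | Where-Object $Categories[$name] | ForEach-Object {
        [pscustomobject]@{
            AccountType       = $name
            DisplayName       = $_.Name
            UserPrincipalName = $_.UserPrincipalName
            CreatedTime       = $_.WhenCreated
        }
    }
}

# Deleted accounts are tombstoned objects; -IncludeDeletedObjects needs the AD Recycle Bin enabled.
$Deleted = Get-ADObject -Filter 'objectClass -eq "user" -and isDeleted -eq $true' `
    -IncludeDeletedObjects -Properties whenChanged |
    Where-Object { $_.whenChanged -gt $Cutoff } |
    ForEach-Object {
        [pscustomobject]@{ AccountType = 'Deleted Accounts'; DisplayName = $_.Name
                           UserPrincipalName = ''; CreatedTime = $null }
    }

$Report + $Deleted | Sort-Object AccountType, DisplayName | Format-Table -AutoSize
$Report + $Deleted | Export-Csv -Path '.\restrict-candidates.csv' -NoTypeInformation
```

Compare the CSV against the list the product shows after Generate; a user present in one but not the other points at a scope or category mismatch worth resolving before clicking Restrict Access.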

Prerequisites

To configure the Restrict Users feature in ADSelfService Plus, you need the following:

Permissions: Administrator access to ADSelfService Plus.

Email notification (optional): To email the restricted accounts' list from a scheduler, configure a mail server in Mail / SMS Settings. For more details, see configuring mail server settings.

Limitations

The Restrict Users feature in ADSelfService Plus has the following limitations.

  • Restricting an account deletes its enrollment data automatically. After an account is reinstated, the user must enroll again before using self-service features.
  • For Microsoft Entra ID deleted users, ADSelfService Plus can generate reports for a maximum of 30 days.

Configuration instructions

In ADSelfService Plus, you restrict and reinstate accounts manually from the Restricted Users page or automatically with schedulers.

Restrict accounts manually

To restrict accounts in either directory:

  1. Navigate to Admin > License Management > Restrict Users.
  2. Click + Restrict Users.
  3. From Select Directory, choose the directory: a domain under Active Directory or a tenant under Microsoft Entra ID.
  4. Set the scope (optional):
    • For Active Directory: The scope shows All OU. Click Add, select the OUs in the Select Filters dialog. You can switch between Tree view and List view, and optionally select Don't inherit child OU(s). Click OK.
    • For Microsoft Entra ID: The scope shows All Domains. Click Add, select the domains in the Select Filters dialog, then click OK.
  5. From Account Type, select the category to restrict:
    • For Active Directory: Account Expired, Account Disabled, Inactive, Deleted Accounts, Smart Card Users, Service Accounts, UnOwned Licenses, or All Users.
    • For Microsoft Entra ID: Account Disabled, Deleted Users, UnOwned Licenses, or All Users.
  6. Click Generate. ADSelfService Plus lists the matching accounts with their Display Name, User Principal Name, and Created Time. To stop a generation in progress, click Stop.
  7. Select the accounts to restrict. To select every account in the list, select the checkbox in the column header.
  8. Click Restrict Access.
  9. In the Confirm Action dialog, click Yes.

ADSelfService Plus deletes the selected accounts' enrollment data, frees their Endpoint MFA licenses, and blocks them from logging in to the self-service portal.

Fig.1: Restricting user accounts in ADSelfService Plus.

Reinstate accounts manually

Reinstating an account restores its self-service access. To reinstate accounts manually:

  1. Go to Admin > License Management > Restrict Users. The Restricted Users page lists the accounts that are currently restricted.
  2. From Select Organization, choose the directory whose restricted accounts you want to reinstate.
  3. Select the accounts to reinstate.
  4. Click Derestrict Users.

Because restriction deleted the accounts' enrollment data, reinstated users must enroll again before they can use self-service features.

Schedule automatic restriction

Use a scheduler to restrict matching accounts on a recurring basis. To create a restriction scheduler:

  1. Go to Admin > License Management > Restrict Users.
  2. Click Schedule to Restrict/Derestrict in the top-right corner.
  3. On the Restrict Users tab, click + Add New Scheduler. The Scheduler to Restrict Users page opens.
  4. Enter a name in the Scheduler Name field. To add a description, click Add Description.
  5. For Select Directory Type, select Active Directory or Microsoft Entra ID.
  6. Set the scope:
    • For Active Directory: Under Select Domain, select the domain. To limit the scope to specific OUs, click Add and select them in the Select Filters dialog.
    • For Microsoft Entra ID: Under Select Tenant, select the domain.
  7. Under Select Account Type, select the categories to restrict:
    • For Active Directory: Account Disabled, Account Expired, Smart Card Users, Service Accounts, Inactive user for ... days, or Deleted user for ... days. For the inactive and deleted options, enter the number of days in the field (the default is 7). For service accounts, choose the object type with the Computers link.
    • For Microsoft Entra ID: Account Disabled or Deleted user for ... days. Enter the number of days in the field (the default is 7).
  8. Under Select Duration, set the frequency (for example, Daily) and the run time using the hrs and mins lists.
  9. To email the restricted accounts' list, select Specify the e-mail address under Mail admin the restricted users' list and enter an address. A mail server is required; if prompted, click Yes to open Mail Settings. For more details, see configuring mail server settings.
  10. Click Create.

Schedule automatic reinstatement

Use a scheduler to reinstate accounts automatically when they meet the conditions you set. To create a reinstatement scheduler:

  1. Go to Admin > License Management > Restrict Users.
  2. Click Schedule to Restrict/Derestrict in the top-right corner.
  3. Click the Derestrict Users tab.
  4. From Select Directory, choose the directory: a domain under Active Directory or a tenant under Microsoft Entra ID.
  5. Select Enable scheduler to unrestrict users.
  6. Select the conditions under which accounts are reinstated:
    • For Active Directory: When account is enabled, When smart card access is disabled, When account expiration is changed, or When the user has logged on in the last ... days.
    • For Microsoft Entra ID: When account is enabled.
  7. Click Save.

The Active Directory reinstatement scheduler runs as part of the AD Synchronizer scheduler, and the Microsoft Entra ID reinstatement scheduler runs as part of the Entra ID Synchronizer scheduler. To change how often the synchronizer (and therefore reinstatement) runs, use the Click here link in the on-screen note.

Tips

  • Pair a restriction scheduler with a reinstatement scheduler so accounts regain access automatically when they become active again, for example when a disabled account is re-enabled. This reduces manual cleanup after temporary restrictions.
  • Because restricting an account deletes its enrollment data, confirm that an account no longer needs self-service access before you restrict it, and plan for re-enrollment if you later reinstate it.