Securely Deprovision Active Directory Users or Groups

Cayosoft Suspend™ for Active Directory

Temporary or Permanent User or Group Suspension

Cayosoft® Suspend  quickly and accurately secures Active Directory Users or Groups by performing the best-practice steps required to safely deactivate the objects thereby preventing costly security and compliance violations.  As employees leave the organizations it is important to revoke access in a timely manner. Some leave temporarily for reasons such as military or medical leave and some leave permanently due to retirement or termination. Cayosoft Suspend will also schedule suspensions so they are not forgotten and there is no need to keep a separate calendar of  departures. Suspend also works with Groups preventing the group from being used for security operations allowing the group to be safely deactivated. If the group is needed, a simple right-click undo will restore the group to the previous active state.

The Cayosoft® Suspend™ solution deploys in less than 10 minutes, is easy to use and requires no heavy service or infrastructure. Suspend allows you to temporarily or permanently suspend AD Users and Groups without physical deletion so you can bring them back with the click of a mouse if they are again needed. Suspend works with Cayosoft Admin Assistant to allow you to pre-schedule a suspension on a pre-determined date.

Cayosoft Suspend is a part of the Free Active Directory Management Tools from Cayosoft.


Securely Deprovision Active Directory Users or Groups (Temporary or Permanent)

Technical OverviewFeatures & PoliciesRequirementsPricingProduct Reviews


3 Minute Demo

Key Features

Cayo Admin Assistant Automate Active Directory and Enforce IT Rules
  • Temporary Suspend for Long term Absences
  • Right-click or Scheduled Un-Suspend
  • Permanent Suspend for Termination or Retirements
  • Set and Forget Future Suspensions
  • Enhance Directory Sync
  • Clean-up expired/inactive Accounts
  • Meet audit requirements

Introducing Cayosoft Suspend

In minutes, the easily configure policies begin to enforce consistent and effective control that meet your IT or Compliance requirements for revoking access. With Cayo | Suspend your administrators will no longer struggle to perform dozens of potentially error prone steps and you won’t have to maintain risky or awkward scripts. Cayo Suspend complements Microsoft Forefront or Oracle Identity manager by helping resolve conflicts though integration of native AD management tools and these powerful solutions.

Compliance and Security

It is natural for people to join and leave an organization. Sometimes people leave an organization temporarily for medical reasons or for military deployments. Permanent departures are typically due to retirements or terminations. In both cases, security and compliance requirements demand that the user’s Active Directory account must be terminated quickly and accurately. Unfortunately, Active Directory provides only Delete or Disable as options. To properly suspend and secure Active Directory users or groups, a complex and potentially error prone process must be followed. Because native tools lack a “suspend” process, security and compliance requirements are put at risk. Improperly suspending a user or group can cause the organization to be subject to security breaches, SOX, HIPAA or PCI audit failures and potential fines.

Disable & Delete are Not Enough

Deleting users and groups is unacceptable because they are unavailable when needed for audit or security reasons. Disabling a user account is risky if additional steps are not taken to ensure the account won’t be re-enabled with unintended consequences. Disabling a group isn’t provided by Active Directory.

Better than Delete & Disable: Cayo | Suspend delivers something better than Delete or Disable; it puts a “Suspend” command at your fingertips. Suspend invokes Policy Workflow steps that prevent user accounts from authenticating and group from being used for security or distribution list operations. With right-click undo, reactivating the user or group is just a mouse click away.

When should you suspend users or groups?

  • Military Deployments
  • Personal Leaves
  • Demonstrate Controls to Auditors
  • During Investigations
  • Terminations (Deprovision)
  • Retirements (Deprovision)
  • Voluntary Employee Separations
  • End of contractor projects

Suspend Workflow

Deprovsion Active Directory Users and Groups

Best Practice Enforcement for Suspension of AD Users

  • Permanent or Temporary Account Suspension
  • Right-click  Undo
  • Active Directory Users and Computers Integration
  • Auditor Suspension Reporting for security or compliance audits
  • Policy Workflow:
    • Prevent Logon
    • Update Attribute(s)
    • Relocate Object
    • Clear User’s Group Memberships
    • Store Audit Details
    • Retention Period (Requires Cayo | Policy Manager™)
    • Scheduled Reactivation (Requires Cayo | Policy Manager™)

Best Practice Enforcement for Suspension of AD Groups

  • Permanent or Temporary Group Suspension
  • Right-click Undo
  • Active Directory Users and Computers Integration
  • Auditor Suspension Reporting for security or compliance audits
  • Policy Workflow:
    • Prevent use for Security and Distribution List operations
    • Update Attribute(s)
    • Relocate Object
    • Clear Group Members
    • Clear this Group’s Memberships in other groups
    • Store Audit Details
    • Retention Period (Requires Cayo | Policy Manager™)
    • Scheduled Reactivation (Requires Cayo | Policy Manager™)

Auditor Friendly Reports

Any time a user or group is suspended the actions taken against the object must be recorded and available for review by auditors. Cayo | Suspend provides auditor friendly reports that are just a mouse click away. Both Suspend and Un-Suspend reports storage options are also provided.

Cayosoft Admin Assistant™ Integration

Thoughtful product Integration provides a service component that monitors AD for Suspended Accounts and enforces the object retention policy.

  • Enforce Object Retention Policy
  • Suspend Expired & Inactive Accounts
  • Suspend Empty Groups
  • Future Scheduled Suspensions
  • Future Scheduled Undo-Suspensions

Software Requirements

  • Microsoft .Net Framework version 4.0
  • Active Directory Users and Computers MMC
  • Windows Workstation version XPSP3 or later – or – Windows Server Version 2008r2 or later
  • No schema extensions required

Permission Requirements

  • Administrator permission in Active Directory to register display specifiers (First console installed only)

Administrator permissions on the workstation or server running Active Directory Users and Computers

  • Permissions in Active Directory to modify & disable Users and Groups

Pricing and Licensing

Policy Suspend™ is sold as part of Cayo Administrator™ or it can be purchased individually.  The software is licensed per enabled Active Directory user in each domain to be managed. The pricing shown here is for a Perpetual Licenses that never expire. For individual module or subscription based pricing, request a custom price quote here.

Cayo Administrator includes the following modules:

  • Policy Manager™
  • Cayo Suspend™
  • Cayo Groups™ (Anticipated late 2013)

Minimum quantity: 100 users

Price: Starting at $7 per enabled user before discounts for a Perpetual License that never expires.

Support & Maintenance: Initial license purchases are accompanied by a 1 year software maintenance agreement that begins on the purchase date and continues for 12 months. Subsequent yearly software maintenance is optional and amounts to 20% of the license purchase price.

Next Steps:

Get a Demo

Live or Recorded

Ask a Question

Get Answers!

Learn More...

More Information!