Securely Deprovision Active Directory Users or Groups

Cayosoft Suspend™ for Active Directory

Temporary or Permanent User or Group Suspension

As employees leave the organization, it is important to revoke access in a timely manner. Cayosoft® Suspend™ quickly and accurately secures Active Directory Users or Groups by performing the best-practice steps required to safely deactivate the objects and prevent costly security and compliance violations.   Whether users leave temporarily — perhaps military or medical leave — Cayosoft Suspend can schedule suspensions so they are not forgotten, and there is no need to keep a separate calendar of  departures. Suspend also prevents groups from being used for security operations, allowing the group to be safely deactivated. If the group is needed, a simple right-click undo will restore the group to the previous active state.

Cayosoft® Suspend™ deploys in less than 10 minutes, is easy-to-use and requires no heavy service or infrastructure. Suspend allows you to temporarily or permanently suspend AD Users and Groups without physical deletion so you can bring them back with the click if they are again needed. Suspend is also part of Cayosoft Administrator,  and allows you to pre-schedule a suspension on a pre-determined date.

Cayosoft Suspend is a part of the Free Active Directory Management Tools from Cayosoft.


Easily configure policies to enforce consistent and effective control that meet your IT or compliance requirements for revoking user access. With Cayosoft Suspend, your administrators will no longer struggle to perform dozens of potentially error-prone steps, and you won’t have to maintain risky or awkward scripts. Cayosoft Suspend complements Microsoft Identity Manager or Oracle Identity Manager by helping resolve conflicts though integration of native AD management tools and these powerful solutions.

Compliance and Security

Whether a user leaves temporarily or permanently, security and compliance requirements demand that the user’s Active Directory account be terminated quickly and accurately. Unfortunately, Active Directory provides only Delete or Disable as options. To properly suspend and secure Active Directory users or groups, a complex and potentially error-prone process must be followed. Native tools lack a “suspend” process, putting security and compliance at risk. Improperly suspending a user or group can cause the organization to be subject to security breaches, SOX, HIPAA or PCI audit failures and potential fines.

Disable & Delete are Not Enough

Deleting users and groups is unacceptable because they are unavailable when needed for audit or security reasons. Disabling a user account is risky if additional steps are not taken to ensure the account won’t be re-enabled with unintended consequences. Disabling a group isn’t provided by Active Directory.

Better than Delete or Disable options, Cayosoft puts a “Suspend” command at your fingertips that invokes Policy Workflow steps to prevent user accounts from authenticating and groups from being used for security or distribution list operations. With right-click undo, reactivating the user or group is just a click away.

When Should you Suspend Users or Groups?​
  • Military Deployments
  • Personal Leaves
  • Demonstrate Controls to Auditors
  • During Investigations
  • Terminations (Deprovision)
  • Retirements (Deprovision)
  • Voluntary Employee Separations
  • End of contractor projects

Features and Policies

Best Practice Enforcement for Suspension of AD Users
  • Permanent or Temporary Account Suspension
  • Right-click  Undo
  • Active Directory Users and Computers Integration
  • Auditor Suspension Reporting for security or compliance audits
  • Policy Workflow:
  • Update Attribute(s)
  • Relocate Object
  • Clear User’s Group Memberships
  • Store Audit Details
  • Prevent Logon
  • Retention Period (Requires Cayosoft Administrator™)
  • Scheduled Reactivation (Requires Cayosoft Administrator™)
Best Practice Enforcement for Suspension of AD Groups

For security and compliance reasons, an “Auditors Only Group” that may allow the clearing of security logs, should not contain members that are actually being audited. If a user that is being audited is accidentally added to the “Auditors Only Group”, Cayosoft Administrator’s Dynamic Group Rules will automatically remove the user from the group, sustaining the security or compliance requirement.

  • Permanent or Temporary Group Suspension
  • Right-click Undo
  • Active Directory Users and Computers Integration
  • Auditor Suspension Reporting for security or compliance audits
  • Policy Workflow:
  • Prevent use for Security and Distribution List operations
  • Update Attribute(s)
  • Relocate Object
  • Clear Group Members
  • Clear this Group’s Memberships in other groups
  • Store Audit Details
  • Retention Period (Requires Cayosoft Administrator™)
  • Scheduled Reactivation (Requires Cayosoft Administrator™)
Auditor-Friendly Reports

Any time a user or group is suspended the actions taken against the object must be recorded and available for review by auditors. Cayosoft Suspend provides auditor-friendly reports that are just click away. Both Suspend and Un-Suspend reports storage options are also provided.

Cayosoft Admin Assistant™ Integration

Thoughtful product Integration provides a service component that monitors AD for Suspended Accounts and enforces the object retention policy.

  • Enforce Object Retention Policy
  • Suspend Expired & Inactive Accounts
  • Suspend Empty Groups
  • Future Scheduled Suspensions
  • Future Scheduled Undo-Suspensions

Please complete and submit the demonstration request form and we will contact you shortly. If you would prefer to speak with a Cayosoft Sales Representative then please call us at +1 (614) 423-6718.

New Survey Finds...

Active Directory forest recovery not taken serious enough. See what else your peers had to say.