End user enrollment to the Windows environment

To end the enrollment of a user to Windows environment domains and servers, follow these steps on the integrated Windows server console:

1. Expand Integrated Server Administration —> Servers or Domains.
2. Expand the domain or server that contains the user that you want to unenroll.
3. Select Enrolled Users.
4. Right-click the user that you want to unenroll.
5. Select Unenroll.
6. Click Unenroll on the confirmation window.

Effects of ending user enrollment to the Windows environment

When you end user enrollment from the Windows environment, you also remove the user from the list of enrolled Windows server users, as well as from the Windows server group AS400_Users (or OS400_Users). Unless the user is a member of the Windows server group AS400_Permanent_Users (or OS400_Permanent_Users), you also delete the user from the Windows environment.

You cannot delete users who are members of the Windows server group AS400_Permanent_Users (or OS400_Permanent_Users) from Windows server by either ending enrollment or deleting them from i5/OS™. However, ending enrollment does remove the user from the list of enrolled Windows server users and from the Windows server group AS400_Users (OS400_Users).

You can keep users on the Windows environment after you have ended their enrollment on i5/OS. This practice is not recommended, since it makes it possible to add these users to groups on i5/OS and change passwords on i5/OS without these updates ever appearing in the Windows environment. These discrepancies can make it difficult to keep track of users on either system.

You can end user enrollment in a number of ways. Actions that end user enrollment include the following:

• Intentionally ending enrollment for the user.
• Deleting the i5/OS user profile.
• Ending enrollment for all i5/OS groups to which the user belongs.
• Removing the user from an enrolled i5/OS group when the user does not belong to any other enrolled groups.