2.7.2.8 Delete an Account - Client Application

In this use case, an administrator wants to delete an account from the directory to prevent its further use. The administrator launches a client application to delete an account. The client application establishes a connection to the Active Directory system.

Goal

Delete an account in the directory.

Context of Use

An administrator wants to delete an account from the directory to prevent its further use.

Figure 21: Use case diagram for deleting an account

Actors

  • Client application

    The client application is the primary actor. It is the entity that prepares the connection to the directory server, submits the request to delete an account, and relays the response to the administrator.

  • Windows Authentication Services

    Windows Authentication Services [MS-AUTHSOD] is the supporting actor that authenticates the administrator's identity so that the Active Directory system can make access-control decisions.

  • Directory server

    The directory server is the supporting actor that receives the deletion request and deletes the account from the directory.

Stakeholders

  • Administrator

    The administrator initiates operations on accounts such as create, reset, change, query for group members, create a security group, modify the group member list, and delete. The administrator primarily wants confirmation that an operation completed successfully, or an error message if it failed.

  • Directory

    The directory is the entity that contains the account being deleted.

Preconditions

  • The system-wide preconditions described in section 2.6 are satisfied, and the Active Directory system has completed initialization as described in section 2.6.

  • The client application has network connectivity to a directory server, so that it can establish a connection (if one is not already established) and send the request.

  • The account that is being deleted exists.

Main Success Scenario

  1. Trigger: The administrator provides the account name of the account to be deleted as input to the client application with credentials and invokes the operation that deletes an account.

  2. The client application establishes a connection to the directory server. Windows Authentication Services authenticates the client application using the supplied credentials ([MS-AUTHSOD] section 2).

  3. The client application sends a request to the directory server to delete the account.

  4. The directory server verifies that the credentials that are supplied through the client application have the necessary access-control rights to complete the operation ([MS-ADTS] section 5.1.3).

  5. The directory server deletes the object in the directory that represents the account with the account name that the client supplies. Additional processing tasks that are mandated by the server's processing rules and constraints might occur ([MS-ADTS] sections 3.1.1.5.1 and 3.1.1.5.3).

  6. The directory server sends a response to the client application indicating that the account has been successfully deleted.

Postcondition

The account is no longer available.

Extensions

  • If the credentials that are supplied through the client application have insufficient access-control rights to delete the account:

    1-4. Same as Main Success Scenario.

    5. The directory server sends a response to the client application that the supplied credentials have insufficient access-control rights to delete the account.
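The main success scenario and the insufficient-rights extension above, modelled end to end as an added example (this is not code from MS-ADOD, MS-ADTS or Active Directory, and it is not an LDAP client). An in-memory directory server stands in for the directory server and for the authentication service; its container-level delete right is a deliberate simplification of AD's security descriptors. The sample accounts, passwords and distinguished names under `DC=example,DC=test` are constructed placeholders. Result codes are the LDAP resultCode values from RFC 4511, so the extension's "insufficient access-control rights" response is `insufficientAccessRights` (50), an authentication failure in step 2 is `invalidCredentials` (49), and deleting an account that has already gone is `noSuchObject` (32). The server also keeps an audit trail so that both the deletion and the denied attempt are observable, which is what a defender will want to see in the real directory's logs.

```python
"""Model of the 'delete an account' use case in plain Python.

Added illustration only: not code from MS-ADOD or Active Directory and not an
LDAP client. The in-memory server, its container-level ACL, the sample
accounts and all distinguished names are constructed for this example.
Result codes are the LDAP resultCode values defined in RFC 4511.
"""
from dataclasses import dataclass, field

# LDAP resultCode values (RFC 4511 section 4.1.9)
SUCCESS = 0
NO_SUCH_OBJECT = 32
INVALID_CREDENTIALS = 49
INSUFFICIENT_ACCESS_RIGHTS = 50


@dataclass
class Response:
    """What the directory server returns to the client application (step 6)."""
    result_code: int
    diagnostic: str = ""


def parent_dn(dn):
    """Container of an object: 'CN=bob,OU=Staff,DC=lab' -> 'OU=Staff,DC=lab'."""
    return dn.split(",", 1)[1]


@dataclass
class DirectoryServer:
    # Constructed stand-in for the authentication service: account DN -> password.
    passwords: dict
    # Constructed ACL: container DN -> set of caller DNs holding the right to
    # delete child objects. Real AD evaluates security descriptors; this is a
    # deliberate simplification.
    delete_rights: dict
    audit_log: list = field(default_factory=list)

    def bind(self, caller_dn, password):
        """Step 2: authenticate the caller. Returns a session DN or None."""
        if self.passwords.get(caller_dn) != password:
            self.audit_log.append(("bind-failed", caller_dn))
            return None
        self.audit_log.append(("bind-ok", caller_dn))
        return caller_dn

    def delete(self, session_dn, target_dn):
        """Steps 4-6: check access rights, delete the object, send the result."""
        if session_dn is None:
            return Response(INVALID_CREDENTIALS, "not authenticated")
        allowed = self.delete_rights.get(parent_dn(target_dn), set())
        if session_dn not in allowed:
            # Extension: insufficient access-control rights; nothing is changed.
            self.audit_log.append(("delete-denied", session_dn, target_dn))
            return Response(INSUFFICIENT_ACCESS_RIGHTS, "no delete right on container")
        if target_dn not in self.passwords:
            return Response(NO_SUCH_OBJECT, "object does not exist")
        del self.passwords[target_dn]  # step 5: the object is removed
        self.audit_log.append(("deleted", session_dn, target_dn))
        return Response(SUCCESS)


def delete_account(server, admin_dn, password, target_dn):
    """The client application's side: connect and bind with the administrator's
    credentials (steps 1-2), send the delete request (step 3) and relay the
    server's response to the caller."""
    session = server.bind(admin_dn, password)
    if session is None:
        return Response(INVALID_CREDENTIALS, "bind rejected")
    return server.delete(session, target_dn)


def build_sample_server():
    """Constructed sample directory: one admin, one helpdesk user and one
    ordinary account in OU=Staff. Placeholder names and passwords only."""
    passwords = {
        "CN=admin,OU=Admins,DC=example,DC=test": "correct horse battery",
        "CN=helpdesk,OU=Staff,DC=example,DC=test": "helpdesk-pw",
        "CN=bob,OU=Staff,DC=example,DC=test": "bob-pw",
    }
    # Only the admin holds the delete right on OU=Staff.
    delete_rights = {
        "OU=Staff,DC=example,DC=test": {"CN=admin,OU=Admins,DC=example,DC=test"},
    }
    return DirectoryServer(passwords, delete_rights)


if __name__ == "__main__":
    srv = build_sample_server()
    admin = "CN=admin,OU=Admins,DC=example,DC=test"
    bob = "CN=bob,OU=Staff,DC=example,DC=test"
    print(delete_account(srv, "CN=helpdesk,OU=Staff,DC=example,DC=test", "helpdesk-pw", bob))
    print(delete_account(srv, admin, "wrong", bob))
    print(delete_account(srv, admin, "correct horse battery", bob))
    print(delete_account(srv, admin, "correct horse battery", bob))
    for entry in srv.audit_log:
        print(entry)
```

Running the block shows the four outcomes in order: the helpdesk caller is authenticated but denied (50) and the account survives, a wrong password never reaches the access check (49), the administrator's deletion succeeds (0), and a repeat of the same request reports that the object no longer exists (32). The order of the checks inside `delete` mirrors the use case: the access-control decision of step 4 is made before any change in step 5, so a denied request leaves the directory exactly as it was.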