Questions Regarding the "Deactivate Users Who Have Not Logged In Recently" Option on the Admin Console

Certified Senior Developer

Questions regarding the "Deactivate Users Who Have Not Logged In Recently" option on the admin console:

* Will this feature work when users are authenticated in ways other than Appian password?
* What time do users become deactivated? (We need to run a nightly process to also make updates in our database to sync the inactive status of our users.)
* If a process is invoked to re-activate a user account, does that reset the timer that deactivated the user?

OriginalPostID-227028


  • 0
    Certified Senior Developer
    FYI - found a partial explanation for the third question - forum.appian.com/.../User_Management.html

    "When a user account is reactivated, its last login time is set to the current date and time to prevent the user from being immediately deactivated (if a policy is in place to do so for users who do not log into the system within a certain amount of time)."

    However, this goes on to say that a user can only be reactivated by an admin from the people tab. What about the smart service "Reactivate User"?

  • 0
    Certified Lead Developer
    I would assume that the "reactivate user" smart service must be run under the authority of an administrator, and that it would reset their countdown date (since if the user had previously expired due to inactivity, it would have to set SOMETHING to keep the same account from immediately expiring again, no?) - but I'm curious to see the official response to this if there is one.
  • 0
    Certified Senior Developer
    I tried to test this feature out, so I set up a test environment, set the deactivation time to 1 day, and the next day there were no users deactivated. When does the deactivation trigger?
  • 0
    Certified Senior Developer
    It really is imperative I know what time Appian deactivates users. There is a race condition with the Active Directory sync plugin in LDAP Tools - it will reactivate users! I need to ensure that users are captured as inactivated before that sync runs at night - and then ensure they don't get reactivated.
  • 0
    Certified Lead Developer
    Did you ever discover exactly what the nature of auto-deactivation is? I'm mostly curious to know whether we can force a particular user to never be deactivated via deactivating it and quickly reactivating it in a system process or something.
  • 0
    Certified Senior Developer
    I didn't find out any specific details. I just run a process that checks nightly if any users are missing from our All Users group in Appian that are active in our business database (meaning Appian did the deactivation), and use that to mark them as inactive in the database as well, and set a new flag which indicates it was inactivated due to inactivity. I have a separate action for admins to reactivate any users who were inactivated due to inactivity, and have modified the LDAP sync to never reactivate users. I also updated an action that runs the LDAP sync on specified users to give the option to reactivate while synching - but it will ignore any users with the inactivated due to inactivity flag (which need to be reactivated by the other action first).

    It unfortunately had to be a bit convoluted, but it works. Except for one instance where Appian didn't return all the expected group members of that group when the process ran during an import.
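
The nightly reconciliation described in the reply above, modelled in plain Python as an added example (not the poster's process model and not Appian code). All names are hypothetical, and the `min_ratio` guard against an incomplete group read is an assumption added here to cover the import-time case the post mentions.

```python
from dataclasses import dataclass

@dataclass
class DbUser:                        # hypothetical row in the business database
    username: str
    active: bool = True
    inactivity_flag: bool = False    # set when the platform auto-deactivated the account

def reconcile(db_users, group_members, min_ratio=0.5):
    """Nightly pass: flag DB-active users missing from the all-users group.

    Returns the usernames newly flagged. Raises if the membership read looks
    truncated, so a partial read never mass-deactivates accounts.
    min_ratio is an assumed threshold, not a platform setting.
    """
    active = [u for u in db_users if u.active]
    members = {m.lower() for m in group_members}
    present = sum(1 for u in active if u.username.lower() in members)
    if active and present / len(active) < min_ratio:
        raise RuntimeError("group membership looks incomplete; skipping run")
    flagged = []
    for u in active:
        if u.username.lower() not in members:
            u.active = False
            u.inactivity_flag = True
            flagged.append(u.username)
    return flagged

def ldap_sync_may_reactivate(user, reactivate_requested):
    """Directory sync rule: no reactivation by default, never for flagged users."""
    return reactivate_requested and not user.active and not user.inactivity_flag

def admin_reactivate(user):
    """Separate admin action: the only path that clears the inactivity flag."""
    if not user.inactivity_flag:
        return False
    user.active, user.inactivity_flag = True, False
    return True
```

Running the guard before any write means a failed run leaves the database untouched and can simply be retried on the next schedule.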
  • 0
    Certified Lead Developer
    Cool - that's about what we have, though we've never bothered to create a special front-end process to reactivate users who got auto-disabled (I suppose it wouldn't be too hard though). The reason I ask though is because of a special pain point - we have a special non-user user account to be the "general global admin", with publishing authority over all process models, etc. A user at the customer organization is supposed to routinely log in as that user, to prevent expiration, but we realized early Monday morning that they'd accidentally elapsed that timespan, and it instantaneously broke hundreds of instances that we had to go around and manually restart. So now I'm fishing for better ways to protect that user against auto-expiration.
  • 0
    Certified Senior Developer
    Just wondering, why not use the Administrator for that? This special account is never deactivated.
  • 0
    Certified Lead Developer
    AFAIK we don't have access to it due to some cloud environment and/or security constraint in the case of the servers in question.