IT Analytics: "NS.Default Synchronize Security Roles Task.{e2830df2-f93f-450a-b5d5-921e01f02540}" will fail synchronization if there is a user removed from Active Directory.

Article ID: 162652

Products

IT Analytics

Issue/Introduction

ITMS 7.6.x.
Users who are members of exactly the same security roles may have different permissions accessing the default IT Analytics reports.



Steps to reproduce.
0. Create a new user in Active Directory.
1. Create a new account in Symantec Management Console and link it to the user from (0) via Account Management -> Accounts.
2. Make the user a member of "IT Analytics Users" role.
3. "Run now" from Settings -> Notification Server -> IT Analytics Settings -> Cubes -> Security.
4. Now delete the user from Active Directory.
5. Run the same rule again.
6. Error(s) in the log will appear.

Update 12.04.2016.

A similar scenario was recently reported to Symantec Support; see error III below. This time, however, the error does not explicitly mention the affected user's name.

 

I.
=====

Error Synchronizing Security Roles.
Object reference not set to an instance of an object.
[System.NullReferenceException @ System.Xml]
at System.Xml.XmlNode.RemoveChild(XmlNode oldChild)
at Altiris.ITAnalytics.ASDatabase.RemoveRoleMemberByName(String roleID, String roleName, StringCollection strRemoveRoles, Guid parentPid)
at Altiris.ITAnalytics.ASDatabase.SynchronizeRole(Guid SyncRoleGuid, Guid parentPid)
at Altiris.ITAnalytics.Tasks.ITAnalyticsSyncSecurityRolesTask.ProcessTasks()
=====

II.
=====
Error Synchronizing Security Roles.
Add role member failed. Invalid member domain\user
[System.Exception @ Altiris.ITAnalytics]
at Altiris.ITAnalytics.ASDatabase.AddRoleMemberByName(String roleID, String roleName, String name, Guid parentPid)
at Altiris.ITAnalytics.ASDatabase.SynchronizeRole(Guid SyncRoleGuid, Guid parentPid)
at Altiris.ITAnalytics.Tasks.ITAnalyticsSyncSecurityRolesTask.ProcessTasks()
=====

III.
=====
Error Synchronizing Security Roles.
Object reference not set to an instance of an object.
   [System.NullReferenceException @ Altiris.ITAnalytics]
   at Altiris.ITAnalytics.DisposableASDB.ExecXmla(String xmla)
   at Altiris.ITAnalytics.ASDatabase.ExecXmla(String xmla)
   at Altiris.ITAnalytics.ASDatabase.AddRoleMemberByName(String roleID, String roleName, String name, Guid parentPid)
   at Altiris.ITAnalytics.ASDatabase.SynchronizeRole(Guid SyncRoleGuid, Guid parentPid)
   at Altiris.ITAnalytics.Tasks.ITAnalyticsSyncSecurityRolesTask.ProcessTasks()
=====

Cause

This is a known defect that can be caused by:

a. A user that has been removed from Active Directory still exists in Symantec Management Console under Account Management -> Accounts;

b. An AD user imported to Symantec Management Console does not have associated credentials.

 

Resolution

Symantec has introduced some changes in IT Analytics 8.0 to improve handling of Active Directory imported users in the scope of the synchronization task.

However, you may still encounter the same or similar errors.

WORKAROUND.

It is easy to work around the issue if the affected user's name is explicitly given in the log. Otherwise the task is a bit more complicated, and SQL Profiler can be used to discover the problematic user or role (https://msdn.microsoft.com/en-us/library/ms181091%28v=sql.110%29.aspx). Below is an example of SQL Profiler usage.

The error in the screenshot does not provide the user's name, but using the name of the role from the description, it was possible to analyze its membership and find the 'corrupt' users.
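
The following triage script is an added example, not Symantec's code: it sorts synchronization-task log entries into the three signatures shown above and reports which members are named in the log and whether any failure leaves the member unnamed, the case that needs SQL Profiler. The sample log and the CORP\jdoe account are constructed, and the script assumes each entry begins with "Error Synchronizing Security Roles." as in excerpts I-III.

```python
import re

# Assumption: each entry starts with this line, as in excerpts I-III above.
ENTRY_START = "Error Synchronizing Security Roles."
# Signature II is the only one that names the member (domain\user).
INVALID_MEMBER = re.compile(r"Invalid member (.+?)(?=\s*\[|$)")

# Constructed sample: one signature II entry and one signature III entry,
# with the stack-trace line wrapping left in. CORP\jdoe is a made-up account.
SAMPLE_LOG = r"""
Error Synchronizing Security Roles.
Add role member failed. Invalid member CORP\jdoe
[System.Exception @ Altiris.ITAnalytics]
at Altiris.ITAnalytics.ASDatabase.AddRoleMemberByName(String roleID, String
roleName, String name, Guid parentPid)
Error Synchronizing Security Roles.
Object reference not set to an instance of an object.
   [System.NullReferenceException @ Altiris.ITAnalytics]
   at Altiris.ITAnalytics.DisposableASDB.ExecXmla(String xmla)
   at Altiris.ITAnalytics.ASDatabase.AddRoleMemberByName(String roleID,
String
roleName, String name, Guid parentPid)
"""

def split_entries(log_text):
    """Return each sync error entry as one line, undoing trace wrapping."""
    return [" ".join(part.split()) for part in log_text.split(ENTRY_START)[1:]]

def classify(entry):
    """Return (signature, member); member is None when the log omits it."""
    named = INVALID_MEMBER.search(entry)
    if named:
        return ("II", named.group(1))
    if "NullReferenceException" in entry:
        if "RemoveRoleMemberByName" in entry:
            return ("I", None)
        if "ExecXmla" in entry and "AddRoleMemberByName" in entry:
            return ("III", None)
    return ("unknown", None)

def triage(log_text):
    """Classify every entry; list named members and flag unnamed failures."""
    results = [classify(entry) for entry in split_entries(log_text)]
    named = sorted({member for _, member in results if member})
    needs_profiler = any(member is None for _, member in results)
    return results, named, needs_profiler

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Named members are the accounts to check under Account Management -> Accounts; when the last value is True, at least one failure has to be traced through the role's membership instead.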

 
