The first step is to make sure users with duplicate email addresses are not included in the AD Sync Profile. In broad terms, there are two ways to address the situation:
- Make sure there are no duplicate email addresses set on users
- Modify the AD Sync Profile to exclude some AD users from being synced, for example the OU containing service accounts.
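To see which accounts are affected before choosing between the two options, the following added example (not part of the original article or the product) lists AD users that share an email address within a search base. It assumes the ActiveDirectory PowerShell module is available and that the synced email address comes from the `mail` attribute; the function name and the OU in the usage comment are hypothetical.

```powershell
# Added example: report AD users that share an email address inside the
# container that the AD Sync Profile reads. Read-only; changes nothing in AD.
Import-Module ActiveDirectory

function Get-DuplicateMailUser {
    param(
        # Distinguished name of the container covered by the AD Sync Profile.
        [Parameter(Mandatory)][string]$SearchBase
    )

    # Assumption: the email address used by AD Sync is the 'mail' attribute.
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(mail=*)' -Properties mail |
        # Normalise so 'User@Example.com ' and 'user@example.com' group together.
        Group-Object -Property { $_.mail.Trim().ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $email = $_.Name
            foreach ($user in $_.Group) {
                [pscustomobject]@{
                    Email             = $email
                    SamAccountName    = $user.SamAccountName
                    Enabled           = $user.Enabled
                    # The DN shows which OU each duplicate lives in, which helps
                    # decide whether excluding an OU from the profile is enough.
                    DistinguishedName = $user.DistinguishedName
                }
            }
        }
}

# Usage (placeholder OU, replace with your own):
# Get-DuplicateMailUser -SearchBase 'OU=Example,DC=example,DC=com' |
#     Sort-Object Email | Format-Table -AutoSize
```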
The remaining concern is how to handle users that may have been synced but should not be in the Process Manager database. Different situations may arise: users in the now-excluded OU that are already synced, or two users with the same email address where the wrong one is synced (for example, the service account instead of the user's own account).
Users in the ServiceDesk database cannot simply be deleted. In most cases, if a portal user has been used even a little, there will be associations with items such as processes, tasks and comments that would become invalid if the portal user were deleted. There are two ways to handle portal users left over after excluding them from AD Sync:
- Disable the excluded portal users. There is an 'Account Is Active' checkbox when editing a portal user, and unchecking it disables the portal user. This is the recommended method. If the portal user is later included in AD Sync again, this flag is automatically overwritten and the portal user becomes active again.
- There is a roundabout way to remove a user from the portal: the 'Merge User' action on the portal user. With this functionality, existing associations to the portal user in processes, tasks etc. are moved to the other portal user, and the merged portal user is removed from the portal. This is not something we would recommend doing lightly, as it cannot be undone and it is not intended to be used on a large scale. All the actions done by the portal user will be re-mapped to the other portal user. If you merge an AD user that is still in AD Sync, it will be recreated the next time AD Sync runs.
To merge users:
- Admin > Users > Accounts > Manage Users
- Find the user you need to remove, click the gear icon to the right and select Merge User
- Enter another user to Merge To in the field provided and click Merge
- After you confirm and wait a little while, the portal users are merged and the portal user you started the action on is removed.
If an undesired account is imported with AD Sync instead of the user's own account, things are a bit more complicated: excluding and disabling the service account portal user still leaves that portal user holding the primary email address, which prevents the other account from being imported. Merging is an option, but it is not advised, as it has a chance of moving some items over, and the user's own account does not exist in the ServiceDesk portal to merge to.
If there are only a few such portal users (the same person with both a normal account and a service account), the best way to resolve this problem is to change the ADLoginName on the portal user from the service account to the normal account. When AD Sync next runs, all the details of the normal account will be imported into this portal user, effectively re-purposing the portal user.
This can only be done directly in the database. As always when changing data directly in the database, make sure you have a backup of the database before making the changes. If you have a test environment, please try it there first. The query would look similar to this: