Changing LoginID on Active Directory for a user creates a duplicate resource on the Altiris database after user AD Import runs

Article ID: 176804


Products

IT Management Suite

Issue/Introduction

In this case, the only change made is to the LoginID of a user in Active Directory. After changing the LoginID in AD (from ngarrido to garridon), the customer runs the Users AD Import Rule, and a duplicate is created for the same User Resource. No other changes are made (same distinguished name, email, etc.).

When the Users AD Import Rule has finished running, a new user resource has been created that appears to be a duplicate. Opening both User Resources and looking at their XML, we can see a difference in name.domain:

Duplicate Resource 1:
  <key name="name.domain" value="NGARRIDO.NEFIUNIVERSE.LOCAL" />
  <key name="distinguishedname" value="CN=NEFI GARRIDO,CN=USERS,DC=NEFIUNIVERSE,DC=LOCAL" />

Duplicate Resource 2:
  <key name="name.domain" value="GARRIDON.NEFIUNIVERSE.LOCAL" />
  <key name="distinguishedname" value="CN=NEFI GARRIDO,CN=USERS,DC=NEFIUNIVERSE,DC=LOCAL" />

The AD Sync schedule doesn't remove the duplicate User from the NS database because, as far as Active Directory is concerned, it still exists as the same User.
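To find resources affected by this, one option is to group exported resource keys by distinguishedname and flag any DN that is held under more than one name.domain. The following Python is an added example, not part of the original article or of any Altiris tooling; the `<resources>` / `<resource guid="...">` wrapper and the GUID values are assumptions constructed for the example, and only the `<key>` elements follow the XML shown above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample. The <resources>/<resource guid> wrapper and the GUIDs are
# assumptions; resources 3 and 4 are invented controls.
SAMPLE = """<resources>
  <resource guid="constructed-guid-1">
    <key name="name.domain" value="NGARRIDO.NEFIUNIVERSE.LOCAL" />
    <key name="distinguishedname" value="CN=NEFI GARRIDO,CN=USERS,DC=NEFIUNIVERSE,DC=LOCAL" />
  </resource>
  <resource guid="constructed-guid-2">
    <key name="name.domain" value="GARRIDON.NEFIUNIVERSE.LOCAL" />
    <key name="distinguishedname" value="CN=NEFI GARRIDO,CN=USERS,DC=NEFIUNIVERSE,DC=LOCAL" />
  </resource>
  <resource guid="constructed-guid-3">
    <key name="name.domain" value="JDOE.NEFIUNIVERSE.LOCAL" />
    <key name="distinguishedname" value="CN=JANE DOE,CN=USERS,DC=NEFIUNIVERSE,DC=LOCAL" />
  </resource>
  <resource guid="constructed-guid-4">
    <key name="name.domain" value="LOCALONLY.NEFIUNIVERSE.LOCAL" />
  </resource>
</resources>"""

def load_keys(xml_text):
    """Return {guid: {key name: value}}; names lower-cased, values upper-cased."""
    return {
        res.get("guid"): {k.get("name", "").lower(): k.get("value", "").strip().upper()
                          for k in res.iter("key")}
        for res in ET.fromstring(xml_text).iter("resource")
    }

def find_dn_duplicates(resources):
    """Return {dn: {guid: name.domain}} for DNs held under more than one name.domain."""
    by_dn = defaultdict(dict)
    for guid, keys in resources.items():
        dn = keys.get("distinguishedname")
        if not dn:
            continue  # no DN key: cannot be tied to a directory object, skip
        by_dn[dn][guid] = keys.get("name.domain", "")
    return {dn: members for dn, members in by_dn.items()
            if len(set(members.values())) > 1}

if __name__ == "__main__":
    for dn, members in find_dn_duplicates(load_keys(SAMPLE)).items():
        for guid, name_domain in sorted(members.items()):
            print(f"{dn}: {guid} name.domain={name_domain}")
```

Each reported DN corresponds to one directory account that is tracked as several resources, which is the set the merge rule in the Resolution section needs to collapse.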

Steps to reproduce:

  1. Go to the AD User object and change the "User logon name" and "User logon name (pre-Windows 2000)" under the Account tab for one of the users.
  2. Do a Full Import or just an Update Import; you should get a duplicate entry for that user.
  3. If you review the Resource Manager for one of those duplicate users, the only apparent change is the UserID value under the Inventory tab > User Data > Global Windows Users. So it looks like the name.domain has changed but not the distinguishedname. One thing that was also noticed was that under the Inventory tab > Directory Connector > OU Membership in the Resource Manager, the first entry for the User (before the change in the UserID) is now empty.
  4. If you run the AD Sync schedule, none of the duplicates are removed.
  5. We tested it against a server with the AD Import Hotfix 3 but the issue persisted.

Cause

Apparently, AD Connector is not able to recognize a resource as the same one unless both name.domain and distinguished name match, even though everything else remained unchanged.

Resolution

The AD Connector Development Team is aware of the issue and is investigating a possible resolution. However, this issue was tested against NS7 and it is not present there.

There is a workaround that will help to keep those duplicated resources as one. However, you will need to have Asset/CMDB 6.5 installed.

  1. Go to Configuration > Solution Settings > Connectors > Resource Lookup Keys, then right-click > New > Resource Lookup Keys.
    1. Name it (for example, let's call it 'Email Key').
    2. Under 'Target Resource Type', select 'User'.
    3. Under 'Select Dataclass', select 'Global User General Details' and click on 'Email'.
    4. Click Apply.

  2. Go to Configuration > Solution Settings > CMDB Solution > Merge Rules, then right-click and choose New > Resource Merge Rule.
    1. Name it (for example, let's call it "Email Resource Merge Rule").
    2. Under Resource Type, select User.
    3. Under Merge Key, select Email Key.
    4. Select Enable Schedule and add a schedule that runs after the User AD Import Rule has finished importing your Users.
    5. Click Apply.

This process should find any Users that have the same email entry and merge their information into one resource.


Applies To
Notification Server 6.0 SP3
Altiris Active Directory Connector 6.1.480
