How to prevent creating new resources for the same Users when AD Connector is used


Article ID: 181600


Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

 

Resolution

Question
In some cases, changing the username field for Users in Active Directory (for example, from "domain/john doe" to "domain/jdoe") creates a new resource for that User in the Notification Server, which later also results in a new user resource in Helpdesk Solution.

How can I prevent this?

Answer
As you may have noticed, we refer to this as a "new resource" and not as a "duplicate" of the same User. To be considered a duplicate, the entry needs to have the same GUID, NTID, and Email. Since the new resource comes with a different "Username" and "Distinguished Name," the Notification Server considers this entry a new resource.

In order to avoid creating new resources on the Notification Server and later causing a new User entry in Helpdesk Solution, first see article 42419, "How AD Synchronization works?".

Then, the following can be suggested:

When the username is changed in AD, the Notification Server treats it as a new user because the 'Distinguished Name' parameter has changed (from 'CN=John Doe,CN=Users,DC=Domain,DC=com' to 'CN=JDoe,CN=Users,DC=Domain,DC=com'). When the 'Users AD Import' runs, the new 'username' comes in as a new resource to the Notification Server. That is why there are two entries for the same user (one with 'domain/john doe' and the other with 'domain/jdoe'). Usually the earlier entry should be removed when AD Sync runs, since the previous reference should no longer exist in AD and AD Sync should remove the previous user from the database. However, there is a known issue reported in Article ID: 43504, "Changing LoginID on Active Directory for a user creates a duplicate resource on the Altiris database after user AD Import runs".

Since Helpdesk Sync runs every hour, if it runs before AD Sync has run, it creates a new User entry in Helpdesk. Helpdesk usually recognizes an existing user by checking whether the NTID is the same or has changed and whether the email is the same or different. If the email has changed but not the NTID, then it creates a conflict, since two users are not allowed to have the same email.

One way to avoid this issue is to clean up the extra entries on the Notification Server before Helpdesk Solution synchronizes. Here are some steps to follow:

  1. In the Notification Server Console, go to Configuration tab > Server Settings > Notification Server Settings > Incident Settings. On the main page, uncheck the "Synchronize resource and incident data with Notification Server" option so that the sync is disabled.
  2. Make the Username changes that you need in AD.
  3. After cleaning up AD, run the AD Sync scheduled task.
  4. After AD Sync has removed the users that no longer exist in AD, run a "Full Import" for the "User AD Import Rule" that you are using.
  5. Make sure that there are no references to the previous Users under Organizational Types > User. These can be deleted manually if necessary.
  6. Go back to Incident Settings and enable the "Synchronize resource and incident data with Notification Server" option again.
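
As a check for step 5, the following added example (not part of the original article and not product code) scans an export of user resources and separates true duplicates (same GUID, NTID, and Email) from leftover "new resource" entries that share an email with a different identity. The CSV layout, column names, and sample rows are assumptions constructed for illustration, not the Notification Server schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names and values are assumptions
# made for this example, not the Notification Server database schema.
SAMPLE_EXPORT = """guid,ntid,email,username,distinguished_name
a1,nt-001,jdoe@example.com,domain/john doe,"CN=John Doe,CN=Users,DC=Domain,DC=com"
b2,nt-002,JDoe@Example.com,domain/jdoe,"CN=JDoe,CN=Users,DC=Domain,DC=com"
c3,nt-003,asmith@example.com,domain/asmith,"CN=ASmith,CN=Users,DC=Domain,DC=com"
c3,nt-003,asmith@example.com,domain/asmith,"CN=ASmith,CN=Users,DC=Domain,DC=com"
d4,nt-004,,domain/mlee,"CN=MLee,CN=Users,DC=Domain,DC=com"
e5,nt-005,,domain/kwong,"CN=KWong,CN=Users,DC=Domain,DC=com"
"""


def load_rows(text):
    """Parse the CSV export; quoted DNs may contain commas."""
    return list(csv.DictReader(io.StringIO(text)))


def find_conflicts(rows):
    """Return {email: {"kind", "usernames"}} for emails used by 2+ entries."""
    by_email = defaultdict(list)
    for row in rows:
        email = (row.get("email") or "").strip().lower()
        if email:  # entries without an email must not be grouped together
            by_email[email].append(row)

    findings = {}
    for email, group in by_email.items():
        if len(group) < 2:
            continue
        # Same GUID and NTID (email already equal) is a duplicate as the
        # article defines it; anything else is a separate resource.
        keys = {(r["guid"].strip().lower(), r["ntid"].strip().lower())
                for r in group}
        kind = "duplicate" if len(keys) == 1 else "new_resource"
        findings[email] = {
            "kind": kind,
            "usernames": sorted({r["username"] for r in group}),
        }
    return findings


if __name__ == "__main__":
    for email, info in find_conflicts(load_rows(SAMPLE_EXPORT)).items():
        print(f"{email}: {info['kind']} -> {', '.join(info['usernames'])}")
```

Any `new_resource` finding that remains after the Full Import is an entry to review under Organizational Types > User before the Helpdesk synchronization is enabled again.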