How I can prevent this?
As you may noticed, we are referencing as a "new resource" and not as a 'duplicate' for the same User. In order to be considered as a duplicate, the entry needs to have the same GUID, NTID, and Email. Since the new resource comes with a different "Username" and "Distinguished Name," the Notification Server considers this entry as a new resource.
In order to avoid creating new resources on the Notification Server and later causing a new User entry in Helpdesk Solution, first see article 42419, "How AD Synchronization works?".
Changing the username on AD, the Notification Server takes it as a new user since the ‘Distinguished Name’ parameter has changed (now the OU appears from ‘CN=John Doe,CN=Users,DC=Domain,DC=com’ to 'CN=JDoe,CN=Users,DC=Domain,DC=com’). When the ‘Users AD Import’ runs, the new ‘username’ comes in as a new resource to the Notification Server. That is why there are two entries for the same user (one with ‘domain/john doe’ and other with ‘domain/jdoe’. Usually this duplicate should be removed when AD Sync runs, since the previous reference on AD should not exists and AD Sync should remove the previous user from the database. However, there is a known issue reported on Article ID: 43504 "Changing LoginID on Active Directory for a user creates a duplicate resource on the Altiris database after user AD Import runs"
Since Helpdesk Sync runs every hour, if it runs before the AD Sync has run, then it creates a new User entry on Helpdesk. Usually Helpdesk recognizes a user that has the same NTID or if it has changed or if the email is the same or different. If the email has changed but not the NTID, then it creates a conflict since it is not allowed to have two users with same email.
Something that can suggest in order to avoid this issue is to clean the duplicates on the Notification Server before Helpdesk Solution synchronizes. Here are some steps to follow: