The active directory synchronization schedule does not remove users' details for users that were deleted from active directory.

Article ID: 206660

Products

Client Management Suite
IT Management Suite

Issue/Introduction

The AD Import "Directory Synchronization Schedule" (AD Sync) is not removing users' details for users that were deleted from Active Directory. This is observed in the SMP Console as described below:

AD Sync is not deleting users from the SMP Console under Organizational Views>Default>User.

AD Sync does correctly delete the users from the Console under Organizational Views>Active Directory Domains>[Active Directory Domain Name].

  1. Create a user in AD under an OU
  2. Run a User AD Import so the new user can be added
  3. Verify that the new User exists under Manage>Organizational Views>Active Directory Domains>[Active Directory Domain Name]
  4. Verify that the User is also present under Manage>Organizational Views>Default>User
  5. Delete the User from AD (select the User>right-click>Delete)
  6. Make sure ADSync is enabled and scheduled
  7. Make sure the actual User AD Import Rule is enabled and scheduled
  8. Run a Delta (or Full) AD Import for that User AD Import rule
  9. Run ADSync schedule to trigger User deletion
  10. Verify that the User is gone from both places

Results:
Active Directory Sync is not deleting users from the SMP Console under Manage>Organizational Views>Default>User.
It does correctly delete the users from the Console under Manage>Organizational Views>Active Directory Domains>[Active Directory Domain Name].

Environment

ITMS 8.5.x and later

Component: Active Directory Sync

Resolution

There is a misunderstanding about how Users are removed from these two locations:

  • Manage>Organizational Views>Active Directory Domains>[Active Directory Domain Name] > [OU name]
  • Manage>Organizational Views>Default>User

The scenario mentioned above describes correct behavior, because:

a) This is not actually "deleting" in terms of the SMP: only the User's OU membership is gone, so the User no longer appears under the "Active Directory Domains" organizational view.

b) Until the resource is entirely deleted, it remains visible under the Default organizational view, which is a "resource type view" covering all resources.

c) Actual resource deletion happens only after 7 days (default value). This is controlled by the Core Setting "ADResyncDeleteResourcesThresholdDays", whose accepted values are:

0 - no threshold, delete immediately
N - number of days since the last AD import in which this user was seen
<customSetting key="ADResyncDeleteResourcesThresholdDays" type="local" value="7" />

Note: Deletion only happens if the User resource has had no inventory changes during this threshold; if any inventory class data was changed (the check is done against the ResourceUpdateSummary table), the resource is not actually deleted. This check is applied only if the threshold value is greater than 0.
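The deletion rule described in c) and the note above, written out as an added example (this is not code from the article or from the ITMS product). It reads the threshold from the customSetting fragment quoted in the article and then applies the rule to a constructed set of orphaned User resources. The exact comparison semantics are assumptions: "N days since last AD import" is treated as "at least N days", and "inventory changes during this threshold" as "any change within the last N days"; the ResourceUpdateSummary lookup is replaced by a plain list of change dates.

```python
from datetime import date, timedelta
import xml.etree.ElementTree as ET

# Core Setting fragment exactly as quoted in the article (default of 7 days).
CORE_SETTING_XML = (
    '<customSetting key="ADResyncDeleteResourcesThresholdDays" '
    'type="local" value="7" />'
)


def read_threshold_days(setting_xml: str) -> int:
    """Read the day threshold out of the customSetting element."""
    element = ET.fromstring(setting_xml)
    if element.get("key") != "ADResyncDeleteResourcesThresholdDays":
        raise ValueError("unexpected core setting key")
    return int(element.get("value"))


def should_delete_resource(threshold_days, last_seen_in_ad_import, inventory_change_dates, today):
    """Decide whether an orphaned User resource is eligible for deletion.

    0 -> no threshold: delete immediately; the inventory check is skipped.
    N -> delete only once N days have passed since the last AD import in which
         the user was seen, and only if no inventory data changed in that window.
    """
    if threshold_days < 0:
        raise ValueError("threshold must be 0 or a positive number of days")
    if threshold_days == 0:
        return True
    # Assumption: "N days since last AD import" means at least N days.
    if (today - last_seen_in_ad_import).days < threshold_days:
        return False
    # Assumption: the inventory window is the last N days up to today.
    window_start = today - timedelta(days=threshold_days)
    if any(window_start <= changed <= today for changed in inventory_change_dates):
        return False
    return True


# Constructed sample: user name -> (last seen in an AD import, inventory change dates).
TODAY = date(2024, 6, 15)
SAMPLE_USERS = {
    "alice": (date(2024, 6, 1), []),                   # 14 days gone, no inventory activity
    "bob":   (date(2024, 6, 12), []),                  # only 3 days gone
    "carol": (date(2024, 6, 1), [date(2024, 6, 10)]),  # inventory changed inside the window
    "dave":  (date(2024, 6, 1), [date(2024, 6, 5)]),   # inventory changed before the window
}


def classify_resources(threshold_days, users=SAMPLE_USERS, today=TODAY):
    """Map each sample user to True (delete) or False (keep)."""
    return {
        name: should_delete_resource(threshold_days, seen, changes, today)
        for name, (seen, changes) in users.items()
    }


if __name__ == "__main__":
    threshold = read_threshold_days(CORE_SETTING_XML)
    for name, delete in classify_resources(threshold).items():
        print(f"{name}: {'delete' if delete else 'keep'}")
```

With the default of 7, only alice and dave are deleted: bob is still inside the threshold and carol had inventory activity within the window. With the threshold set to 0, all four are deleted and the inventory check never runs, which is the behaviour the note describes.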

Note: Pay attention to the NS logs. It is sometimes assumed that the "Directory Synchronization" schedule, or even the actual "Users AD Import Rule" schedule for those Users, is turned on when it is not (see KB 193879, "ITMS 8.0 HF1 - What has changed in the Symantec Management Console, on the Microsoft Active Directory Import page?").

If you see an entry like this in the NS logs when running "Directory Synchronization" (AD Sync):

     "No directory import rules are scheduled, resync will not perform any actions.","DirectoryResyncItem::ResyncImportedResources","AeXSVC.exe","116","Informational"

this usually indicates that the AD Import Rule has a disabled schedule, so please check this. Also, we've sometimes seen schedules that were turned "OFF" after upgrades, so be sure to turn these back "ON".
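A small check for that log entry, as an added example (not code from the article or the product): it splits the comma-separated, quoted NS log layout shown above and flags any entry carrying the "No directory import rules are scheduled" message. The sample log is constructed; its first line is the entry quoted in the article, the other two are invented entries in the same layout. The column order (message, source, process, pid, severity) is an assumption read off that single quoted line.

```python
import csv

# Message the article says appears when no AD Import Rule schedule is enabled.
NO_RULES_SCHEDULED = "No directory import rules are scheduled, resync will not perform any actions."

# Constructed NS log excerpt: line 1 is quoted from the article, lines 2-3 are made up.
SAMPLE_NS_LOG = [
    '"No directory import rules are scheduled, resync will not perform any actions.",'
    '"DirectoryResyncItem::ResyncImportedResources","AeXSVC.exe","116","Informational"',
    '"Directory synchronization started","DirectoryResyncItem::ResyncImportedResources",'
    '"AeXSVC.exe","116","Informational"',
    '"Schedule evaluation complete, 0 items processed","Altiris.NS.Scheduler",'
    '"AeXSVC.exe","116","Informational"',
]


def parse_ns_log_line(line):
    """Split one quoted, comma-separated NS log entry into named fields.

    Assumed column order: message, source, process, pid, severity.
    Commas inside the quoted message (as in the article's entry) stay in one field.
    Returns None for lines that do not have at least those five columns.
    """
    fields = next(csv.reader([line]))
    if len(fields) < 5:
        return None
    return {
        "message": fields[0],
        "source": fields[1],
        "process": fields[2],
        "pid": fields[3],
        "severity": fields[4],
    }


def find_resync_noop_events(lines):
    """Return every entry indicating ADSync found no scheduled import rules."""
    hits = []
    for line in lines:
        record = parse_ns_log_line(line)
        if record and record["message"] == NO_RULES_SCHEDULED:
            hits.append(record)
    return hits


def adsync_looks_misconfigured(lines):
    """True when the log shows ADSync running with no enabled AD Import Rule schedule."""
    return len(find_resync_noop_events(lines)) > 0


if __name__ == "__main__":
    for hit in find_resync_noop_events(SAMPLE_NS_LOG):
        print(f"{hit['process']} pid {hit['pid']} ({hit['source']}): {hit['message']}")
    print("check the AD Import Rule schedule:", adsync_looks_misconfigured(SAMPLE_NS_LOG))
```

A positive result is the cue, per the note above, to open the User AD Import Rule and confirm its schedule is enabled rather than assuming it is.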

Additional Information

KB 181580: How does the Active Directory Import Synchronization work?