The Active Directory synchronization schedule does not remove the details of users that were deleted from Active Directory.

Article ID: 206660

Products

Client Management Suite

Issue/Introduction

The ADSync schedule does not remove the details of users that were deleted from Active Directory.

Active Directory Sync is not deleting users from the Console under Organizational Views>Default>User.

It does correctly delete the users from the Console under Organizational Views>Active Directory Domains>[Active Directory Domain Name].

This happens in ITMS 8.5 RU3 and RU4.

Steps to reproduce:

1. Create a user in AD under an OU.

2. Run a User AD Import so the new user is added.

3. Verify that the new user exists under Manage>Organizational Views>Active Directory Domains>[Active Directory Domain Name].

4. Verify that the user is also present under Manage>Organizational Views>Default>User.

5. Delete the user from AD (select the user>right-click>Delete).

6. Make sure ADSync is enabled and scheduled.

7. Make sure the User AD Import rule itself is enabled and scheduled.

8. Run a Delta (or Full) AD Import for that User AD Import rule.

9. Run the ADSync schedule to trigger user deletion.

10. Verify whether the user is gone from both places.

Results:
Active Directory Sync is not deleting users from Console under Manage>Organizational Views>Default>User.
It does correctly delete the users from the Console under Manage>Organizational Views>Active Directory Domains>[Active Directory Domain Name].

Environment

Release: 8.5 RU3 and RU4

Component: Active Directory Sync

Resolution

The behavior described above is expected. Users are removed differently from these two locations:

  • Manage>Organizational Views>Active Directory Domains>[Active Directory Domain Name] > [OU name]
  • Manage>Organizational Views>Default>User

The scenario above is correct behavior, because:

a) Disappearance from the Active Directory Domains view is not a deletion in SMP terms. The AD import only removes the user's OU membership, so the user is no longer listed under the "Active Directory Domains" organizational view.

b) Until the resource itself is deleted, it remains visible under the Default organizational view, which is a resource-type view that lists all resources.

c) The resource is actually deleted only after 7 days (default value). This is controlled by the Core Setting "ADResyncDeleteResourcesThresholdDays":

0 - no threshold, delete immediately
N - days since the last AD import in which this user was seen
<customSetting key="ADResyncDeleteResourcesThresholdDays" type="local" value="7" />

Note:
Deletion only happens if the User resource had no inventory changes during this threshold period. If any inventory class data changed (the check is done against the ResourceUpdateSummary table), the resource is not deleted. This check is only applied when the threshold value is greater than 0.
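The following PowerShell is an added example, not code from this KB or from the SMP product. It reads the ADResyncDeleteResourcesThresholdDays setting from CoreSettings.config and models the deletion rule described in points a) to c) and the note above, so you can see why the user from the reproduction steps stays under Default>User until the threshold has passed. Assumptions: the CoreSettings.config path is the usual location on the Notification Server, the sample config fragment and the dates are constructed, and the date comparison is our reading of the documented rule rather than the product's implementation.

```powershell
# Added example (not from the KB or the product). Reads the ADSync deletion threshold
# and models when a user resource becomes eligible for deletion.

function Get-AdResyncDeleteThreshold {
    param(
        # ASSUMPTION: usual CoreSettings.config location on the Notification Server.
        [string]$Path = 'C:\ProgramData\Symantec\SMP\Settings\CoreSettings.config',
        # Optional: pass the XML text directly (used by the offline demo below).
        [string]$Xml
    )
    if (-not $Xml) { $Xml = Get-Content -LiteralPath $Path -Raw }
    [xml]$doc = $Xml
    $node = $doc.SelectSingleNode("//customSetting[@key='ADResyncDeleteResourcesThresholdDays']")
    if ($null -eq $node) {
        return 7   # key absent: the KB states the product default is 7 days
    }
    return [int]$node.value
}

function Test-AdUserResourceDeletable {
    param(
        [Parameter(Mandatory)][datetime]$LastSeenInAdImport, # last AD import in which the user was seen
        [datetime]$LastInventoryChange,                      # last change recorded in ResourceUpdateSummary
        [int]$ThresholdDays = 7,
        [datetime]$Now = (Get-Date)
    )
    # Threshold 0: no waiting period and no inventory-change check; delete immediately.
    if ($ThresholdDays -le 0) { return $true }

    # Still inside the threshold window: the resource stays (visible under Default>User).
    $daysUnseen = ($Now - $LastSeenInAdImport).TotalDays
    if ($daysUnseen -lt $ThresholdDays) { return $false }

    # Any inventory change inside the threshold window keeps the resource alive.
    if ($PSBoundParameters.ContainsKey('LastInventoryChange') -and
        ($Now - $LastInventoryChange).TotalDays -lt $ThresholdDays) {
        return $false
    }
    return $true
}

# --- Offline demo with a CONSTRUCTED config fragment (same shape as the setting shown above) ---
$sampleConfig = @'
<configuration>
  <customSetting key="ADResyncDeleteResourcesThresholdDays" type="local" value="7" />
</configuration>
'@
$threshold = Get-AdResyncDeleteThreshold -Xml $sampleConfig
$now = Get-Date '2021-04-20'   # constructed "today"

$cases = @(
    @{ Case = 'unseen 10 days, no inventory activity'; LastSeen = $now.AddDays(-10); Inventory = $null }
    @{ Case = 'unseen 3 days (deleted from AD this week)'; LastSeen = $now.AddDays(-3);  Inventory = $null }
    @{ Case = 'unseen 10 days, inventory changed 2 days ago'; LastSeen = $now.AddDays(-10); Inventory = $now.AddDays(-2) }
)
foreach ($c in $cases) {
    $args = @{ LastSeenInAdImport = $c.LastSeen; ThresholdDays = $threshold; Now = $now }
    if ($c.Inventory) { $args.LastInventoryChange = $c.Inventory }
    [pscustomobject]@{
        Case          = $c.Case
        ThresholdDays = $threshold
        Deletable     = Test-AdUserResourceDeletable @args
    }
}
# With the threshold set to 0 the inventory check is skipped entirely.
Test-AdUserResourceDeletable -LastSeenInAdImport $now -LastInventoryChange $now -ThresholdDays 0 -Now $now
```

Run it on the Notification Server without the -Xml argument to read the live value. If you lower the threshold to test the scenario, remember that a value of 0 also disables the ResourceUpdateSummary check, so resources with recent inventory changes will be deleted on the next ADSync.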

Note:
Pay attention to the NS logs. It is easy to assume that the "Directory Synchronization" schedule, or the schedule of the "Users AD Import Rule" that imports those users, is turned on when it is not (see KB 193879 "ITMS 8.0 HF1 - What has changed in the Symantec Management Console, on the Microsoft Active Directory Import page?").
If you see an entry like this in the NS logs when running "Directory Synchronization" (AD Sync):
"No directory import rules are scheduled, resync will not perform any actions.","DirectoryResyncItem::ResyncImportedResources","AeXSVC.exe","116","Informational",
it usually indicates that the AD Import Rule's schedule is disabled; check it.
Schedules have sometimes been found turned off after an upgrade, so turn them back on.
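The following PowerShell is an added example, not code from this KB or from the product. It scans NS log entries in the quoted, comma-separated form shown above and reports the "No directory import rules are scheduled" message, which is the quickest way to confirm that ADSync ran but had no scheduled import rule to act on. Assumptions: the column names (Message, Source, Process, Thread, Severity) are our own labels for the fields in the order they appear on this page, and all sample lines other than the one quoted above are constructed filler.

```powershell
# Added example (not from the KB or the product). Finds the ADSync "no import rules
# scheduled" entry in log lines exported in the quoted CSV form shown on this page.

function Find-AdSyncScheduleWarnings {
    param([Parameter(Mandatory)][string[]]$LogLines)

    # ASSUMPTION: field order is message, source, process, thread, severity; the
    # trailing comma on each line is dropped before parsing.
    $entries = $LogLines |
        ForEach-Object { $_.Trim().TrimEnd(',') } |
        Where-Object { $_ } |
        ConvertFrom-Csv -Header Message, Source, Process, Thread, Severity

    # The telltale entry is written by DirectoryResyncItem::ResyncImportedResources in AeXSVC.exe.
    $entries | Where-Object {
        $_.Source -eq 'DirectoryResyncItem::ResyncImportedResources' -and
        $_.Message -like 'No directory import rules are scheduled*'
    }
}

# CONSTRUCTED sample: the first line is the entry quoted in this KB; the other two are
# invented filler to show that unrelated entries are ignored.
$sampleLog = @(
    '"No directory import rules are scheduled, resync will not perform any actions.","DirectoryResyncItem::ResyncImportedResources","AeXSVC.exe","116","Informational",',
    '"Directory Synchronization started.","DirectoryResyncItem::Run","AeXSVC.exe","116","Informational",',
    '"Import rule ''Users AD Import'' completed.","DirectoryImportItem::Import","AeXSVC.exe","117","Informational",'
)

$hits = Find-AdSyncScheduleWarnings -LogLines $sampleLog
if ($hits) {
    Write-Warning 'ADSync ran but no AD Import Rule is scheduled. Enable the schedule on the User AD Import rule, run a Delta import, then run ADSync again.'
    $hits | Format-Table Message, Source, Process, Severity -AutoSize
} else {
    'No ADSync schedule warning found in the supplied log lines.'
}
```

To use it against a real export, replace $sampleLog with Get-Content of the exported log file. After enabling the rule's schedule, re-run the Delta import and ADSync and confirm the message no longer appears before concluding that the threshold is the reason the user is still listed under Default>User.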