The Active Directory synchronization schedule does not remove users' details for users that were deleted from Active Directory.

Article ID: 206660

Products

Client Management Suite

Issue/Introduction

The ADSync schedule does not remove users' details for users that were deleted from Active Directory.

Active Directory Sync is not deleting users from the Console under Organizational Views>Default>User.

It does correctly delete the users from the Console under Organizational Views>Active Directory Domains>[Active Directory Domain Name].

This happens in ITMS 8.5 RU3 and RU4.

1. Create user in AD under an OU

2. Run a User AD Import so the new user can be added

3. Verify that the new User exists under Manage>Organizational Views>Active Directory Domains>[Active Directory Domain Name]

4. Verify that the User is also present under Manage>Organizational Views>Default>User

5. Delete the User from AD (select the User>right-click>Delete)

6. Make sure ADSync is enabled and scheduled

7. Make sure the actual User AD Import Rule is enabled and scheduled

8. Run a Delta (or Full) AD Import for that User AD Import rule

9. Run ADSync schedule to trigger User deletion

10. Verify that the User is gone from both places

Results:
Active Directory Sync is not deleting users from the Console under Manage>Organizational Views>Default>User.
It does correctly delete the users from the Console under Manage>Organizational Views>Active Directory Domains>[Active Directory Domain Name].

Environment

Release: 8.5 RU3 and RU4

Component: Active Directory Sync

Resolution

There is a misunderstanding about how Users are removed in these locations:

  • Manage>Organizational Views>Active Directory Domains>[Active Directory Domain Name] > [OU name]
  • Manage>Organizational Views>Default>User

The scenario described above is correct behavior, because:

a) This is not actually a "deletion" in SMP terms: only the User's OU membership is removed, so the User no longer appears under the "Active Directory Domains" organizational view.

b) Until the resource is entirely deleted, it remains visible under the Default organizational view structure, which is a "resource type view" for all resources.

c) Actual resource deletion only happens after 7 days (the default value), controlled by the Core Setting "ADResyncDeleteResourcesThresholdDays":

  • 0 - no threshold, delete immediately
  • N - number of days since the last AD import in which this user was seen

<customSetting key="ADResyncDeleteResourcesThresholdDays" type="local" value="7" />

Note:
Deletion only happens if the User resource has no inventory changes during this threshold period; i.e., if any inventory class data was changed (the check is done against the ResourceUpdateSummary table), the resource will not actually be deleted. This check is only applied if the threshold value is greater than 0.
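
The deletion rules from items a) to c) and the Note, modeled as an added example (not SMP code and not part of the original article) so you can predict which removed AD users will still show under Default>User. The function names, the "at least N full days" comparison, and the rule that an inventory change counts when it is newer than the last import that saw the user are assumptions; the sample dates are constructed.

```python
# Added illustration: a model of the rules described in this article, not SMP code.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# The setting line as shown in the article.
SETTING_XML = '<customSetting key="ADResyncDeleteResourcesThresholdDays" type="local" value="7" />'


def read_threshold_days(setting_xml):
    """Return the threshold in days from a customSetting element."""
    elem = ET.fromstring(setting_xml)
    if elem.get("key") != "ADResyncDeleteResourcesThresholdDays":
        raise ValueError("unexpected setting key: %r" % elem.get("key"))
    days = int(elem.get("value"))
    if days < 0:
        raise ValueError("threshold must be 0 or greater")
    return days


def deletion_decision(threshold_days, last_seen_in_import, last_inventory_change, now):
    """Return (delete, reason) for a user that is no longer present in AD.

    last_seen_in_import: time of the last AD import that still contained the user.
    last_inventory_change: time of the newest inventory change, or None.
    Assumptions: the threshold is met once a full N days have elapsed, and an
    inventory change counts if it happened after last_seen_in_import.
    """
    if threshold_days == 0:
        # No threshold: the inventory check is not applied.
        return True, "threshold is 0, deleted immediately"
    if now - last_seen_in_import < timedelta(days=threshold_days):
        return False, "still inside the threshold window"
    if last_inventory_change is not None and last_inventory_change > last_seen_in_import:
        return False, "inventory changed during the threshold"
    return True, "threshold elapsed with no inventory change"


if __name__ == "__main__":
    now = datetime(2024, 1, 20)  # constructed sample data
    days = read_threshold_days(SETTING_XML)
    users = {
        "just-deleted": (datetime(2024, 1, 18), None),
        "stale": (datetime(2024, 1, 10), None),
        "stale-but-active": (datetime(2024, 1, 10), datetime(2024, 1, 15)),
    }
    for name, (seen, changed) in users.items():
        print(name, deletion_decision(days, seen, changed, now))
```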