When running a user import rule via the Microsoft Active Directory Import feature, with create organizational unit filters enabled, you may notice the associated filter is not updating to show the correct membership. For example, the security group in Active Directory may have 10 members, but the filter created from the import rule only has five members.
The association between the user and the import rule has been broken. When a resource, such as a user, is imported by the Microsoft Active Directory Import tool, it is associated with the rule that imported it. If that rule is later deleted, the association is broken. Creating a new rule to import the resources will not resolve the issue. As of April 21, 2023, this could be a bug.
Before making any changes, make sure you have a current backup of your Symantec_CMDB database.
To resolve this issue, find the orphaned GUID and associate it with the import rule in question.
In SQL, run the following query, taking note of the GUID(s) returned:
select r.Name, ii.*
from Inv_Import_Rule_Imported_Items ii
join vRM_Resource_Item r on r.Guid = ii._ResourceGuid
left join Item i on i.Guid = ii.ImportRuleGuid
where i.guid is null
The next step is to get the GUID of your import rule. You will want to run the following query, reviewing the Name column to find the import rule in question. Take note of the GUID returned from the query.
select * from vItem where classguid = 'B2378265-2779-49E6-998D-8BE620B3D9D9'
Now you should have the GUID for any missing associations to the import rule. You should also have the GUID of your current import rule in question.
We will now run the following SQL query to associate them correctly:
declare @newRuleGuid as uniqueidentifier = 'CC678B17-6D35-4221-99B9-BBDBC036E49A' -- Put the GUID found in Step 2 (current import rule) here
      , @oldRuleGuid as uniqueidentifier = '65B1BD43-BC8D-4CE5-AE4B-D771282E5180' -- Put the GUID found in Step 1 (orphaned GUID) here

update Inv_Import_Rule_Imported_Items
set ImportRuleGuid = @newRuleGuid -- New rule GUID
where ImportRuleGuid = @oldRuleGuid -- Old rule GUID

update [DirectoryImportRuleTree]
set [ImportRuleGuid] = @newRuleGuid -- New rule GUID
where [ImportRuleGuid] = @oldRuleGuid -- Old rule GUID

update [Inv_Directory_Import_Associations]
set [ImportRuleGuid] = @newRuleGuid -- New rule GUID
where [ImportRuleGuid] = @oldRuleGuid -- Old rule GUID
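A guarded variant of the statements above, as an added example that is not part of the original article: it refuses to run unless the old GUID is really orphaned and the new GUID is an import rule, then applies the three updates in one transaction and reports the rows changed. The two GUID values are the article's samples and must be replaced; it assumes vItem exposes a Guid column.

```sql
-- Added example: guarded re-association. Replace both sample GUIDs before running.
SET XACT_ABORT ON;  -- any runtime error rolls back the open transaction

DECLARE @newRuleGuid uniqueidentifier = 'CC678B17-6D35-4221-99B9-BBDBC036E49A'; -- current import rule (second query)
DECLARE @oldRuleGuid uniqueidentifier = '65B1BD43-BC8D-4CE5-AE4B-D771282E5180'; -- orphaned ImportRuleGuid (first query)
DECLARE @items int, @tree int, @assoc int;

-- Guard 1: the old GUID must be orphaned, i.e. have no row in Item.
IF EXISTS (SELECT 1 FROM Item WHERE Guid = @oldRuleGuid)
BEGIN
    RAISERROR('Old rule GUID still exists in Item; it is not orphaned.', 16, 1);
    RETURN;
END;

-- Guard 2: the new GUID must be an import rule (class GUID from the article's lookup).
-- Assumption: vItem exposes a Guid column alongside classguid.
IF NOT EXISTS (SELECT 1 FROM vItem
               WHERE Guid = @newRuleGuid
                 AND classguid = 'B2378265-2779-49E6-998D-8BE620B3D9D9')
BEGIN
    RAISERROR('New rule GUID is not an import rule in vItem.', 16, 1);
    RETURN;
END;

BEGIN TRANSACTION;

UPDATE Inv_Import_Rule_Imported_Items
SET ImportRuleGuid = @newRuleGuid WHERE ImportRuleGuid = @oldRuleGuid;
SET @items = @@ROWCOUNT;

UPDATE DirectoryImportRuleTree
SET ImportRuleGuid = @newRuleGuid WHERE ImportRuleGuid = @oldRuleGuid;
SET @tree = @@ROWCOUNT;

UPDATE Inv_Directory_Import_Associations
SET ImportRuleGuid = @newRuleGuid WHERE ImportRuleGuid = @oldRuleGuid;
SET @assoc = @@ROWCOUNT;

COMMIT TRANSACTION;

-- Rows changed per table; compare ImportedItems with the first query's rows for this GUID.
SELECT @items AS ImportedItems, @tree AS RuleTreeRows, @assoc AS AssociationRows;
```

Run it once per orphaned GUID when the first query returns more than one.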
Now you should be able to run your import rule, and the filter membership should properly match Active Directory.
If you're using a multi-domain environment, you may see an issue where, after running the import rule, the filter membership is now empty. To resolve this, modify the Microsoft Active Directory Rule and uncheck the option to use Global Catalog for cross-domain searches.