Controlling how local AD imported users or Azure AD imported user names are stored in “Symantec_CMDB” database or merged by directoryid resource key

Article ID: 385966


Products

IT Management Suite

Issue/Introduction

Use Case:
You are using your own SQL queries for custom Filters, so AD imported data must be stored in the database in the form DomainName\UserName.

Environment

ITMS 8.7.2, 8.7.3

Resolution

After applying point fix “SMA_SMP_8_7_2_PF_v8.zip” (on KB 366939 "CUMULATIVE POST ITMS 8.7.2 POINT FIXES") or “SMA_SMP_8_7_3_PF_v2.zip” (on KB 382575 "CUMULATIVE POST ITMS 8.7.3 POINT FIXES"), new functionality is available to control how the names of local AD imported users or Azure AD imported users are stored in the “Symantec_CMDB” database or merged by directoryid resource key.

How it worked before

After running a Users AD import, the user names were stored in the database as display name/full name.

To change this, after applying point fix “SMA_SMP_8_7_2_PF_v8.zip” (or later) or “SMA_SMP_8_7_3_PF_v2.zip” (or later), all existing Local AD Import rules and Azure AD Import rules have a new “Custom resource keys and names” option that is automatically enabled for each of the AD Import Rules (under Settings>All Settings>Notification Server>Microsoft Active Directory Import OR Actions>Discover>Import Microsoft Active Directory):

and Azure AD Import Rules (under Settings>All Settings>Notification Server>Cloud Authentication>Cloud Active Directory Import):

Example of default rules (under Settings>All Settings>Notification Server>Resource and Data Class Settings>Resource Types>Customization>Custom Resource Names) for local AD import in “Custom Resource Names” policy.

 

How it works now

After running a local Users AD import rule with the new “Custom resource keys and names” option enabled, all user names are stored in the database under the invariant name "Domain\Username" instead of the previous "Full Name/Display" name.

If you do not want to use this new functionality, uncheck the “Custom resource keys and names” option in any of your AD Import / Cloud AD Import Rules.

OR disable the global “Custom Resource Names” policy.


 

Use Case:
You have a local AD synchronized with Azure AD, and all local AD users are migrated to Azure AD, which causes ‘duplicate’ user names to appear in the SMP Console after the local AD users and Azure AD users are imported.


See KB 384426 "Importing Microsoft Entra groups creates additional users" for initial details on these changes to avoid this situation.

Previously, without the new functionality, you may have ended up with ‘duplicate’ users shown in the SMP Console.

Now, with the “Custom resource keys and names” option enabled in your Local AD and Azure AD Import rules, all ‘On-premise’ synchronized users in Azure AD and Local AD imported users are merged using these default “User” AD and AZ directoryid keys.

As a result, if you run the “Azure AD Users” import rule with the "Custom resource keys and names" option enabled, only a single Azure user is shown.

The next time you execute your Local “Users AD Import rule" with the “Custom resource keys and names” option enabled, the result is again only a single user from your local AD.
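The following read-only T-SQL checks are an added example, not part of the original article, for verifying both outcomes described above: names stored as Domain\Username for custom filter queries, and no leftover ‘duplicate’ users after the merge. The view vRM_User_Item, the table ResourceKey, their column names and the key name 'directoryid' are assumptions about the Symantec_CMDB schema; confirm them against your own database before relying on the results.

```sql
-- Added example, not from the original article. Read-only checks only.
-- Assumed schema: view vRM_User_Item (Guid, Name) and table ResourceKey
-- (ResourceGuid, KeyName, KeyValue). The key name 'directoryid' is assumed.
USE Symantec_CMDB;

-- 1. User resources NOT stored in the invariant Domain\Username form.
--    '_' matches exactly one character, so the pattern requires text on
--    both sides of the backslash (the backslash is literal in T-SQL LIKE).
SELECT u.Guid, u.Name
FROM vRM_User_Item AS u
WHERE u.Name NOT LIKE '_%\_%'
ORDER BY u.Name;

-- 2. Names carried by more than one user resource: candidates for the
--    'duplicate' users left by separate local AD and Azure AD imports.
SELECT u.Name, COUNT(*) AS ResourceCount
FROM vRM_User_Item AS u
GROUP BY u.Name
HAVING COUNT(*) > 1
ORDER BY ResourceCount DESC, u.Name;

-- 3. User resources with no directoryid key at all, which therefore
--    cannot take part in the directoryid-based merge.
SELECT u.Guid, u.Name
FROM vRM_User_Item AS u
WHERE NOT EXISTS (
    SELECT 1
    FROM ResourceKey AS rk
    WHERE rk.ResourceGuid = u.Guid
      AND rk.KeyName = 'directoryid'
)
ORDER BY u.Name;
```

Rows returned by the first query are the ones a custom filter keyed on Domain\Username would silently miss, so review them before using such filters to scope policies.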


 

Use Case:
You would like to store the names of all ‘on-premises’ synchronized users imported from Azure AD in the database in a format other than the Azure “PrincipalUserName” format (like [email protected]).

By default, user names are shown in the database this way after an Azure AD import.

You will need to manually create a new custom "iname" keyname rule for AZ (Azure).
Example:

After the Azure Users AD import rule is executed, these user names are shown in this way:


Another example is one where you manually type the required domain name in the custom resource name for Azure (in this example the domain IGORP is specified manually, followed by \{0}, which is the user name taken from the onPremisesSamAccountName property in Azure AD).

After the next Azure AD Users import, the user names are shown in the database in this way.