Cleaning up Active Directory (AD) imported computer accounts created by deleted AD import rules

Article ID: 151975

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

Resources imported by a Microsoft Active Directory Component import are not being deleted by the Active Directory Synchronization scheduled event.

Cause

The synchronization schedule takes all resources pulled in by all Active Directory import rules and deletes them if they no longer exist in Active Directory (unless a resource has become a managed computer, in which case Purge Maintenance handles any removal). Because of this design, if a rule is deleted, the synchronization schedule will not process the resources that were imported by it. The associations to the deleted rule need to be removed and the resources re-associated with an active corresponding rule. The Active Directory Synchronization will then process the resources correctly.

Resolution

The following SQL query finds the resources in the database that were imported by a rule which no longer exists and associates them with a current valid rule:

-- Pick a current valid import rule to re-associate the orphaned resources with
declare @RuleGuid uniqueidentifier
Set @RuleGuid = (select top 1 Guid from Item where ClassGuid = 'B2378265-2779-49E6-998D-8BE620B3D9D9')
-- Collect associations whose import rule no longer exists in Item,
-- substituting the valid rule GUID selected above
select ii._resourceguid, isnull (i.guid, @Ruleguid) as 'ImportRuleGuid', ii.ResKey, ii.IncludeInImportRule
into #UnmappedResources
from Inv_Import_Rule_Imported_Items ii
 left Join item i on i.guid = ii.importruleguid
 join item i2 on i2.guid = ii._resourceguid
where i.name is null
-- Only resources of the listed resource classes
and i2.classguid in ('539626D8-A35A-47EB-8B4A-64D3DA110D01', '9C8915A5-71DD-475D-A7B0-77CE8D0550B7',
'0BB82B8A-2C29-4962-B849-DBE18017DAA6', '9B9FF898-44D5-482E-8B9E-3F9997BD880E')
-- Only resources that are not already associated with any existing rule
and ii._resourceguid in (select ii._resourceguid
  from inv_import_rule_imported_items ii
  left join item i on i.guid = ii.importruleguid
  where i.guid is null
  and ii._resourceguid not in (select ii._resourceguid
   from inv_import_rule_imported_items ii
   join item i on i.guid = ii.importruleguid))
-- Add the new associations to the valid rule, then clean up the temp table
insert into Inv_Import_Rule_Imported_Items
(_ResourceGuid, ImportRuleGuid, ResKey, IncludeInImportRule)
select _ResourceGuid, ImportRuleGuid, ResKey, IncludeInImportRule from #UnmappedResources
Drop table #UnmappedResources

If there are computers that were imported from different domains, please see SymWISE Article TECH24681.

Note: For NS7, use the updated query below, which uses vItem instead of Item to locate a current valid import rule:

-- Pick a current valid import rule (looked up through vItem on NS7)
declare @RuleGuid uniqueidentifier
Set @RuleGuid = (select top 1 Guid from vItem where ClassGuid = 'B2378265-2779-49E6-998D-8BE620B3D9D9')
-- Collect associations whose import rule no longer exists in vItem,
-- substituting the valid rule GUID selected above
select ii._resourceguid, isnull (i.guid, @Ruleguid) as 'ImportRuleGuid', ii.ResKey, ii.IncludeInImportRule
into #UnmappedResources
from Inv_Import_Rule_Imported_Items ii
 left Join vitem i on i.guid = ii.importruleguid
 join vitem i2 on i2.guid = ii._resourceguid
where i.name is null
-- Only resources of the listed resource classes
and i2.classguid in ('539626D8-A35A-47EB-8B4A-64D3DA110D01', '9C8915A5-71DD-475D-A7B0-77CE8D0550B7',
'0BB82B8A-2C29-4962-B849-DBE18017DAA6', '9B9FF898-44D5-482E-8B9E-3F9997BD880E')
-- Only resources that are not already associated with any existing rule
and ii._resourceguid in (select ii._resourceguid
  from inv_import_rule_imported_items ii
  left join vitem i on i.guid = ii.importruleguid
  where i.guid is null
  and ii._resourceguid not in (select ii._resourceguid
   from inv_import_rule_imported_items ii
   join vitem i on i.guid = ii.importruleguid))
-- Add the new associations to the valid rule, then clean up the temp table
insert into Inv_Import_Rule_Imported_Items
(_ResourceGuid, ImportRuleGuid, ResKey, IncludeInImportRule)
select _ResourceGuid, ImportRuleGuid, ResKey, IncludeInImportRule from #UnmappedResources
Drop table #UnmappedResources
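
Added example (not part of the original article): a read-only preview to run before either query above. It makes no changes and uses only the tables, columns and class GUIDs that appear in the article's queries; the result column aliases (DeletedRuleGuid, Resources, ResourceGuid, ResourceName, ok, r) are names chosen for this example. It is written against Item; for NS7, substitute vItem as in the note above.

```sql
-- Read-only preview: SELECT statements only, nothing is inserted or deleted.
declare @RuleGuid uniqueidentifier
set @RuleGuid = (select top 1 Guid from Item
                 where ClassGuid = 'B2378265-2779-49E6-998D-8BE620B3D9D9')

-- 1. The rule the orphaned resources would be re-associated with.
--    No row here means no import rule exists: @RuleGuid is NULL and
--    the fix has no valid rule to point the resources at.
select i.Guid, i.Name
from Item i
where i.Guid = @RuleGuid

-- 2. Associations that point at a rule no longer present in Item,
--    grouped by the deleted rule's GUID.
select ii.ImportRuleGuid as DeletedRuleGuid,
       count(distinct ii._ResourceGuid) as Resources
from Inv_Import_Rule_Imported_Items ii
 left join Item i on i.Guid = ii.ImportRuleGuid
where i.Guid is null
group by ii.ImportRuleGuid

-- 3. The resources the fix would pick up: same resource classes as the
--    article's query, rule missing, and no association to any existing rule.
select i2.Guid as ResourceGuid, i2.Name as ResourceName,
       ii.ImportRuleGuid as DeletedRuleGuid
from Inv_Import_Rule_Imported_Items ii
 left join Item i on i.Guid = ii.ImportRuleGuid
 join Item i2 on i2.Guid = ii._ResourceGuid
where i.Guid is null
and i2.ClassGuid in ('539626D8-A35A-47EB-8B4A-64D3DA110D01',
                     '9C8915A5-71DD-475D-A7B0-77CE8D0550B7',
                     '0BB82B8A-2C29-4962-B849-DBE18017DAA6',
                     '9B9FF898-44D5-482E-8B9E-3F9997BD880E')
and not exists (select 1
                from Inv_Import_Rule_Imported_Items ok
                 join Item r on r.Guid = ok.ImportRuleGuid
                where ok._ResourceGuid = ii._ResourceGuid)
order by i2.Name
```

Running result set 3 again after the fix should return no rows, since every listed resource then has an association to an existing rule.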
 

Applies To

Notification Server 6.0
Microsoft Active Directory Component 6.1
Symantec Management Platform 7.0