
Active directory name change

Hello all,

I am in the process of building up EEM to roll out to different agencies within my domain. For ease of management, each agency has created a group in AD that will sync via the connector to the EEM group.

Thanks to this forum I got it working and it's great.

A few things I noticed:

If I have 1 user in the AD membership and sync to the EEM group, it replicates fine. If I delete the 1 member in the AD group, it disables it in EEM; however, if I have more than 1 it works. Example: I have 3 users, I delete 2 in AD, 2 get removed in EEM.

Another issue I have is that if I change the account logon name I was not able to see the change in EEM. Example: Jane Doe has an AD account JDoe; the new account was added to the AD group that syncs with EEM, and I have the account in the appropriate EEM group. Jane Doe changes her name; it's now Jane Smith.

The AD account is now changed to JSmith; at replication the EEM account is still JDoe.

I do not know if I am missing out on anything or for some reason the connector doesn't recognize the change.

I thank you all in advance, as I am learning this as I go. I inherited this and we want to implement it ASAP. I found these forums to be EXTREMELY helpful.

17 Replies
SafeBoot (Reliable Contributor)

Re: Active directory name change

Check your connector log - it will tell you why the rename did not occur. Perhaps the sAMAccountName for the user did not change, or you are not using sAMAccountName for bindings?

Regardless, the log will tell you what's going on.

Re: Active directory name change

You are so quick to respond, and thank you!!

I did check the logs and it picks up the account (old name) and states: no changes.

And yes, I am using the connector and I am using the sAMAccountName.

Thank you again

SafeBoot (Reliable Contributor)

Re: Active directory name change

Check the last change attribute between EEM and your AD - maybe the connector is talking to a different server than the one the account was first collected from, and the change attribute is higher than the value stored in EEM.

Re: Active directory name change

That is one of the reasons it is good to know the "Change attribute" setting. You should use only one server for the AD LDAP connection, or get rid of (empty) that value in the EEM connector settings.

Re: Active directory name change

First of all, there are quite a number of connector settings. It would be useful if you could list what you have set up in:

  • "User information" section -> "User attributes" tab -> "Binding attribute", "User name" and "Change attribute"

Did you set up the connector log in the main connector properties -> "Log" tab -> checkmark in "Enable logging of connector's activity"?

If you did, it would be nice to see that log too.

Re: Active directory name change

I attached a screenshot of the settings.

SafeBoot (Reliable Contributor)

Re: Active directory name change

There's your problem - whoever set it up changed the binding attribute to be DN instead of ObjectGUID. The DN changes when the name changes, so the connector won't find the original user any more.

The binding attribute should be something that's the same for the life of the account, not something that changes when the account moves OU or changes name, as you found.

You really need to set this back and use something like LinkUser to rebind everyone, otherwise your connector is going to be useless.

Re: Active directory name change

You have changed the Binding attribute to "dn". When you rename a user, the distinguished name is changed also, so it cannot carry the change.

Use the default "objectGUID" to link the EEPC user and the AD user more permanently.

Could you post connector log also? Situation would be more evident there.
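Added example (not part of this thread and not the McAfee connector's own code): a small Python simulation of one sync pass bound on objectGUID versus dn or sAMAccountName, over constructed AD records, showing why the rename in the two replies above is carried only when the binding attribute survives the rename. The "pre-Windows 2000" logon name edited in the last reply is the sAMAccountName attribute, which is the "User name" attribute the connector copies.

```python
# Constructed sample AD snapshots (not real directory data): Jane Doe is
# renamed to Jane Smith between the two collections. objectGUID is the
# only attribute that survives the rename unchanged.
AD_BEFORE = [
    {"objectGUID": "guid-0001", "sAMAccountName": "JDoe",
     "distinguishedName": "CN=Jane Doe,OU=Users,DC=example,DC=com"},
    {"objectGUID": "guid-0002", "sAMAccountName": "BJones",
     "distinguishedName": "CN=Bob Jones,OU=Users,DC=example,DC=com"},
]
AD_AFTER = [
    {"objectGUID": "guid-0001", "sAMAccountName": "JSmith",
     "distinguishedName": "CN=Jane Smith,OU=Users,DC=example,DC=com"},
    {"objectGUID": "guid-0002", "sAMAccountName": "BJones",
     "distinguishedName": "CN=Bob Jones,OU=Users,DC=example,DC=com"},
]


def sync(eem_users, ad_users, binding_attr):
    """One simulated connector pass: match EEM users to AD on binding_attr.

    eem_users maps binding value -> {"username", "enabled"} and is updated
    in place. Returns the ordered list of events the pass produced.
    """
    events = []
    by_key = {u[binding_attr]: u for u in ad_users}
    for key, rec in eem_users.items():
        ad = by_key.get(key)
        if ad is None:                      # bound object no longer found
            rec["enabled"] = False
            events.append(("disabled", rec["username"]))
        elif ad["sAMAccountName"] != rec["username"]:
            events.append(("renamed", rec["username"], ad["sAMAccountName"]))
            rec["username"] = ad["sAMAccountName"]   # user name follows AD
        else:
            events.append(("no change", rec["username"]))
    for key, ad in by_key.items():          # anything unbound is a new user
        if key not in eem_users:
            eem_users[key] = {"username": ad["sAMAccountName"], "enabled": True}
            events.append(("created", ad["sAMAccountName"]))
    return events


def run(binding_attr):
    """Collect once, apply the rename, collect again; return the second pass."""
    eem = {}
    sync(eem, AD_BEFORE, binding_attr)
    return sync(eem, AD_AFTER, binding_attr)


if __name__ == "__main__":
    for attr in ("objectGUID", "distinguishedName", "sAMAccountName"):
        print(attr, run(attr))
```

Bound on dn or sAMAccountName the old user is disabled and a second, unlinked JSmith is created, which is the "still JDoe" state the original post describes; only the objectGUID binding produces a rename.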

Re: Active directory name change

I tried changing those settings and it did not work. What I did find out is that I had to change the account name in the pre-Windows 2000 box (ehs\accountname); then the change replicated.
