
FYI: sbadmcl to fix "...change attribute older than current users: Ignoring other changes"

I recently worked through an issue with encryption and the synchronization from Active Directory. I was getting errors in the MEE connector logs: "...change attribute older than current users: Ignoring other changes"

It seems some user attribute(s) were not replicating via the connector. Troubleshooting revealed that the issue began after our recent AD upgrade; I had previously pointed the AD Connector to our new DC...

Thanks to this forum, I looked at the "uSNChanged" value, which wasn't replicated between old and new DCs. The "uSNChanged" value being higher in MEE than in AD would cause the connector job to ignore changes, as was indicated in the connector logs. To verify, I manually edited the MEE user attribute "SbAdCon0.changes" to "0" for an individual account; the connector log (and MEE DB) indicate updated user attributes... yay.

So it seems that my issue was due to attributes in MEE being interpreted by the MEE connector query (SbAdCon0.changes) as newer than what is in AD within the "uSNChanged" field, therefore not updating…

Worked out a fix which seems to be working in test… scripting a two-part fix to the MEE database using sbadmcl.exe

Step 1: (The following will change the connector reference)

     sbadmcl -AdminUser:admin -AdminPwd:xxxxx -command:ChangeBindingname -group:* -OldBind:SbAdCon0.changes -NewBind:SbAdCon9.changes

Step 2: Manually run the AD connector, which will generate new SbAdCon0.changes

Step 3: (The following will remove the previously renamed entries and corresponding (incorrect) values... cleanup:)

     sbadmcl -AdminUser:admin -AdminPwd:xxxxx -command:ChangeBindingname -group:* -OldBind:SbAdCon9.changes -NewBind:

Thought I'd share my experience, since this forum has helped me in the past... and because the documentation (scripting tool guide) lists the -command:ChangeBindingname incorrectly as -command:changebinding, which threw me for a loop.
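
The mismatch described in this post can be checked directly in AD before touching the MEE database. The following is an added example, not part of the original post or of any McAfee tooling: it compares each user's uSNChanged on the old and new DC and lists the accounts where the old DC's value is higher. It assumes the RSAT ActiveDirectory module, that the old DC is still reachable, and that the connector's stored value came from the old DC; the server names and search base are placeholders.

```powershell
# Added example: compare per-DC uSNChanged values for the same user objects.
# uSNChanged is local to each domain controller and is not replicated,
# so the same user normally carries a different value on every DC.
Import-Module ActiveDirectory

$OldDC      = 'old-dc.example.local'          # placeholder: DC the connector used before
$NewDC      = 'new-dc.example.local'          # placeholder: DC the connector uses now
$SearchBase = 'OU=Users,DC=example,DC=local'  # placeholder: OU the connector synchronizes

function Get-UsnMap {
    # Returns a hashtable of ObjectGUID -> uSNChanged as seen by one DC.
    param([string]$Server, [string]$SearchBase)
    $map = @{}
    Get-ADUser -Server $Server -SearchBase $SearchBase -Filter * -Properties uSNChanged |
        ForEach-Object { $map[$_.ObjectGUID] = [int64]$_.uSNChanged }
    return $map
}

$oldUsn = Get-UsnMap -Server $OldDC -SearchBase $SearchBase

$report = Get-ADUser -Server $NewDC -SearchBase $SearchBase -Filter * -Properties uSNChanged |
    ForEach-Object {
        if ($oldUsn.ContainsKey($_.ObjectGUID)) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                OldDcUsn       = $oldUsn[$_.ObjectGUID]
                NewDcUsn       = [int64]$_.uSNChanged
                # Assumption from the post: a stored value taken from the old DC
                # that exceeds the new DC's value makes the connector skip the user.
                WouldBeIgnored = $oldUsn[$_.ObjectGUID] -gt [int64]$_.uSNChanged
            }
        }
    }

$affected = @($report | Where-Object WouldBeIgnored)
"{0} of {1} users have a higher uSNChanged on the old DC" -f $affected.Count, @($report).Count
$affected | Sort-Object SamAccountName | Export-Csv -NoTypeInformation -Path .\usn-mismatch.csv
```

A large affected count supports a bulk reset such as the sbadmcl steps above; a handful of accounts can be handled individually.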

3 Replies
Reliable Contributor SafeBoot
Message 2 of 4

Re: FYI: sbadmcl to fix "...change attribute older than current users: Ignoring other changes"

You could have just deleted the existing binding value, or set it to "0" rather than renaming it?

Re: FYI: sbadmcl to fix "...change attribute older than current users: Ignoring other changes"

Manually doing this one-by-one wouldn't be feasible given that thousands needed to be updated...

On an individual basis, that would be the way to go for sure.

Reliable Contributor SafeBoot
Message 4 of 4

Re: FYI: sbadmcl to fix "...change attribute older than current users: Ignoring other changes"

There are API commands to both delete the binding and set its value.

Message was edited by: SafeBoot on 8/22/11 10:12:16 AM EDT