cancel
Showing results for 
Search instead for 
Did you mean: 

FYI: sbadmcl to fix "...change attribute older than current users: Ignoring other changes"

I recently worked through an issue with encryption and the synchronization from active directory.  I was getting errors in the MEE connector logs: "...change attribute older than current users: Ignoring other changes"

Seems some user attribute(s) were no replicating via connector.  Troubleshooting revealed that after our recent AD upgrade the issue began, I had previously pointed the AD Connector to our new DC...

Thank to this forum, I looked at "uSNChanged” value, which wasn't replicated between old and new DCs.  The “uSNChanged” value being higher in MEE than in AD would cause the connector job to ignore changes as was indicated in the connector logs.  To verify, I manually edited the MEE User attributes “SbAdCon0.changes” to “0” for an individual account, the connector log (and MEE DB) indicate updated user attributes... yay.

So it seems that my issue was due to attributes in MEE being interpreted by MEE connector query (sBAdCon0.changes) as newer than that which is in AD within the “uSNChanged” field, therefore not updating… 

Worked out a fix which seems to be working in test… scripting a two part fix to the MEE database using sbadmcl.exe

Step1: (The following will change the connector reference)

     sbadmcl -AdminUser:admin -AdminPwd:xxxxx -command:ChangeBindingname -group:* -OldBind:SbAdCon0.changes -NewBind:SbAdCon9.changes

Step2: Manually run the AD connector which will generate new SbAdCon0.changes

Step3: (The following will remove the previously renamed entries and corresponding (incorrect) values...cleanup:)

     sbadmcl -AdminUser:admin -AdminPwd:xxxxx -command:ChangeBindingname –group:* -OldBind:SbAdCon9.changes -NewBind:

Thought I'd share my experience, since this forum has helped me in the past... and that the documentation (scripting tool guide) lists the -command:ChangeBindingname incorrectly as -command:changebinding which threw me for a loop.

3 Replies
Reliable Contributor SafeBoot
Reliable Contributor
Report Inappropriate Content
Message 2 of 4

Re: FYI: sbadmcl to fix "...change attribute older than current users: Ignoring other changes"

you could have just deleted the existing binding value, or set it to "0" rather than renaming it?

Re: FYI: sbadmcl to fix "...change attribute older than current users: Ignoring other changes"

Manually doing this on a one-by-one wouldn't be feasible given thousands needed to be updated...

on an individual basis, that would be the way to go for sure.

Reliable Contributor SafeBoot
Reliable Contributor
Report Inappropriate Content
Message 4 of 4

Re: FYI: sbadmcl to fix "...change attribute older than current users: Ignoring other changes"

There are API commands to both delete the binding, and set its value

Message was edited by: SafeBoot on 8/22/11 10:12:16 AM EDT
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community