FDRLLGR
Level 7
Message 1 of 11

Active Directory Users - Slow Ldap sync and stale accounts

Is the LDAP sync designed only to add users to ePO but not remove them when they have been deleted?

We are seeing an issue where we seem to be accumulating user accounts in ePO. This has gone so far that we now have almost double the number of users in the ePO DB compared to what we have in AD.

We are also seeing a slow LDAP sync server task, which is taking up to 3 hours although we are not that big a company (< 6000 users). Any ideas are appreciated.

Thank you!

10 Replies
McAfee Employee hem
McAfee Employee
Message 2 of 11

Re: Active Directory Users - Slow Ldap sync and stale accounts

If you are using AD users to log in to the ePO server, then the user will not be deleted if it gets removed from AD.

Reason: if you delete the users from the ePO server, then you will also lose the policies/tasks/queries that user has created.

The LDAP sync task should not take 3 hours. I would first start by looking at the server task log. Does it get stuck at some particular user group?

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
McAfee Employee vivs
McAfee Employee
Message 3 of 11

Re: Active Directory Users - Slow Ldap sync and stale accounts

Hello,

We do have an option in the System Tree > Group Details: Edit > Active Directory

[Screenshot: clipboard_image_0.png]


Was my reply helpful?
If you find this post useful, please give it a Kudos! | Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

McAfee Employee cdinet
McAfee Employee
Message 4 of 11

Re: Active Directory Users - Slow Ldap sync and stale accounts

There are 2 different LDAP sync types. One, from the system tree that you sent a screenshot of, syncs only systems, not users, from the Active Directory OUs that you are pointing the sync point to. The Sync LDAP Users task is used for user-based policy assignments, not ePO login accounts. That syncs the users in AD so they can be assigned to systems for purposes of encryption, or other user-based policy assignments. So we need to identify exactly what is stale. Computer systems, ePO user accounts, or what?

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

FDRLLGR
Level 7
Message 5 of 11

Re: Active Directory Users - Slow Ldap sync and stale accounts

I was referring to users of our Windows 10 client systems, i.e. not ePO users and not machine accounts. Thank you!

McAfee Employee cdinet
McAfee Employee
Message 6 of 11

Re: Active Directory Users - Slow Ldap sync and stale accounts

If you are leaving systems in the system tree as they are removed from AD, then that will produce the issue with your old systems still hanging around in ePO. You should always delete them, but don't check the box to remove the agent. If the systems no longer exist, then they will never get the uninstall command.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

FDRLLGR
Level 7
Message 7 of 11

Re: Active Directory Users - Slow Ldap sync and stale accounts

I was referring to users of our Windows 10 client systems, i.e. not ePO users and not machine accounts. Thank you!

McAfee Employee hem
McAfee Employee
Message 8 of 11

Re: Active Directory Users - Slow Ldap sync and stale accounts

Users of Win 10 machines? Do you mean MDE Activation taking longer time?

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
FDRLLGR
Level 7
Message 9 of 11

Re: Active Directory Users - Slow Ldap sync and stale accounts

Apologies, I am still new to the product so please bear with me ...

 

First of all about the Ldap Sync. I checked the server task log and there are a few entries like the below

   Warning: Recursive loop detected while linking [I am removing the group names here]

Looking at the time codes, the process only takes a minute or two to process these.

Most of the time is spent processing large groups like the All-HeadOffice Users group and the Domain Users group. This can take an hour or longer. Our ePO DB is running on a separate server that recently received a nice resource upgrade. I do not have the exact specs at hand, but they are generous. One reason to upgrade the resources was the hope of getting the sync times down, but it has not shown any effect. BTW, we also enabled Database Mirroring, which also did not help.

With regard to the users, I was trying to clarify that I am not talking about users that would have access to ePO but about our normal company users. I am starting to think, however, that what I referred to as an issue with stale user accounts is actually an issue or question relating to FRP keys assigned to AD users. What I first thought to be AD user accounts synced to ePO are probably active keys in the FRP module. At least, that is where they appear. It looks like we have about 10000 keys active while we only have about 5000 users. Why the keys remain in the system even if the AD user has been removed is probably a question for a different forum though. In any case, let's stick with the question of the slow sync.

Thank you very much in advance!
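As an added illustration (not McAfee or ePO code, and not posted by anyone in this thread), the constructed Python below models the two behaviours described in the post above: a group-of-group membership loop that produces a warning of the "Recursive loop detected while linking" kind, and a large nested group whose expansion dominates the work. All DNs are constructed sample data, and the cost model (one expansion per group visit, results cached only for loop-free subtrees) is an assumption about how a sync that follows nested groups might behave, not a description of ePO's implementation.

```python
"""
Flatten nested AD group membership with cycle detection and memoization.

Constructed example (not McAfee/ePO code). Models why a user sync that
follows group-of-group links can log "Recursive loop detected while
linking ..." and why large, deeply nested groups dominate sync time.
"""

# Constructed directory snapshot: group DN -> direct member DNs.
# Members that are themselves keys of this dict are nested groups.
# The Sales <-> Sales-Leads link is a deliberate membership loop.
BASE = "OU=Groups,DC=example,DC=local"
USERS = "OU=Users,DC=example,DC=local"
DIRECTORY = {
    f"CN=Domain Users,{BASE}": [
        f"CN=All-HeadOffice Users,{BASE}",
        f"CN=Sales,{BASE}",
        f"CN=user0001,{USERS}",
    ],
    f"CN=All-HeadOffice Users,{BASE}": [
        f"CN=Finance,{BASE}",
        f"CN=Sales,{BASE}",  # shared subgroup: expanded again unless cached
        f"CN=user0002,{USERS}",
    ],
    f"CN=Finance,{BASE}": [f"CN=user0003,{USERS}", f"CN=user0004,{USERS}"],
    f"CN=Sales,{BASE}": [f"CN=Sales-Leads,{BASE}", f"CN=user0005,{USERS}"],
    f"CN=Sales-Leads,{BASE}": [f"CN=Sales,{BASE}", f"CN=user0006,{USERS}"],
}


def resolve_members(group_dn, directory, cache, path, warnings, stats):
    """Return (users, complete) for group_dn.

    users    -- set of user DNs reachable through nested groups
    complete -- False if a membership loop was hit under this group; such
                results are not cached, so every pass over a loop is
                re-expanded (one reason loops in big groups are expensive)
    """
    if group_dn in cache:
        return cache[group_dn], True
    if group_dn in path:
        # Back-edge to a group still being expanded: report the loop and
        # stop descending so the sync terminates instead of recursing forever.
        loop = " -> ".join(path[path.index(group_dn):] + [group_dn])
        warnings.append(f"Recursive loop detected while linking {loop}")
        return set(), False
    stats["expansions"] += 1
    path.append(group_dn)
    users, complete = set(), True
    for member in directory.get(group_dn, []):
        if member in directory:  # nested group
            sub, sub_complete = resolve_members(
                member, directory, cache, path, warnings, stats)
            users |= sub
            complete = complete and sub_complete
        else:  # leaf user object
            users.add(member)
    path.pop()
    if complete:
        cache[group_dn] = users
    return users, complete


def flatten_group(group_dn, directory):
    """Flatten one group; returns its users, loop warnings and expansion count."""
    warnings, stats = [], {"expansions": 0}
    users, _ = resolve_members(group_dn, directory, {}, [], warnings, stats)
    return {"users": sorted(users), "warnings": warnings,
            "expansions": stats["expansions"]}


if __name__ == "__main__":
    result = flatten_group(f"CN=Domain Users,{BASE}", DIRECTORY)
    print(len(result["users"]), "users;", result["expansions"], "group expansions")
    for w in result["warnings"]:
        print("Warning:", w)
```

Flattening the constructed "Domain Users" group yields 6 distinct users but 7 group expansions and two loop warnings: the Sales subtree is reached twice and, because it contains a loop, is never cached, so it is walked in full each time. In a real directory the same pattern under a very large group means the warning itself is cheap but the repeated expansion is not, which is why removing the circular nesting in AD (rather than adding ePO or SQL resources) is the fix to look at first when a large group dominates the task log.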

 

McAfee Employee cdinet
McAfee Employee
Message 10 of 11

Re: Active Directory Users - Slow Ldap sync and stale accounts

The slow sync isn't necessarily tied to the ePO server resources, but also to your domain controller, network latency/bottlenecks, SQL performance and whether there are deadlocks or not, connection time to the LDAP server, etc. So you see, it isn't always that easy to track down. I would first move this to the encryption team for them to work with you on that; sometimes there are LDAP settings they are more familiar with that may help. As users are removed from AD, they should be removed from ePO also on the sync. So if your FRP keys aren't being cleared up, they would know more about that. If you want, I can move this to their forum, or we can leave this here and you open a new post explaining the encryption issue with that team and let us know the results.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
