6 Replies Latest reply on Jun 29, 2009 5:53 AM by mustangmike

    Problems with AD Sync pulling user accounts across

      We have been running our AD connector for our environment for some time. Just after the recent upgrade to 5.1.7 we noticed that our help desk users were not coming over to the correct group and were being dropped in the (no mappings) group. We have done everything: created a new security group, repointed it to Endpoint. When we added a completely new user to the security group, that user did come over into the proper user group in Endpoint.

      However, doing a delete with an old account in AD and a recreate does not produce the same results. It seems like, for whatever reason, Endpoint is ignoring those accounts that at one time presented no problems at all.

      Thanks
        • 1. RE: Problems with AD Sync pulling user accounts across
          What does the connector log tell you?
          • 2. RE: Problems with AD Sync pulling user accounts across
            I'm not on that end of the setup; it's done higher up by a different group. They have had us making all kinds of changes, but the users never make it into the group...

            Thanks
            • 3. RE: Problems with AD Sync pulling user accounts across
              They need to look at the connector logs then - that will tell them why the users are being ignored.
              • 4. RE: Problems with AD Sync pulling user accounts across
                Thanks, I will forward your comments.

                Regards
                • 5. RE: Problems with AD Sync pulling user accounts across
                  mwilke
                  I am working with ol MustangMike on this too. Here is what is happening.

                  Everything was working as it should be up until we upgraded them to 5.1.8.

                  Since then, it is moving the users that are supposed to go to their MEE Help Desk group to the NO MAPPINGS group we have set up in the Object Directory.

                  These users are being mapped to a specific Security Group in AD.

                  There are 9 users who are members of this security group, and every time the connector runs it moves these 9 folks to the NO MAPPINGS group because it says that no mapping exists.

                  If we create a brand new user in AD and tie them to the same security group and then run the AD Connector, it moves the 9 originals to NO MAPPINGS and puts the new AD user in the proper MEE Help Desk group.

                  So I know there is no issue with the syntax of the mappings or any of the settings; otherwise all members of this security group would behave the same. I am thinking this is something weird in AD that is going on. I have looked at the sync logs and it doesn't say that it is ignoring the users; it says that they are being moved, with no indication as to why. I know why: the AD connector is not recognizing that these folks are actually members of the Security Group. But why is it moving the one new guy to the proper place?


                  Any suggestions? Has anyone had anything similar?

                  I am fresh out of options at this point.
                  • 6. RE: Problems with AD Sync pulling user accounts across
                    We had seen similar behavior before the upgrade with security groups that, for whatever reason, would fail to get those users into the proper Endpoint groups. We had one case where we had the same users in two security groups that were both being seen by the Endpoint Connector. One group was added one week, pulling those folks into the unintended group in Endpoint; a couple of weeks later, the "intended" security group was added, but accounts are only allowed to exist once, so Endpoint was ignoring the second security group's contents (as it should).

                    Once we found that we had by mistake pointed users twice in Endpoint, we removed those users from the first security group, leaving only the intended users in the 1st security group. Well, after many syncs Endpoint failed to allow those users to be mapped to the intended security group.

                    What did we do? We deleted the intended security group, created a new one in AD, pointed Endpoint to it, and that worked. However, this is not the case with our current issue that we are discussing now.