5 Replies Latest reply on Jun 8, 2011 10:25 AM by SafeBoot

    User moving Groups in Endpoint

      I seem to have a strange issue where every morning a user seems to move from one group in Endpoint to another, and this messes up her Safeboot. There is a script which syncs all users and machines from the AD, but would this cause the user account to move?

        • 1. Re: User moving Groups in Endpoint

          Your script is the obvious target for investigation - does it create any logs?

           

          The Connector Manager would do that based on group mapping rules, but if you're using your own script to do that task you need to look there.

          • 2. Re: User moving Groups in Endpoint

            I am using the Connector Manager and when the log file is examined the section for the user states as follows.

             

            01/06/2011 11:32:54  Checking Endpoint Encryption User Person_A

            01/06/2011 11:32:54  ...Logon hours updated

            01/06/2011 11:32:55  ...moving user from Users - Active group to User Default group

             

            There seems to be nothing different in this user's profile on the AD or within Endpoint to suggest why the script would move her, and this seems to be the only user having this issue.

             

            Do you have any ideas or a course of action?

            • 3. Re: User moving Groups in Endpoint

              It's due to the group mappings you have set up - something in that user is causing it to get mapped to that group.

               

              I would look at the user with LDAPBrowser, and compare their attributes to the rules you've set in the group mappings - maybe there's a typo in their AD record or something. These things are usually quite obvious when you get to the real facts of the matter.

              • 4. Re: User moving Groups in Endpoint

                It appears that the issue is to do with the AD connector; this was not used in the previous version of the setup. Before, when the encryption was deployed, it checked the user logging on: a script ran locally on the computer and added it to the EEM. I have noticed now that the users being added using the AD connector have different bindings, and these are the users that move when the AD Connector syncs.

                Old script-added users have:

                SBADCON1.att - objectGUID, SBADCON1.val - USERID, SBADCON1.username - USERID.

                 

                The AD Connector-added users have:

                SBADCON0.changes - NUM, SBADCON0.username - USERID.

                 

                Any advice?

                • 5. Re: User moving Groups in Endpoint

                  The connector is doing what its configuration tells it to do - but that connector won't touch users created with your script (they are set to use a different connector instance).

                   

                  So, again, the users move because the connector group mappings tell them to be somewhere they are not - you, I guess, are moving them back, and then the connector is putting them back where it's been told to put them.

                   

                  So, you need to edit the group mappings to make the users go where you want them to be.
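
As an added example (not part of the thread and not vendor code), this Python sketch scans a Connector Manager log in the format quoted in reply 2 and lists users the connector moves between the same two groups on more than one day, which is the move-back-and-forth pattern reply 5 describes. The sample log is constructed, and the line format beyond the three lines quoted in the thread is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in reply 2 (users and dates are made up).
SAMPLE_LOG = """\
01/06/2011 11:32:54  Checking Endpoint Encryption User Person_A
01/06/2011 11:32:54  ...Logon hours updated
01/06/2011 11:32:55  ...moving user from Users - Active group to User Default group
01/06/2011 11:32:56  Checking Endpoint Encryption User Person_B
01/06/2011 11:32:56  ...Logon hours updated
02/06/2011 11:30:10  Checking Endpoint Encryption User Person_A
02/06/2011 11:30:11  ...moving user from Users - Active group to User Default group
02/06/2011 11:30:12  Checking Endpoint Encryption User Person_C
02/06/2011 11:30:13  ...moving user from User Default group to Users - Active group
"""

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4}) \d{2}:\d{2}:\d{2}\s+(.*)$")
CHECK = re.compile(r"^Checking Endpoint Encryption User (.+)$")
MOVE = re.compile(r"^\.\.\.moving user from (.+) group to (.+) group$")

def find_moves(log_text):
    """Return {user: [(date, from_group, to_group), ...]} for every logged move."""
    moves, current_user = defaultdict(list), None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        date, msg = m.groups()
        check, move = CHECK.match(msg), MOVE.match(msg)
        if check:
            current_user = check.group(1).strip()  # following lines belong to this user
        elif move and current_user:
            moves[current_user].append((date, move.group(1), move.group(2)))
    return dict(moves)

def repeat_movers(moves):
    """Users moved between the same two groups on more than one day."""
    result = {}
    for user, events in moves.items():
        days = defaultdict(set)
        for date, src, dst in events:
            days[(src, dst)].add(date)  # dates kept as strings, not interpreted
        repeated = {pair: sorted(d) for pair, d in days.items() if len(d) > 1}
        if repeated:
            result[user] = repeated
    return result

if __name__ == "__main__":
    print(repeat_movers(find_moves(SAMPLE_LOG)))
```

Users reported by `repeat_movers` are the ones whose directory attributes should be compared against the group mapping rules, as reply 3 suggests.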