0 Replies Latest reply on Aug 11, 2015 9:16 AM by phlegm

    How to exclude branch from AD sync? Duplicate users due to domain structure.

    phlegm

      We recently migrated from one domain to another at work. In the new domain we actually can see both. Not sure if this makes sense. Hope this helps.

      New domain
        |-- companyA
        |-- companyB
        |-- companyC
        `-- old domain trees
              |-- companya
              `-- companyb


      The problem is that our AD sync from the new domain pulls down both branches.

      Our encryption client is set to add to the preboot any user who has previously logged on to that machine.

      This means that we end up with a user from companyA as well as the same user from companya on the old domain tree.

      They will have different passwords.

       

      Now when a user logs in to preboot there is no domain info and it just seems to pick one at random to use for authentication.

      This causes many failures. The fix is to do a recovery to get them booted, reset their SSO and token, and then force them to change their Windows password on the new domain.

      After a sync they are fixed.

       

      Now for my question. Is there a way in our AD sync task to ignore a certain branch of the domain? That way only their new IDs will get pulled down.

      If not, what does the encryption client sync task look at when deciding which users to add to the preboot?

      As it adds users who have logged onto the machine previously, does it look for profile folders, registry info, etc.? Maybe we could push out a change to desktops this way.
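Before changing the sync task, it helps to know exactly which accounts exist under both trees, since those are the users who will hit the random-pick failure at preboot. The following is an added example, not code from the original post or from the encryption product's own tooling: it queries each tree with the ActiveDirectory module and lists every sAMAccountName that appears in both, along with each copy's DN and PasswordLastSet so you can see which identity carries the new password. The distinguished names and server names are assumptions and need replacing with your own.

```powershell
# Added example (not from the original post). Finds sAMAccountNames that exist
# under both the new domain tree and the old domain tree, which is the condition
# that produces duplicate preboot users described above.
#
# Assumptions (hypothetical, adjust to your forest):
#   - new tree root:  DC=new,DC=example,DC=com, served by dc1.new.example.com
#   - old tree root:  DC=old,DC=example,DC=com, served by dc1.old.example.com
# -Server is required when the old tree is a separate domain in the forest;
# it is harmless if the old tree is only an OU inside the new domain.
Import-Module ActiveDirectory

$NewTree   = 'DC=new,DC=example,DC=com'   # assumed DN of the new domain tree
$NewServer = 'dc1.new.example.com'        # assumed DC for the new domain
$OldTree   = 'DC=old,DC=example,DC=com'   # assumed DN of the old domain tree
$OldServer = 'dc1.old.example.com'        # assumed DC for the old domain

$props = 'PasswordLastSet', 'Enabled'

$newUsers = Get-ADUser -Filter * -SearchBase $NewTree -SearchScope Subtree `
                       -Server $NewServer -Properties $props
$oldUsers = Get-ADUser -Filter * -SearchBase $OldTree -SearchScope Subtree `
                       -Server $OldServer -Properties $props

# Index the old tree by lower-cased sAMAccountName; preboot has no domain
# context, so a case-insensitive name match is what collides there.
$oldByName = @{}
foreach ($u in $oldUsers) {
    $oldByName[$u.SamAccountName.ToLowerInvariant()] = $u
}

# Every new-tree user whose name also exists in the old tree is a candidate
# for the duplicate-preboot-user problem.
$dupes = foreach ($u in $newUsers) {
    $key = $u.SamAccountName.ToLowerInvariant()
    if ($oldByName.ContainsKey($key)) {
        $old = $oldByName[$key]
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            NewDN             = $u.DistinguishedName
            NewEnabled        = $u.Enabled
            NewPasswordSet    = $u.PasswordLastSet
            OldDN             = $old.DistinguishedName
            OldEnabled        = $old.Enabled
            OldPasswordSet    = $old.PasswordLastSet
        }
    }
}

$dupes | Sort-Object SamAccountName | Format-Table -AutoSize
# Keep a record of the affected users for the recovery/reset work.
$dupes | Export-Csv -NoTypeInformation -Path .\duplicate-preboot-candidates.csv
Write-Host ("{0} account name(s) exist in both trees" -f @($dupes).Count)
```

Run it from a workstation with RSAT and rights to read both trees. The CSV gives you the list of users to target for the SSO/token reset and password change, and, if the old-tree copies are all disabled, it also tells you whether an `Enabled -eq $true` filter on the sync side would be enough to keep them out of the preboot list.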