
Deprovisioning Task for Deleted User Removes All Members of AD Group

jared_kobe
Participant
0 Kudos

Hello all,

I was wondering if anyone had ever encountered this issue before. We're on 7.1 SP5.

Here's the setup, we have several privileges that are linked to Active Directory Group membership. We have tasks set up to add or remove a user from the membership list of the AD group that are linked to the Provision and Deprovision tasks on the privilege. This has been working very efficiently for us: when a user is assigned the privilege they are added to the group, and when it is removed they are removed from the group. There are no approvals involved.

Recently, we've run into an issue that when a user with a privilege gets deleted from the Identity Store, the Deprovision task gets kicked off, but the user DN that is passed in the LDAP task is NULL. This essentially sets the member attribute on the AD Group to NULL, thus removing all members.

Typically it will throw a warning about deleting obsolete entries and never updates the group. The event tasks seem to be kicked off after the entry is removed from the Identity Store, so it does not seem like a timing issue.

We've had this up and running for several months, but only recently have we had the issue. It does not seem to be restricted to any group, but it will not happen for all the groups. The users in question have had other privileges corresponding to AD group access, but those groups were not emptied.

Any help would be appreciated.

Thanks,

Jared

Accepted Solutions (0)

Answers (1)

former_member2987
Active Contributor
0 Kudos

Jared,

I'd make sure that you're removing the users from the groups before deleting / ModRDNing the user.

If you have it set up this way are you using an Ordered task?

You going to be at TechED?

Matt

jared_kobe
Participant
0 Kudos

Matt,

The problem is that this is not being initiated from a task, but from our nightly maintenance job. These users are falling off because of AD updates outside of our system.

If a DN is deleted from AD, it's already been removed from the groups in AD, but the privileges in our Identity Store haven't synced yet. If we strip all privileges before the entry is deleted, and the DN is no longer valid, the event task will bomb because it is trying to remove a user that doesn't exist anymore.

I'm thinking of just trapping it in the jobs with a script that checks that the user DN is not null. If it is, just skip the entry.

And yes, I will be at TechEd.

Thanks,

Jared

former_member2987
Active Contributor
0 Kudos

Jared,

Strangely enough a similar problem appeared on my current project yesterday.

The solution is very much along the lines of what you're suggesting.

Just have a script that is passed the DN and checks if it is empty. If it is, put in a dummy value, skip, email notification, whatever.

See you in September!

Matt
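The guard both posts describe, written as an added plain-JavaScript example that is not code from this thread or from SAP IdM. It assumes the task script receives the user DN as a string, models the group's `member` attribute as a constructed array, and shows why an unchecked empty DN empties the group while the checked version leaves membership untouched:

```javascript
// Added example, not SAP IdM code: guard an LDAP "remove member" step
// against an empty/NULL user DN. Names and data here are assumptions.

// Sentinel handed back instead of the DN so the calling task can skip.
var SKIP_MARKER = "__SKIP_DEPROVISION__";

// Loose check: non-blank, not the literal "NULL", and starts with "attr=".
// Not full RFC 4514 parsing; good enough to reject the empty value seen here.
function isUsableDn(dn) {
  if (typeof dn !== "string") return false;
  var trimmed = dn.trim();
  if (trimmed === "" || trimmed.toUpperCase() === "NULL") return false;
  return /^[A-Za-z][\w-]*=/.test(trimmed);
}

// Hypothetical script entry point: DN unchanged if usable, else the marker.
function guardUserDn(dn) {
  return isUsableDn(dn) ? dn.trim() : SKIP_MARKER;
}

// Models the failure from the thread: the task replaces the group's member
// attribute with whatever DN it was given, so an empty DN replaces the
// whole membership with nothing.
function unguardedRemoveMember(members, dn) {
  if (!isUsableDn(dn)) return [];            // observed behaviour: group emptied
  var target = dn.trim().toLowerCase();
  return members.filter(function (m) { return m.toLowerCase() !== target; });
}

// Guarded version: unusable DN means skip and keep the membership as-is.
function guardedRemoveMember(members, dn) {
  var checked = guardUserDn(dn);
  if (checked === SKIP_MARKER) {
    return { skipped: true, members: members.slice() };
  }
  var target = checked.toLowerCase();
  return {
    skipped: false,
    members: members.filter(function (m) { return m.toLowerCase() !== target; })
  };
}

// Constructed sample group for a stand-alone run.
var SAMPLE_GROUP = [
  "CN=Alice Example,OU=Users,DC=corp,DC=example",
  "CN=Bob Example,OU=Users,DC=corp,DC=example"
];
console.log(unguardedRemoveMember(SAMPLE_GROUP, null).length);         // 0
console.log(guardedRemoveMember(SAMPLE_GROUP, null).members.length);   // 2
```

In a real deployment the `skipped` result is where the notification or dummy-value handling Matt mentions would go, and the LDAP modify is only issued on the non-skipped path.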