LDAP Import - Archive users who are disabled in AD

Our LDAP Import process for creation of Basic users has been running for a number of years, where we only excluded users who were already disabled.

(&(objectCategory=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

We are now setting up a further import process to set the account status to 'Archived' where an AD account is disabled, in order to automate the process. However, the import tool seems to be having two issues:

(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))
  • It tries to create the user if it did not already exist, i.e. was disabled many years ago.
  • Fails to update existing user to archived as currently active. Error: User already exists with account status: active

Cheers

Martyn


Following this with interest in case there appears to be a better way to manage archived users discussed on here. 

Currently all archived users in AD on our side are moved to an Archived OU as part of the leavers process, with an x in front of their email addresses. 

We populate the description field with the month they were archived and manually delete them after a few months by checking that description field regularly. 


Hi Martyn,

Thanks for your post.

In relation to the two points you mention:

1) The utility tries to create the user if it did not already exist, i.e. was disabled many years ago.
This is one of the principles that all of Hornbill's user import tools operate on. If the import does not find a matching user id, it believes the user does not exist and so will create it. Therefore, with an import configuration intended to manage the archiving of users, there will be a certain amount of redundant accounts imported the first time it's run. Perhaps there's an opportunity to refine your LDAP filter criteria to only focus on more recently disabled user objects?


2) Fails to update existing user to archived as currently active. Error: "User already exists with account status: active"
I would double check that the status is indeed set to "archived" and ensure the action is set to "Create and Update".

On a general note, is there a reason why you maintain disabled user objects in your AD long term?

I hope that helps.
Dan


@DanielRi

Thanks for the response. In terms of why we maintain disabled user objects in our AD long term, it is just one of our IT Team's policies, which we do not have control over.

In terms of point one and filtering more recently disabled user objects, it looks like I can use the 'whenChanged' property to filter some of them out.

(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2)(whenChanged>=20160101000000.0Z))

In terms of it failing to update an existing user, the action is set to 'Only Update' value 'Archived'. Why does the action need to be 'Create and Update', and what is the difference between the two update types in this context?

Cheers

Martyn
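The three LDAP filters in this thread (the original active-user import, the disabled-user archive import, and the version with the whenChanged cut-off) rely on the AD bitwise-AND matching rule 1.2.840.113556.1.4.803 against bit 2 (ACCOUNTDISABLE) of userAccountControl and on GeneralizedTime comparison. The following is an added example, not code from the thread or from Hornbill's import tool: it reproduces those filter semantics in Python over constructed sample entries so you can see which accounts each filter would select before pointing the import at a live directory. The objectCategory clause is assumed to be satisfied by every sample entry and is not modelled.

```python
from datetime import datetime, timezone

# Bit 0x2 of userAccountControl is ACCOUNTDISABLE. The clause
# (userAccountControl:1.2.840.113556.1.4.803:=2) asks AD to apply the
# LDAP_MATCHING_RULE_BIT_AND rule, i.e. "every bit of the mask is set".
ACCOUNTDISABLE = 0x2

def bit_and_rule(attr_value: int, mask: int) -> bool:
    """Semantics of matching rule 1.2.840.113556.1.4.803 (bitwise AND)."""
    return (attr_value & mask) == mask

def parse_generalized_time(value: str) -> datetime:
    """Parse an AD GeneralizedTime such as 20160101000000.0Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)

def active_user_filter(entry) -> bool:
    # (&(objectCategory=User)(!(userAccountControl:...:=2))) -- the original Basic user import
    return not bit_and_rule(entry["userAccountControl"], ACCOUNTDISABLE)

def disabled_user_filter(entry) -> bool:
    # (&(objectCategory=User)(userAccountControl:...:=2)) -- the archive import
    return bit_and_rule(entry["userAccountControl"], ACCOUNTDISABLE)

def recently_disabled_filter(entry, cutoff="20160101000000.0Z") -> bool:
    # Adds (whenChanged>=20160101000000.0Z) so accounts disabled years ago are skipped
    return disabled_user_filter(entry) and (
        parse_generalized_time(entry["whenChanged"]) >= parse_generalized_time(cutoff))

def select(entries, predicate):
    """Return the sorted sAMAccountNames an LDAP filter (predicate) would match."""
    return sorted(e["sAMAccountName"] for e in entries if predicate(e))

# Constructed sample directory entries; these are not real accounts.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512,   "whenChanged": "20190520101500.0Z"},  # NORMAL_ACCOUNT
    {"sAMAccountName": "bob",   "userAccountControl": 514,   "whenChanged": "20190102090000.0Z"},  # disabled recently
    {"sAMAccountName": "carol", "userAccountControl": 514,   "whenChanged": "20120301120000.0Z"},  # disabled in 2012
    {"sAMAccountName": "dave",  "userAccountControl": 66050, "whenChanged": "20180715080000.0Z"},  # disabled + DONT_EXPIRE_PASSWD
]

if __name__ == "__main__":
    for label, pred in [("active", active_user_filter),
                        ("disabled", disabled_user_filter),
                        ("recently disabled", recently_disabled_filter)]:
        print(f"{label}: {select(SAMPLE_ENTRIES, pred)}")
```

Note that dave is matched even though other flag bits are set, which is why the bitwise rule is used instead of an equality test such as userAccountControl=514.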


Due to how the imports operate, there will be users created on the first run of this configuration. This means that we need to cover for that scenario and ensure the status is set on creation of a user (as well as on update of any existing user). Upon creation of a user, I believe the default status will be "active".


@DanielRi

I have updated the action to Create and Update for the status action.

It looks like the LDAP Import process only pre-loads 'Active' user accounts, so it then attempts to create accounts for accounts which are already present in either the 'Archived' or 'Suspended' state.

User Create: taxxxxx.xxxxxkh
2019/05/28 14:10:56 [ERROR] Unable to Create User: taxxxxx.xxxxxkh Error: User already exists with account status: suspended

Perhaps the issue is that the tool should pre-load all accounts?

Cheers

Martyn


Thanks for the clarification. I'm not entirely convinced (yet) that the "Failed to Create User..." error is related to the failure to set the account status. I believe that where the utility is concerned, the creation of the user account and the setting of the status are separate actions (if you inspect the userCreate method call, account status does not feature in its inputs - https://api.hornbill.com/docs/admin/?op=userCreate). First the utility will create the account via "userCreate", and then make additional method calls (such as userProfileSet, userSetAccountStatus, etc.) to complete the exercise.

The question is, is it trying the "userCreate" blindly, rather than checking for an existing user id first, and then moving onto the additional calls after as normal, or not bothering with the additional calls at all?

Anyway, that aspect may be worth raising with Hornbill Support but before heading in that direction, are you able to confirm the version of the utility you're currently using? A few bells began to ring while typing the above (but now I've written it I'll leave it be :) ), and just checking the release notes I can see that prior to version 3.03, the user account status section was completely ignored when processing a user account. Versions of 3.03 or later have the fix.

Thanks,
Dan


@DanielRi

We are currently running V3.1.5 of the LDAP utility.

We do have another issue which is with Hornbill Support which relates to the password policy and the auto password generator, but this gives a different Create User error when the user does not exist at all, so I was presuming that was different. I have a workaround for the latter, so will see if this has any effect on this one.

Cheers

Martyn


@DanielRi

Though it did not seem to report in the log, it appears the issue was with the default page size of 500 on the 'Advanced Options' tab.

Setting this down to 100 allowed the process to run, and it no longer attempted to create accounts that already existed.

I will monitor its operation over the next week or so.

Cheers

Martyn
