
Group Memberships not being added in Active Directory (v7.0 SP1)

We are importing users from the HR system and creating a new Person record. Once created, we assign birthright group membership using business roles. Identity Manager shows the user has the groups, but when I check in Active Directory Users and Computers the user only has Domain Admin Users.

We have group memberships assigned based on the IT Data for Department, and those groups are being projected correctly to AD. It looks like the issue is only with group memberships from business roles.

This functionality was working perfectly and stopped working without major changes in our environment. The only change we recall before we noticed the issue was this: https://documents.software.dell.com/identity-manager/7.0.1/one-identity-manager-connector-user-guide/setting-up-synchronization-with-the-one-identity-manager-connector/configuring-memberships-provisioning . This was applied because Identity Manager was removing users from groups.

All the users have the "Groups can be inherited" flag set.

I also created a new business role for testing, and for that role propagating group membership to AD worked fine, but after a couple of days this new business role stopped working like the other business roles.

  • It seems that memberships are not published to Active Directory. Something might be blocking the mechanism, as everything was working before. Please check whether the jobs ADS_ADSGroup_Update are generated. What is the status of these jobs? Secondly, check whether the missing memberships are to be found in the table DPRMemberShipAction. In general, if the JobQueue and DBQueue are empty, there should be no entries in DPRMemberShipAction.
  • I can see the ADS_ADSGroup_Update process running, but nothing happens. I do have other Department IT Data, and the group assignment works well there, but not for business roles.

    I have over 1000 entries in DPRMemberShipAction, which indicates something is stopping it. I didn't find a way to wake them up through any methods or events.
  • You are running into Bug 25475, which is fixed in version 7.0.2. Please update your installation or deactivate IsAdHocSingleMemberShip for the table.

  • We upgraded to 7.0.2 and I still have the issue. The DPRMemberShipAction table still has over 1000 entries.
  • Now all new memberships should be published correctly to AD.
    To get the existing 1000-plus entries published to AD you need to fire an update operation for the groups. The following statement finds the groups referenced in DPRMemberShipAction and updates XDateSubItem for these groups. This triggers the update job.
    -- parameter list handed to the job creation procedure
    declare @y as qbm_YParameterList
    -- create an ADSGroup update job for every group that still has a pending entry in DPRMemberShipAction;
    -- bumping XDateSubItem is what makes the ADS_ADSGroup_Update process fire for those groups
    exec QBM_PJobCreate_HOUpdate 'ADSGroup','XObjectKey in (select ObjectKeyBase from DPRMemberShipAction)','123',@y, @p1='XDateSubItem', @v1='2017-01-13 09:39:53.347', @isToFreezeOnError=1
    There might also be other types of objects in DPRMemberShipAction than ADSGroups. For those objects, please modify the statement.
  • I ran it and it only processed a small number (24) of the now over 3000 entries.
  • After running it for that small number, I got an error: [810029] Object of type Active Directory user accounts does not exist in database or you do not have the relevant viewing permissions.

    I did notice that some groups no longer exist in AD, and that might be the reason for the failure, but I still see the entries in the DPRMembershipAction table.

    I got the same error, [810029] Object of type Active Directory user accounts does not exist in database or you do not have the relevant viewing permissions, but the AD group exists in AD.
  • The error is saying that the Active Directory user account does not exist. The job is trying to process the ObjectKeyMember of the DPRMembershipAction entry. In this case it points to an ADSAccount that no longer exists, or there are not enough rights.

    The statement processes only those entries from DPRMembershipAction where ObjectKeyBase is an ADSGroup that still exists in the database. For the other object types the statement needs to be modified. The statement is meant to help get the memberships published that were not published in 7.0.1 because of the bug.
    Cleaning up entries that are no longer valid is taken care of by the process DPR_MemberShipActions_RemoveOrphanedEntries. It removes all records from DPRMembershipAction that have no corresponding job in the JobQueue and are older than 10 minutes. By default this process runs once a day, started by the daily maintenance tasks.
  • We just got some new hires and we can see entries in DPRMembershipAction. Identity Manager shows that the user should have 10 groups, but we validated in AD and the user only has 2 (the groups assigned through department IT Data).

    We ran the stored procedure and the daily maintenance task, but nothing seems to happen. We reviewed the Job Queue and there are no errors. We will keep researching to find out. Any clue is appreciated.
  • The DPRMemberShipAction table should be empty after all the jobs have been processed correctly. When there are still entries in the table, this is an indication that something went wrong. These entries should be handled carefully. The first thing to do is to check the jobs and why they are failing; if there are no failing jobs, you are most likely still running the 7.0.1 system.
    My suggestion is to run the statement posted in this thread to generate the jobs again, then analyze what happens to these jobs. There will be one job per unique ADSGroup in DPRMemberShipAction.ObjectKeyBase.
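The thread leaves two diagnostic questions open before anyone re-fires the update: which object types are actually sitting in DPRMemberShipAction (the posted statement covers ADSGroup only), and which pending entries reference a group or account that no longer exists in the database (the [810029] case, which re-firing will never clear). The following T-SQL is an added example, not part of the thread and not One Identity's own code. It assumes the columns named in the thread (DPRMemberShipAction.ObjectKeyBase and ObjectKeyMember, ADSGroup.XObjectKey, ADSAccount.XObjectKey) and assumes that an object key is formatted as '<Key><T>TableName</T><P>...</P></Key>', so the table name can be cut out between '<T>' and '</T>'; if your schema differs, adjust the key parsing.

```sql
-- Added diagnostic example for the stuck-membership situation in the thread.
-- Not from the thread and not One Identity code. Assumptions: column names
-- as used in the thread, and object keys shaped like
-- '<Key><T>ADSGroup</T><P>...</P></Key>' (the <T> element carries the table name).
-- Read-only: both statements are SELECTs; run them against the Identity Manager
-- database with an account that can at least read these four tables, since
-- [810029] can also mean a rights problem rather than a missing object.

-- 1. Pending actions per base object type.
--    Every type other than ADSGroup listed here needs its own
--    QBM_PJobCreate_HOUpdate call; the statement in the thread only
--    re-fires jobs for ADSGroup.
SELECT
    k.BaseType,
    COUNT(*) AS PendingActions
FROM DPRMemberShipAction AS a
CROSS APPLY (
    SELECT SUBSTRING(
               a.ObjectKeyBase,
               CHARINDEX('<T>', a.ObjectKeyBase) + 3,
               CHARINDEX('</T>', a.ObjectKeyBase) - CHARINDEX('<T>', a.ObjectKeyBase) - 3
           ) AS BaseType
) AS k
GROUP BY k.BaseType
ORDER BY PendingActions DESC;

-- 2. ADSGroup -> ADSAccount actions that can no longer be published because
--    the group or the member account is gone from the database.
--    These are the rows behind the [810029] error in the thread; re-firing
--    the update job does nothing for them, so leave them to the daily
--    DPR_MemberShipActions_RemoveOrphanedEntries process (or clean them up
--    deliberately) instead of re-running the update statement repeatedly.
SELECT
    a.ObjectKeyBase,
    a.ObjectKeyMember,
    CASE
        WHEN g.XObjectKey IS NULL THEN 'group missing in database'
        WHEN m.XObjectKey IS NULL THEN 'member account missing in database'
    END AS Diagnosis
FROM DPRMemberShipAction AS a
LEFT JOIN ADSGroup   AS g ON g.XObjectKey = a.ObjectKeyBase
LEFT JOIN ADSAccount AS m ON m.XObjectKey = a.ObjectKeyMember
WHERE a.ObjectKeyBase   LIKE '%<T>ADSGroup</T>%'
  AND a.ObjectKeyMember LIKE '%<T>ADSAccount</T>%'
  AND (g.XObjectKey IS NULL OR m.XObjectKey IS NULL)
ORDER BY a.ObjectKeyBase;
```

Run the first query before the update statement from the thread: if it shows only ADSGroup rows, the posted statement covers everything; if it shows other types, those need separate jobs. Run the second query after the update jobs have finished: whatever it still lists cannot be fixed by re-firing jobs and explains why the table does not drain to zero. Members that are themselves groups (nested membership) are deliberately excluded by the ADSAccount filter; widen the second LEFT JOIN if you need to check those too.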