Synchronization of AD User and AD Groups

Hi,

I got a problem while synchronizing from OIM into Active Directory.

We have a domain with different customers in it. At this time we only manage one customer with OIM.

There are some Active Directory groups which are shared between the customers.

In the Manager application I can see that in some of those AD groups "Active Directory SIDs" and the identities from OIM are displayed.

Every time I synchronize from OIM to AD, the OIM Jobserver tries to add these "Active Directory SIDs" again as members of the group, although they are already in it.

Is there any way that these unmanaged AD accounts are ignored by the synchronization?

Thanks for your help

  • Hi Marcel,

    What version are you running?

    The "Active Directory SIDs" will appear when the objects themselves have not been synced. This is expected.

    Are you saying they're removed in 1IM but the sync from AD brings them back? 1IM would not push the members back unless they were removed in the target system. It really depends on your configuration.

    Are you being affected by merging? support.oneidentity.com/.../group-membership-overwritten-in-target-system

    Trevor
  • Hi Trevor,

    No, the "Active Directory SIDs" have never been synchronized with 1IM. But 1IM will add them again as direct members to the synchronized Active Directory group while synchronizing to the Active Directory.

    Is it possible to prohibit this action?

    Best regards

    Marcel

  • Hi Marcel,

    The members reside in the groups in AD and the synchronization from AD to 1IM pulls them in.

    1IM doesn't know these users are "unmanaged" in any way until you tell it so.

    So in this case you need to filter those accounts (members) in some way so that they are not brought in by a sync. Easier said than done I think.

    Trevor

  • Hi Trevor,

    I am filtering in the synchronization job only users with the AD attribute "Employeeid" filled with "OI%". None of the SID objects have this attribute filled.

    We are tracking changes in Active Directory with "ChangeAuditor" and we can see on every sync that the domain controllers get flooded with failed actions. That's because the assignment of SID objects to 1IM groups already exists in AD.

    I have no idea why 1IM wants to add these SID objects again to these groups.

    Does anyone else have an idea?

    Best regards

    Marcel

  • Hi Marcel,

    Again, I'm confused. By default a sync is from the target, AD, to 1IM. That direction. If Change Auditor is seeing changes then that would be due to provisioning jobs, i.e. 1IM to the target. Is your sync configured to use a provisioning workflow?

    Any filtering would have to be for the group objects, not users, even though you don't want the sync to bring those users in. But as they still exist in those groups in AD, 1IM marks them as "Active Directory SIDs" and creates table entries for those, ADSOtherSIDInADSGroup.

    But based on the description of the issue I think opening a service request with Support would be a good idea so we could take a look at the sync project and your logs, to get a better understanding of what's going on and how to remediate the issue.

    Trevor
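An added example, not written by any participant in this thread, for auditing the situation Marcel describes: it lists members of the groups in the 1IM sync scope whose employeeID does not match the "OI*" filter used in the synchronization job, i.e. the accounts 1IM can only record as "Active Directory SIDs" (the ADSOtherSIDInADSGroup entries Trevor mentions). The group DN, the domain and the filter pattern are placeholders, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread. Lists group members that fall outside the
# 1IM sync filter (employeeID like "OI*"). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholders: the groups the 1IM sync project manages, and the filter pattern
# from the synchronization job ("OI%" in the job, "OI*" for PowerShell -like).
$managedGroups = @('CN=Shared-App-Users,OU=Groups,DC=example,DC=com')
$scopePattern  = 'OI*'

function Get-OutOfScopeMembers {
    param([string]$GroupDn, [string]$Pattern)
    # Read the member attribute directly rather than using Get-ADGroupMember,
    # which errors on foreign security principals and some cross-domain members.
    $group = Get-ADGroup -Identity $GroupDn -Properties member
    foreach ($dn in $group.member) {
        try {
            $m = Get-ADObject -Identity $dn -Properties objectClass, objectSid, employeeID -ErrorAction Stop
        } catch {
            # Members homed in another domain need -Server <that domain>; report them unresolved.
            [pscustomobject]@{ Group = $group.Name; Member = $dn; SID = $null; Reason = 'could not resolve (other domain?)' }
            continue
        }
        $reason = $null
        if ($m.objectClass -ne 'user') {
            $reason = "object class '$($m.objectClass)', not a user"
        } elseif ([string]::IsNullOrEmpty($m.employeeID)) {
            $reason = 'employeeID empty'
        } elseif ($m.employeeID -notlike $Pattern) {
            $reason = "employeeID '$($m.employeeID)' outside filter"
        }
        if ($reason) {
            [pscustomobject]@{
                Group  = $group.Name
                Member = $dn
                SID    = $m.objectSid.Value
                Reason = $reason
            }
        }
    }
}

$report = foreach ($g in $managedGroups) {
    Get-OutOfScopeMembers -GroupDn $g -Pattern $scopePattern
}
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\out-of-scope-members.csv
```

The resulting list is the set of accounts a provisioning run would attempt to add again, which is useful to attach to a service request alongside the sync logs.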