
Re: IDM 3.6/W2K8 AD - group member sync issue

On 14.08.2012 22:46, ambradley wrote:
> We've got a problem, unsure how it happened, where group members in eDir
> and AD do not match on at least a few of the >1,000 groups. It is a
> seemingly impossible task to verify whether the group members match
> because group membership is stored by CN in both, but CNs don't match in
> the two systems (CN in eDir matches sAMAccountName but not cn, which is
> in a "Last, First@DEPT" format).
> The AD forest and domain functional level are Windows 2008 so it does
> delta group member adds and deletes. I tried exporting then deleting and
> adding (changetype: modify, replace: member) all members from a group in
> eDir that I knew had at least one mismatch, but when the event syncs via
> IDM and it attempts to remove a user that isn't in the group in AD, it
> throws an LDAP_UNWILLING_TO_PERFORM error and none of the users get
> deleted.
> I'd almost prefer to have the W2K3 style of group member updates so
> that it removes, then re-adds all members. Is it OK for me to change the
> AD functional level in the driver, remove and re-add all group members,
> then change it back? Or, does anyone have a more elegant solution?
> Another possible solution that just came to mind is to massage the eDir
> LDIF export of group members into a separate LDIF entry for each member
> of each group - remove each group member one by one, let it error on the
> members not in the AD group, then add all the members back to the
> groups. What do you think?

Why not try adding a policy (in your output transform, I guess) that
breaks out each group membership add or remove operation into a separate
modify operation? Then try to resync the affected groups twice, ignoring
any errors the first time.
Alex McHugh - Knowledge Partner - Stavanger, Norway
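The splitting idea from the reply and the OP's LDIF idea, as an added example that is not from the thread: one LDAP modify per member (so a member that is absent in AD only fails its own delete instead of aborting the whole modify), plus a two-pass apply against a simulated AD that records errors on the first pass and is clean on the second. The group DN, member DNs and the AD error names are constructed assumptions.

```python
"""Split one 'replace: member' LDIF change into per-member modify operations."""
import re

# Constructed sample: eDir LDIF export of one group, CN-based member DNs.
SAMPLE_LDIF = """\
dn: cn=Finance,ou=groups,o=acme
changetype: modify
replace: member
member: cn=jsmith,ou=users,o=acme
member: cn=adoe,ou=users,o=acme
-
"""

def split_member_replace(ldif: str) -> list:
    """Return (dn, op, member) triples: one delete per member, then one add per member,
    so each value becomes its own modify instead of one all-or-nothing replace."""
    dn = re.search(r"^dn:\s*(.+)$", ldif, re.M).group(1).strip()
    members = re.findall(r"^member:\s*(.+)$", ldif, re.M)
    return [(dn, "delete", m) for m in members] + [(dn, "add", m) for m in members]

def to_ldif(ops) -> str:
    """Render the split operations as separate LDIF modify records (the OP's 'massaged' export)."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\n{op}: member\nmember: {m}\n-\n"
                     for dn, op, m in ops)

def apply_ops(ops, ad_groups: dict) -> list:
    """Apply per-member modifies to a simulated AD group table and return the failures.
    Simulated AD behaviour (assumption): deleting a value that is not present fails with
    unwillingToPerform; adding a value that is already present fails with
    attributeOrValueExists. Every modify is independent, so processing continues."""
    failures = []
    for dn, op, member in ops:
        current = ad_groups.setdefault(dn, set())
        if op == "delete" and member not in current:
            failures.append(f"delete {member}: unwillingToPerform")
        elif op == "add" and member in current:
            failures.append(f"add {member}: attributeOrValueExists")
        elif op == "delete":
            current.discard(member)
        else:
            current.add(member)
    return failures

def resync_twice(ldif: str, ad_groups: dict) -> tuple:
    """Two passes as suggested above: first pass errors are only recorded, second pass should be clean."""
    ops = split_member_replace(ldif)
    return apply_ops(ops, ad_groups), apply_ops(ops, ad_groups)

if __name__ == "__main__":
    # Constructed mismatch: jsmith is in the eDir group but missing from the AD group.
    ad = {"cn=Finance,ou=groups,o=acme": {"cn=adoe,ou=users,o=acme"}}
    print(resync_twice(SAMPLE_LDIF, ad))
```

Members that exist only in the AD group are never touched by this split, since the export lists eDir members only.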