• Locked Locked
  • Replies 16 replies
  • Subscribers 97 subscribers
  • Views 15137 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to sync changes made in IM to AD

Andrea
over 7 years ago

Hello,

We are facing a weird issue whose scenario is the following: we have successfully synchronized both HR database and Active Directory, we have both Persons and ADSAccounts in our Manager UI and we are now trying to made some modifications in 1IM that we would like to propagate into the Active Directory target system.

We took a test user in the Manager (the ADSAccount object) and we have manually assigned some AD groups to that user but, when we execute the synchronization workflow (from 1IM to AD), the modifications made in the Manager are ignored and the account on AD doesn’t get the new groups. The same behavior happens if we try to remove a user from a group in the Manager: after the workflow execution, no groups is removed from the user.

A different thing happens when we make modifications to the account on Active Directory side: if we remove or add a group to a user and we execute the workflow, the removed group is added again to the user while the added group is removed and so the user is reverted back to their original state. This second behavior is perfectly fine to me since I want IM as the master of the operations but I believe that there is something wrong with my sync project.

After the execution of the sync workflow (that it's using the defaults steps and mappings for users and group) i have the following messages in the execution log:

Information The object (Group_A) of type (ADSGroup) was ignored during synchonization.
Reason: The object has pending M:N provisioning tasks.
Information The object (Group_B) of type (ADSGroup) was ignored during synchonization.
Reason: The object has pending M:N provisioning tasks.

Furthermore there are 2 items in the DPRMemberShipActions that refers to the previous object of type groups:

Add member <Key><T>ADSAccountInADSGroup</T><P>1cec0769-dc41-4685-ade9-a7303e460c3d</P><P>bbf22027-cb22-4138-81fd-2ffa4793b219</P></Key>
Remove member <Key><T>ADSAccountInADSGroup</T><P>1cec0769-dc41-4685-ade9-a7303e460c3d</P><P>a0ef7c75-de33-406e-b2ff-4029fa7481bb</P></Key>

I verified the UID on the IM database and they are exactly my test objects.

Can anyone give some clue?

Thanks in advance,
Andrea

Parents
  • over 7 years ago
    I believe I know what is happening here. There is no provisioning job within the Synchronization Editor, this explains why the ADSGroup_Update jobs never generate. Was this a read only connection at one time and then changed to read/write? If I remove my provisioning job from within Synchronization Editor and then go into Designer and look at "Process Orchestration" -> "Provisioning process operations - this would be empty if I have no read/write sync project setup within Synchronization editor. Can you please open the Synchronization Editor and load the Active Directory sync project. Once opened please click on Workflows and let me know if you see a provisioning job listed if not this is the reason why it is not working.
Reply
  • over 7 years ago
    I believe I know what is happening here. There is no provisioning job within the Synchronization Editor, this explains why the ADSGroup_Update jobs never generate. Was this a read only connection at one time and then changed to read/write? If I remove my provisioning job from within Synchronization Editor and then go into Designer and look at "Process Orchestration" -> "Provisioning process operations - this would be empty if I have no read/write sync project setup within Synchronization editor. Can you please open the Synchronization Editor and load the Active Directory sync project. Once opened please click on Workflows and let me know if you see a provisioning job listed if not this is the reason why it is not working.
Children
No Data