
Unable to sync changes made in IM to AD

Hello,

We are facing a weird issue; the scenario is the following: we have successfully synchronized both the HR database and Active Directory, we have both Persons and ADSAccounts in our Manager UI, and we are now trying to make some modifications in 1IM that we would like to propagate into the Active Directory target system.

We took a test user in the Manager (the ADSAccount object) and manually assigned some AD groups to that user but, when we execute the synchronization workflow (from 1IM to AD), the modifications made in the Manager are ignored and the account in AD doesn't get the new groups. The same behavior happens if we try to remove a user from a group in the Manager: after the workflow execution, no group is removed from the user.

A different thing happens when we make modifications to the account on the Active Directory side: if we remove or add a group to a user and execute the workflow, the removed group is added again to the user while the added group is removed, and so the user is reverted back to their original state. This second behavior is perfectly fine by me, since I want IM to be the master of the operations, but I believe that there is something wrong with my sync project.

After the execution of the sync workflow (which uses the default steps and mappings for users and groups) I have the following messages in the execution log:

Information The object (Group_A) of type (ADSGroup) was ignored during synchronization.
Reason: The object has pending M:N provisioning tasks.
Information The object (Group_B) of type (ADSGroup) was ignored during synchronization.
Reason: The object has pending M:N provisioning tasks.

Furthermore, there are 2 items in the DPRMemberShipActions that refer to the previous objects of type group:

Add member <Key><T>ADSAccountInADSGroup</T><P>1cec0769-dc41-4685-ade9-a7303e460c3d</P><P>bbf22027-cb22-4138-81fd-2ffa4793b219</P></Key>
Remove member <Key><T>ADSAccountInADSGroup</T><P>1cec0769-dc41-4685-ade9-a7303e460c3d</P><P>a0ef7c75-de33-406e-b2ff-4029fa7481bb</P></Key>

I verified the UIDs in the IM database and they are exactly my test objects.

Can anyone give me a clue?

Thanks in advance,
Andrea
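The two DPRMemberShipAction entries above carry their target as an XML object key, `<Key><T>table</T><P>uid</P>...</Key>`, and checking them by eye against the "ignored" groups in the log is error-prone. The following is an added example, not code from the thread or from One Identity Manager: it parses that key format (the layout is taken from the two entries quoted in the post), rejects malformed keys, and separates the UID shared by all pending actions from the ones that differ between them. The helper names are hypothetical. Since the post says both actions concern the same test user, the shared component is that user's ADSAccount and the differing ones are the groups; the code makes no assumption about the order of the key columns.

```python
"""Parse the <Key> object keys that One Identity Manager writes for pending
M:N provisioning tasks, so the UIDs can be checked against the objects
reported as ignored in the synchronization log.  Added example, hypothetical
helper names; the key layout follows the two entries quoted in the post."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ACTION_RE = re.compile(r"^(Add|Remove) member\s+(<Key>.*</Key>)\s*$")


@dataclass(frozen=True)
class MembershipAction:
    operation: str    # "Add" or "Remove"
    table: str        # M:N table the key points at, e.g. ADSAccountInADSGroup
    key_parts: tuple  # primary-key values, in the order they appear in the key


def parse_object_key(xml_text):
    """Return (table, key_parts) from a <Key> element, rejecting malformed keys."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "Key":
        raise ValueError(f"expected <Key>, got <{root.tag}>")
    table = root.findtext("T")
    if not table:
        raise ValueError("missing <T> (table name)")
    parts = tuple((p.text or "").strip() for p in root.findall("P"))
    if not parts:
        raise ValueError("missing <P> (primary-key values)")
    bad = [p for p in parts if not GUID_RE.match(p)]
    if bad:
        raise ValueError(f"non-GUID key component(s): {bad}")
    return table, parts


def parse_action_line(line):
    """Parse one 'Add member <Key>...' or 'Remove member <Key>...' line."""
    m = ACTION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised action line: {line!r}")
    table, parts = parse_object_key(m.group(2))
    return MembershipAction(m.group(1), table, parts)


def split_shared_and_varying(actions):
    """Return (shared, varying): UIDs present in every key versus UIDs that
    differ between keys.  When all actions are on one M:N table and concern
    one account, 'shared' is that account and 'varying' are the groups."""
    tables = {a.table for a in actions}
    if len(tables) != 1:
        raise ValueError(f"actions span several tables: {sorted(tables)}")
    counts = Counter(uid for a in actions for uid in set(a.key_parts))
    shared = {uid for uid, n in counts.items() if n == len(actions)}
    varying = {uid for uid, n in counts.items() if n < len(actions)}
    return shared, varying


# Constructed sample input: the two DPRMemberShipAction entries quoted in the post.
SAMPLE_ACTIONS = [
    "Add member <Key><T>ADSAccountInADSGroup</T><P>1cec0769-dc41-4685-ade9-a7303e460c3d</P><P>bbf22027-cb22-4138-81fd-2ffa4793b219</P></Key>",
    "Remove member <Key><T>ADSAccountInADSGroup</T><P>1cec0769-dc41-4685-ade9-a7303e460c3d</P><P>a0ef7c75-de33-406e-b2ff-4029fa7481bb</P></Key>",
]


def summarize(lines=SAMPLE_ACTIONS):
    """Parse all action lines and split their key components."""
    actions = [parse_action_line(line) for line in lines]
    shared, varying = split_shared_and_varying(actions)
    return actions, shared, varying


if __name__ == "__main__":
    actions, shared, varying = summarize()
    for a in actions:
        print(a.operation, a.table, *a.key_parts)
    print("shared (account) UID(s):", sorted(shared))
    print("varying (group) UID(s): ", sorted(varying))
```

The UIDs printed under "varying" are the ones to look up as ADSGroup objects and compare with the group names the log reports as ignored; if every pending action resolves to a group that the log skips, the two symptoms have the same cause.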

  • Sorry Stefan, I didn't see your post; while I was replying to Andrea my post ended with an error, and by the time it finally posted I noticed your response. Sorry about that.
  • All good :) Especially since my post is missing the "ConnectTargetReadOnly" hint. You are right, if the project was originally created with this setting, those "provisioning objects" are not created.
  • Well, I think you've found the problem: I compared two 1IM installations, the customer one with the one in my LAB, and in the LAB environment (where everything is working as expected) the list is populated and processes are correctly executed.

    The AD Sync project has been created with the wizard, no transported projects are involved: I can recreate the project from scratch, it isn't a big deal for me.

    Will the operations get recreated automatically with a new sync project? I noticed that I can even copy/paste processes one by one from the lab environment to the customer, but I could also consider a full reinstallation since there aren't many things configured right now, apart from the connectors in SyncEditor.
  • If you re-create the project using the wizard in the synchronization editor, those objects are created automatically (unless you choose "connect target read-only", as Troy pointed out).
  • In the AD project of the Sync Editor there are 4 workflows: Initial Synchronization and 3 other custom workflows that I've created for test purposes.
  • If there was only one OOTB workflow created initially, then it is very likely that you selected "read only" last time. Read Only causes that: 1. the provisioning operations are not created and 2. the workflow "Provisioning" is absent. AD also creates a 3rd one to publish a person's photo to AD (if you like).


    edit: the read only setting referred to: