removing cross-domain AD memberships

We are observing a strange behavior with the AD provisioning in 7.1.3, that might be a basic configuration issue.

We have different AD domains configured via variable sets in the same sync project.
We can add users and computers to AD groups of different realms, however, we cannot remove them.

From IM point of view, the memberships have been removed just fine. The provisioning logs state that the action for the AD group has been successful for Update vrtMembersSID with a minus (-) and the SID of the object to be removed, as expected. The problem is that the membership in question still remains in AD, although it was "successfully" deprovisioned.

I understand there are some implications when dealing with cross-domain memberships that need to be taken into account. I assumed that the AD connector handles these things. Did we miss something? It is particularly strange that we can ADD but not REMOVE such memberships. Is there a way to enable more detailed provisioning logs?

  • We are currently experiencing the same behaviour in version 8.0.2

    AD cross domain membership added successfully. Deleting this membership gives no error in Synchronization log, no error in jobservice log, but gives the following errors in StdioProcessor.log

    2019-06-25 09:40:39.1026 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing object was tolerated because the object is a system object and cannot be changed.
    2019-06-25 09:40:39.1026 ERROR (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   The server is unwilling to process the request.
    2019-06-25 09:40:39.1026 WARN (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Object not committed successfully. Retrying using single property commit.
    2019-06-25 09:40:39.1182 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing object was tolerated because the object is a system object and cannot be changed.
    2019-06-25 09:40:39.1182 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing property vrtMembersAllDn was tolerated because the value to delete is already included.

  • I have stumbled upon the following support article:

    https://support.oneidentity.com/de-de/kb/263513/users-are-not-removed-from-universal-groups-by-identity-manager

    However, we cannot apply this hotfix in our version. Maybe it helps in your case.
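As an added example (not from this thread or from One Identity's product), a small Python scanner over a StdioProcessor.log excerpt like the one quoted above: it flags connector sessions where a write error 80072035 was "tolerated" while the server also answered "unwilling to process", which is exactly the case where the synchronization log reports success but the membership is still present in AD. The sample log text and the two regexes are constructed from the quoted lines and are assumptions about the log format.

```python
import re
from collections import defaultdict

# Constructed sample: the StdioProcessor.log lines quoted in the reply above.
SAMPLE_LOG = """\
2019-06-25 09:40:39.1026 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing object was tolerated because the object is a system object and cannot be changed.
2019-06-25 09:40:39.1026 ERROR (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   The server is unwilling to process the request.
2019-06-25 09:40:39.1026 WARN (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Object not committed successfully. Retrying using single property commit.
2019-06-25 09:40:39.1182 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing object was tolerated because the object is a system object and cannot be changed.
2019-06-25 09:40:39.1182 INFO (SystemConnector d5c02f27-f796-47bd-97a5-97c88ddc15f8) :   Error 80072035 writing property vrtMembersAllDn was tolerated because the value to delete is already included.
"""

# Assumed line layout: "<date> <time> <LEVEL> (SystemConnector <guid>) :   <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) \(SystemConnector (?P<conn>[0-9a-f-]{36})\) :\s+(?P<msg>.*)$"
)
TOLERATED_RE = re.compile(
    r"Error (?P<code>[0-9A-Fa-f]{8}) writing (?P<target>object|property \S+) "
    r"was tolerated because (?P<reason>.*)\.$"
)

def find_tolerated_writes(log_text, error_code="80072035"):
    """Group lines by connector session and keep the sessions in which a write
    error was 'tolerated' AND the server reported 'unwilling to process':
    the change counted as a success upstream, but AD did not apply it."""
    sessions = defaultdict(lambda: {"tolerated": [], "unwilling": False, "retried": False})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore lines that are not connector messages
        s, msg = sessions[m["conn"]], m["msg"]
        t = TOLERATED_RE.search(msg)
        if t and t["code"].upper() == error_code.upper():
            s["tolerated"].append((m["ts"], t["target"], t["reason"]))
        elif "unwilling to process the request" in msg:
            s["unwilling"] = True
        elif "Retrying using single property commit" in msg:
            s["retried"] = True
    return {c: s for c, s in sessions.items() if s["tolerated"] and s["unwilling"]}

def suspicious_properties(findings):
    """Properties whose delete was only 'tolerated': the memberships to verify
    directly in AD before trusting the provisioning log's success status."""
    props = {t.split(" ", 1)[1] for s in findings.values()
             for _, t, _ in s["tolerated"] if t.startswith("property ")}
    return sorted(props)
```

Running `find_tolerated_writes` over the real log and then checking each property in `suspicious_properties` against the group in the target domain turns a silently skipped removal into an alert instead of a stale access right.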
