MIM Removing Users from Groups randomly?

  • Question

  • Hey all, 

    So, not entirely sure what happened - using the basic documented MIM AD and FIM Agents in Sync tool, followed up by the Inbound / Outbound Group Sync rules in portal. All of a sudden a few random users were removed from Groups and I am not sure why, or even where to look for a logical explanation. 

    MIM is getting all AD users inbound 

    MIM is getting a selected OU for Groups (other groups exist outside of this OU) 

    MIM Outbound rule is pointing to a specific OU to create Groups from the portal. 

    The groups get created in the Metaverse but don't show up in AD, but running it will remove some users from Groups that are not in this "specific OU" just in the "In Bound Groups OU" - 

    Any ideas? 

    Thanks! 

    Monday, December 10, 2018 6:13 PM

All replies

  • If membership of AD groups is being changed, the best place to start is to look at the event logs in AD directly and verify the AD MA service account is the problem vs. some other system account or user account making the change. You will have had to have audit account management enabled for Success events in order to capture that event on the domain controller. Assuming the AD MA service account was indeed to blame, you can run into what feels like random behavior if the attribute precedence for the member attribute of the group (sync engine - metaverse designer, group object, member attribute precedence) is incorrectly set and/or you are executing your run profiles out of order and have equal precedence set. I did a quick search and found this blog post that does a great job of explaining attribute precedence of the member attribute. There are other articles out there too that will help you understand attribute precedence. I hope it helps you.

    Best,

    Jeff Ingalls

    Friday, December 14, 2018 4:15 AM
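
The event-log check described in the reply above, sketched in PowerShell as an added example that is not part of the original thread. The service account name `svc-mim-adma`, the function name `ConvertFrom-GroupRemovalXml` and both sample events are constructed assumptions; the event IDs are the Windows Security log IDs for member removal from security-enabled groups.

```powershell
# Added example: account names, group names and the sample events are constructed.
$RemovalIds = 4729, 4733, 4757   # member removed from a global / domain local / universal security group
$MaAccount  = 'svc-mim-adma'     # assumption: sAMAccountName of the AD MA service account

function ConvertFrom-GroupRemovalXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $e = ([xml]$EventXml).Event
    $d = @{}
    foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }   # named event fields -> hashtable
    [pscustomobject]@{
        Time      = $e.System.TimeCreated.SystemTime
        EventId   = [int]$e.System.EventID
        Group     = $d['TargetUserName']     # group whose membership changed
        Member    = $d['MemberName']         # DN of the removed member
        ChangedBy = $d['SubjectUserName']    # account that made the change
        ByAdMa    = $d['SubjectUserName'] -eq $MaAccount
    }
}

# Constructed sample events, trimmed to the fields used. On a domain controller, replace with:
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $RemovalIds } |
#             ForEach-Object { $_.ToXml() }
$events = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4729</EventID><TimeCreated SystemTime="2018-12-10T17:02:11.000000Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=Test User,OU=Staff,DC=example,DC=com</Data>
    <Data Name="TargetUserName">Example-Group-A</Data>
    <Data Name="SubjectUserName">svc-mim-adma</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4757</EventID><TimeCreated SystemTime="2018-12-10T17:05:40.000000Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=Other User,OU=Staff,DC=example,DC=com</Data>
    <Data Name="TargetUserName">Example-Group-B</Data>
    <Data Name="SubjectUserName">helpdesk-admin</Data>
  </EventData>
</Event>
'@
)

$removals = $events | ForEach-Object { ConvertFrom-GroupRemovalXml $_ }
$removals | Sort-Object Time | Format-Table Time, Group, Member, ChangedBy, ByAdMa -AutoSize
# Removals by any other account mean the sync engine is not the only thing changing membership
$removals | Where-Object { -not $_.ByAdMa } | Group-Object ChangedBy | Select-Object Count, Name
```

Membership changes are logged on the domain controller that processed them, so the live query has to be run against each DC.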
  • OUs containing users also need to be in scope of MIM. Meaning, you need to select them in AD MA - Select Containers.

    Nosh Mernacaj, Identity Management Specialist

    Saturday, December 15, 2018 4:49 PM