Simple FIM Sync engine deprovisioning question

  • Question

  • Hi all

    I'm having trouble deprovisioning users after they have been deleted/filtered from the source AD.

    So this simple setup provisions users from Source AD into Destination AD; I only have 1 filter. Provisioning and updating works great, but when a user is deleted or the filtered attribute is removed from the Source AD, the user is not deleted in the destination AD.

    The user object is removed from the Destination AD's connector space and the metaverse, but not the destination AD's connector space and AD. The object remains at changes:ADD.

    I have set up Object deletion Rule: Delete metaverse object when any of the following management agent is disconnected (Selected the Source AD)

    and Destination AD MA Deprovisioning: Stage a delete on the next export to run.

    Is there something I have missed?

    Andre


    Monday, December 14, 2015 8:02 PM

All replies

  • How about the metaverse? Is the user deleted in the MV?

    I suspect the Delete metaverse object when any of the following management agent is disconnected is not working. Make sure you have the source AD checked.


    Nosh Mernacaj, Identity Management Specialist

    Monday, December 14, 2015 8:06 PM
  • Hi Nosh, yes, the object is removed from the MV, and I have tried to check both AD and only one AD in Object deletion rule.

    I have now deleted all the AD accounts in the destinationAD manually and run full sync schedule. It seems to have sorted some things out. But I will have to wait and see.


    Andre

    Monday, December 14, 2015 8:36 PM
  • Can you send me a screenshot of that deletion rule, please?

    Nosh Mernacaj, Identity Management Specialist


    Monday, December 14, 2015 8:58 PM

  • Andre


    Tuesday, December 15, 2015 7:55 AM
  • Looks right. 

    If you look someone up in AD Connector Space, someone who should have been deleted, can you please show me that?

    It is possible that you have a filter that is removing the user from TargetAD once the object is deleted from SourceAD. 


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, December 15, 2015 4:03 PM
  • Here is a user that should have been deleted:

    Yes, we have a connection filter on the SourceAD MA, which filters out objects without a required attribute SKL.


    Andre

    Wednesday, December 16, 2015 9:17 AM
  • I need the filter from the targetAD. Your issue is with the target, not the source.

    Nosh Mernacaj, Identity Management Specialist

    Wednesday, December 16, 2015 7:57 PM
  • OK, there is no filter on the targetAD/destinationAD.

    Andre

    Wednesday, December 16, 2015 9:05 PM
  • The only other thing is to see what happens when a user is deleted in MV. Are you getting errors during Export to AD? Maybe you don't have the rights to delete in Target AD.

    Nosh Mernacaj, Identity Management Specialist

    Wednesday, December 16, 2015 9:16 PM
  • No errors on export. I can successfully create accounts in DestinationAD when I run an export. When the user is deleted in the MV, there is no delete export action triggered.

    The DestinationAD MA service account is Domain admin as we speak. Just for the test.

     

    Andre

    Tuesday, December 22, 2015 10:24 AM
  • Do you have projection in Target AD, by any chance?

    Other than that, I cannot think of any reasons why.


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, December 22, 2015 3:23 PM