AD MA cd-error on deleted users as previous Group members

  • Question

  • Hi,

    We are running FIM 2010 R2 SP1 and Windows 2008 R2 AD with Recycle Bin enabled.

    A user gets deleted from our HR system, and in turn gets deleted from FIM Portal, AD and FIM MV.

    In AD, this user gets moved to the Recycle Bin and removed from the AD groups they were a member of (in FIM Portal, AD and FIM MV).

    This deleted user exists in AD Connector Space as: Placeholder CN=username\0ADEL:<some GUID>\CN=Deleted Objects,DC=....

    When Exporting (Run Profile) the AD MA, we now get the following error on the Group object the user used to belong to:

    Error: cd-error
    Source Error Code: 1168
    Source error: Element not found

    Group membership modification is trying to occur, and we can also see the following in the error:

    Changes: Delete
    Value: CN=username\0ADEL:<some GUID>

    Any idea on how to resolve this?

    Thank you.

    Thursday, November 13, 2014 3:33 AM
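    As an added diagnostic that is not part of this thread and not FIM's own code: the following PowerShell script checks, directly against AD rather than through the MA, the three things the export error involves: whether the Recycle Bin is actually enabled, what state the deleted user is in (deleted and restorable, or already recycled), and whether the group's member attribute still carries any value pointing into CN=Deleted Objects. It assumes the ActiveDirectory module (RSAT) and an account allowed to read the Deleted Objects container; the group name and user logon name are placeholders to replace with the ones from the export error.

```powershell
# Added diagnostic for the AD side of the cd-error / 1168 symptom. Not part of the
# thread and not FIM code. Requires the ActiveDirectory module (RSAT) and an account
# that can read CN=Deleted Objects (Domain Admins can by default; a plain user needs
# List Contents and Read granted on that container).
Import-Module ActiveDirectory

# Hypothetical placeholders: the group named in the export error and the deleted user.
$GroupName  = 'FIM-Group-01'
$DeletedSam = 'jdoe'

# 1. Is the Recycle Bin optional feature enabled for this forest? If EnabledScopes is
#    empty, deleted users become plain tombstones rather than recycle-bin objects.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $rb -or $rb.EnabledScopes.Count -eq 0) {
    Write-Warning 'Recycle Bin is not enabled in this forest'
} else {
    "Recycle Bin enabled; scopes: $($rb.EnabledScopes -join ', ')"
}

# 2. Locate the deleted user. isDeleted with isRecycled = false means it is still
#    restorable and still carries its old attributes; isRecycled = true means it has
#    aged past deletedObjectLifetime and is now a bare recycled object.
$deleted = Get-ADObject -Filter { sAMAccountName -eq $DeletedSam -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties isDeleted, isRecycled, lastKnownParent, whenChanged, objectGUID
if (-not $deleted) {
    Write-Warning "No deleted object with sAMAccountName $DeletedSam found"
}
foreach ($d in $deleted) {
    [pscustomobject]@{
        DN              = $d.DistinguishedName      # CN=jdoe\0ADEL:<guid>,CN=Deleted Objects,...
        IsRecycled      = [bool]$d.isRecycled
        LastKnownParent = $d.lastKnownParent
        LastChanged     = $d.whenChanged
        Guid            = $d.objectGUID
    }
}

# 3. Read the group's member attribute straight from the DC and flag any value that
#    points into CN=Deleted Objects (the DN form contains the literal "\0ADEL:").
#    That is the value the export is trying to delete; if the DC no longer returns it
#    here, the delete FIM computed from its connector space has nothing to match.
$group = Get-ADGroup -Identity $GroupName -Properties member
$stale = @($group.member | Where-Object { $_ -match '\\0ADEL:' })
if ($stale.Count -eq 0) {
    "No member values of $GroupName point into CN=Deleted Objects"
} else {
    "Member values of $GroupName that reference deleted objects:"
    foreach ($dn in $stale) {
        # Resolve each reference so its current state (deleted vs. recycled) is visible.
        Get-ADObject -Identity $dn -IncludeDeletedObjects -Properties isDeleted, isRecycled |
            Select-Object DistinguishedName, isDeleted, isRecycled
    }
}
```

    Run it on a DC or an RSAT workstation with the same account the AD MA uses, so that what the MA can see during import is what the script reports; if step 3 returns nothing while the connector space still holds the \0ADEL value, the pending export is deleting a member reference the directory no longer exposes.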

Answers

  • Hi,

    I have never had this, just a guess:

    You can try to exclude the Deleted Objects container in the AD MA advanced container configuration manually, even if it doesn't appear in the selection.

    I also remember that in the past, when the "recycle bin support" feature appeared in FIM 2010 Update 1, a hotfix on the DCs was needed, but I don't know if this is still the case.

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by Shim Kwan Tuesday, November 18, 2014 8:41 PM
    Thursday, November 13, 2014 9:53 AM

All replies

  • I am suspecting it's the missing DC hotfix, thank you.
    Tuesday, November 18, 2014 8:41 PM
  • Hello,

    I have exactly the same problem at 2 other clients running FIM 2010 R2 SP1 and Windows 2008 R2 AD with Recycle Bin enabled.

    All the hotfixes on the DCs have been applied.

    The problem is that FIM, on a Delta Import on AD, sees the previously deleted AD account as a member of the group as CN=...\0ADEL:<someGUID>,CN=Deleted Objects,DC...

    Why does FIM not filter it? Why does FIM treat it as a normal member? For me it's a bug in FIM. Then FIM runs into an error at export when it tries to remove the member CN=...\0ADEL:<someGUID>,CN=Deleted Objects,DC... (cd-error, Element not found).

    Regards,

    Sylvain G.

    Monday, February 2, 2015 4:27 PM
  • 1. Is the service account used in the AD MA a domain admin? If YES, remove it from Domain Admins. This fixes the issue.

    2. Did you select the whole OU tree in AD, meaning you selected the root of AD and everything underneath? If yes, select only the OUs where you have users and groups instead.


    Nosh Mernacaj, Identity Management Specialist

    Wednesday, February 4, 2015 12:00 AM
  • 1. The service account used in the AD MA is not a domain admin. It's only a domain user.
    2. No, I haven't selected all OUs in AD (I have even explicitly excluded the OU CN=Deleted Objects,DC...).

    Do you think it is normal that, during an import of an AD group, FIM gets the deleted users as placeholders? Why not, but FIM should then be able to delete them during the export of the group, as it does for other placeholders!!

    Regards,

    Sylvain Guyot

    Monday, February 16, 2015 5:40 PM
  • I don't think this is normal behavior. Do you project AD users to the FIM Metaverse?

    Nosh Mernacaj, Identity Management Specialist

    Monday, February 16, 2015 7:37 PM
  • I don't understand your question: FIM provisions users in AD. When a user is deleted in FIM, he is then deleted in AD (put in the trash) with no error. Errors occur on the export of groups containing the user that has been deleted in FIM and in AD.
    Thursday, February 19, 2015 9:16 AM