Directory Extraction After Users Are Moved in Active Directory

The information in this article applies to product: e-Work 6.x

Issue

  • When using Directory Services to synchronize users from Active Directory, and changes have been made to the directory (e.g. shifting users between departments), users that have been moved get a new username (user_1) instead of keeping the same username with the new department.

Discussion

  • This is the result of the way the extraction software uniquely identifies users, which is based on the Distinguished Name built from the directory location of each user entry. When the location changes, so does the Distinguished Name. Therefore the extraction sees the user entry as a different entity and generates a unique e-Work user name using the duplicate name algorithm. This issue is described in the product documentation.

Resolution

  • The eUserName field in the eUser table is used as the key to roles, alerts, and attributes in the database. Thus a user can be deleted and re-created but still retain the same identity, with no loss of roles, alerts, or attributes, provided the eUserName field contains exactly the same value. Therefore, if a directory user entry is moved, the e-Work identity can be maintained by deleting the eUser table row for that user (don't delete with Users & Roles, because this will remove the other information that we are trying to save), then performing an extraction, which will update the eUser table and replace the deleted user row. The user's password will need to be reset. The email address and 'deliver alerts by email' setting will also need to be reset unless they are configured to be extracted from the directory.

    There is one potential problem that only arises if you already have two or more users with identical names (e.g. the eUser table contains and _1). If the order in which they are extracted from the directory changes because a user is moved to a different container, then the user IDs will appear to swap over. There is a workaround for this: the eUser table will have to be manually edited so the user names match the previous identities. This should only be necessary after the first extraction following a user move.
