Question

AD sync - disable unlicensed users

asked on June 22, 2021

This one's a little odd and may be outside the scope of LFDS, but figure it's worth asking. We're using AD synchronization to license users. I've noticed that sometimes after they leave the company their account in LFDS gets disabled, while other times it remains enabled but unlicensed. I would like all of them to be disabled.

So what's the difference? The users' accounts do get disabled in AD, but upon investigation it seems that those that get disabled within LFDS are still members of the groups associated with the synchronization rules. The accounts that remain enabled, albeit unlicensed, have been removed from the relevant licensing group (or more accurately, they got removed from all their AD groups as part of the offboarding procedure).

My question, then, is if there's a way to ensure these users that are disabled but removed from their groups also get disabled in LFDS? My guess is that since they're no longer part of the syncing group they're off LFDS' radar and there won't be much it can do, but figure it's worth asking.

FWIW, this is with LFDS 10.4.5

Answer

APPROVED ANSWER
replied on June 23, 2021

Hi Pieter,

Unfortunately there isn't a whole lot that LFDS can do about this because the disabled status is a property of a user that LFDS won't update unless it reads the user during AD group sync.

If the user is removed from the group before being disabled, LFDS's AD group sync will

  1. notice that it can't find the user in the group being licensed
  2. check the AD tombstones to see if the user was deleted, and notice that it was not
  3. remove the license from the user in LFDS but leave them enabled
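
Since the sync described above never re-reads an account once it has left the licensed group, one way to catch these accounts is to reconcile outside LFDS. The following is an added example, not part of the original thread and not Laserfiche code: it reports accounts that are disabled in AD but still enabled in a list of LFDS users. The function name, the LFDS column names (`AccountName`, `Enabled`, `Licensed`) and the sample accounts are assumptions made for illustration.

```powershell
# Added example, not Laserfiche code. The LFDS column names are hypothetical.
function Find-StaleLfdsAccount {
    [CmdletBinding()]
    param(
        # AD side: objects exposing SamAccountName, Enabled and MemberOf
        [Parameter(Mandatory)] [object[]] $AdUser,
        # LFDS side: rows exposing AccountName, Enabled, Licensed (assumed columns)
        [Parameter(Mandatory)] [object[]] $LfdsUser
    )
    # Index AD accounts by name; hashtable string keys are case-insensitive.
    $adByName = @{}
    foreach ($u in $AdUser) { $adByName[$u.SamAccountName] = $u }

    foreach ($row in $LfdsUser) {
        $ad = $adByName[$row.AccountName]
        if ($null -eq $ad) { continue }   # not in this AD snapshot, nothing to compare
        # CSV imports yield strings ('True'/'False'), so convert before comparing.
        $lfdsEnabled = [System.Convert]::ToBoolean($row.Enabled)
        if (-not $ad.Enabled -and $lfdsEnabled) {
            [pscustomobject]@{
                AccountName  = $row.AccountName
                LfdsLicensed = [System.Convert]::ToBoolean($row.Licensed)
                AdGroupCount = @($ad.MemberOf).Count   # 0 = stripped of all groups
            }
        }
    }
}

# Constructed sample data. Against a real domain the AD side could come from
#   Get-ADUser -Filter 'Enabled -eq $false' -Properties MemberOf
# and the LFDS side from Import-Csv on a user list taken from LFDS.
$ad = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $false; MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'bjones'; Enabled = $false; MemberOf = @('CN=LF-Licensed,DC=example,DC=test') }
    [pscustomobject]@{ SamAccountName = 'cdoe';   Enabled = $true;  MemberOf = @('CN=LF-Licensed,DC=example,DC=test') }
)
$lfds = @(
    [pscustomobject]@{ AccountName = 'asmith'; Enabled = 'True';  Licensed = 'False' }  # groups removed: left enabled
    [pscustomobject]@{ AccountName = 'bjones'; Enabled = 'False'; Licensed = 'False' }  # still in group: sync disabled it
    [pscustomobject]@{ AccountName = 'cdoe';   Enabled = 'True';  Licensed = 'True' }   # active employee
)

Find-StaleLfdsAccount -AdUser $ad -LfdsUser $lfds | Format-Table -AutoSize
```
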
replied on June 23, 2021

I was afraid of that. Thank you for the confirmation.
