Question

LFDS Synchronization for Users Returning From Disabled.

asked on June 7, 2022
So here's a weird thing I was wondering if I might get some input on. I have a client that has a lot of users in LFDS, like 20,000 licenses. Obviously this is all managed by Active Directory rules. They are running into an issue where their synchronizations are failing. The reason they are failing is due to a unique key error: the sync is trying to add users to LFDS that already exist in LFDS.

They have the setting to remove users that are removed from AD, but their policy is not to remove users but to disable them for ~4 years before deleting, because these employees frequently leave and come back, and this is immutable.

When they disable the users/remove them from their respective group, licenses are revoked, which is great, but when they come back they cause the sync to fail, and the only way to correct it is to manually delete them from LFDS and rerun the sync. If this were one or two people occasionally this wouldn't be an issue, but with this many users and this being their big hiring time, it is untenable to manually figure out the hundred or so users who are causing the issue in the event viewer and then manually delete them all from LFDS.

Anyone out there who has figured out a solution to this? 

Replies

replied on June 7, 2022

What version of LFDS are you running? Are you sure the users are using the same account re-enabled when they return?

When you disable/enable an account, it should have the same SID so LFDS should recognize it as the same account, but if you create a new account with the same login, they won't be matched.

We used to disable AD users who were on extended leave, and we disable/retain accounts for terminated employees for at least 30 days.

As a result, many of our users have been disabled/enabled over the years without any issues.

The only time we've had a problem is when a user comes back with a new account that has the same login ID as their old account (i.e., same username but a new SID) while their old one is still listed in Active Directory.

One unique key LFDS uses is the login, so you can't have 2 domain\jdoe users in the system, but if the domain\jdoe account has the same SID as the original record, it should know they are the same.

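As an added illustration of the SID-versus-login matching described in the reply above (example code, not from the thread or from Laserfiche): a pre-sync reconciliation check over constructed account records that flags logins where the AD SID no longer matches the SID on file, which is the case that would collide on the login unique key. All account records and SIDs below are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    login: str    # domain\username, the unique key enforced on the directory side
    sid: str      # Windows SID; unchanged when an account is disabled and re-enabled
    enabled: bool = True


def classify_sync_candidates(ad_accounts, lfds_accounts):
    """Compare AD accounts against records already held by the directory service.

    Returns login -> one of:
      "new"      login not yet known, a plain add
      "match"    same login and same SID, e.g. a re-enabled account
      "conflict" same login but a different SID: a new AD object reusing an old
                 username, which an add would reject on the login unique key
    """
    on_file = {a.login.lower(): a for a in lfds_accounts}
    verdicts = {}
    for ad in ad_accounts:
        existing = on_file.get(ad.login.lower())
        if existing is None:
            verdicts[ad.login] = "new"
        elif existing.sid == ad.sid:
            verdicts[ad.login] = "match"
        else:
            verdicts[ad.login] = "conflict"
    return verdicts


def conflicts_only(ad_accounts, lfds_accounts):
    """Just the logins an operator must resolve before rerunning the sync."""
    return sorted(login for login, v in
                  classify_sync_candidates(ad_accounts, lfds_accounts).items()
                  if v == "conflict")


# Constructed sample data (placeholder SIDs, not real values).
LFDS_RECORDS = [
    Account(r"corp\jdoe", "S-1-5-21-1000-2000-3000-1101", enabled=False),
    Account(r"corp\asmith", "S-1-5-21-1000-2000-3000-1102", enabled=False),
]
AD_RECORDS = [
    Account(r"corp\jdoe", "S-1-5-21-1000-2000-3000-1101"),    # same object, re-enabled
    Account(r"corp\asmith", "S-1-5-21-1000-2000-3000-1250"),  # recreated, new SID
    Account(r"corp\bnew", "S-1-5-21-1000-2000-3000-1251"),    # genuinely new hire
]

if __name__ == "__main__":
    print(classify_sync_candidates(AD_RECORDS, LFDS_RECORDS))
    print("resolve before sync:", conflicts_only(AD_RECORDS, LFDS_RECORDS))
```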