
Question


AD Sync - Process and Timelines

asked on April 5, 2023

I have Laserfiche setup to sync with AD, and it is working.  I know how to force a sync.  

I put my users in AD groups, and make the groups trusted for the repositories, so I don't have to give Admin access to the Repository, and changes can just be made in AD.  This works well.

When a new user is added, they are added fairly quickly.  Synchronization runs every hour, so if I wait an hour, the new user will be added with the correct permissions.

When an existing user is changed, I'm not sure when the change happens.  Or if it does.  For example, today I wanted to downgrade an account to a read-only license and lower permissions to test an issue a user was reporting.  I made that change three hours ago.  I've forced sync with the AD multiple times.  I've confirmed the user is in the correct AD groups to get the lower permissions, and I've confirmed the user's permissions have been replicated to all the ADs in our domain.  

Will the existing account ever receive the lower permissions?  If it won't, that is problematic, because this is something my security strategy is based on - the ability to move users from higher to lower levels of security fairly simply, and vice versa.

0 0

Answer

APPROVED ANSWER
replied on April 5, 2023

There is no difference in how AD sync behaves for different license types.

It sounds like this user belongs to both the more privileged group and the lower privileged group?

The licensing concern (read only license) and repository security (e.g., access to a folder or ability to delete entries) are two separate portions to address so that the user has the access level you expect.

For the licensing, there are two main possibilities:

  1. Your system does not have enough licenses to fulfill the current set of rules. When that is the case, no changes will be made to any user licenses. There should be errors in the Directory Server administration site and in the event viewer, and you can also view your existing allocations to see how many licenses you have remaining
  2. Your group synchronization rule order does not match your desired behavior

For the second case, you may need to re-order your rules for synchronization. The rules are evaluated in order, top to bottom, so if the group rule that grants this user a full license comes after the group rule that grants a read-only license, the user will still end up with a full license. The highest priority license rule should be at the bottom of the list.

The help files have an example:

For each registered domain controller, Directory Server processes synchronization rules sequentially from top to bottom in the order that the rules are listed on the Directory Server administration site. For example:

  1. You have two Windows groups: QA and Engineering.
  2. The QA group contains 1 user: John.
  3. The Engineering group contains 2 users: Jane and John (same John as the one in the QA group).
  4. You add a synchronization rule that assigns full named user licenses to the QA group.
  5. You add a second synchronization rule below the rule in step 4 that assigns retrieval named user licenses to the Engineering group.
  6. Because the rule added in step 5 is the last rule that Directory Server will process, both Jane and John will end up with retrieval named user licenses.

Note: for advanced troubleshooting, you can use the Claims Test page after logging in to verify the group membership for the user.

For the repository security, we would need more information to help troubleshoot. There are some good resources on the help page for effective permissions: https://go.laserfiche.com/support/webhelp/Laserfiche/10/en-us/administration/#../Subsystems/LFAdmin/Content/Effective_Permissions.htm

1 0

Replies

replied on April 6, 2023

Yep, this was the problem.  When I went through the list of groups, I found the one that I was trying to downgrade was in a subgroup that was a member of the higher level permissions group.

Thanks for the suggestion!

1 0
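As an added illustration (not code from this thread or from Laserfiche), the Python script below models the top-to-bottom rule evaluation described in the approved answer together with the nested-group membership the reply found: a user placed in a subgroup of the full-license group keeps a full license even though they are also in the read-only group. Group and user names are constructed for the example.

```python
# Constructed sample directory (made-up names, not a real domain):
# group -> members; a member that is itself a key is a nested group.
GROUPS = {
    "LF-Full-Users": {"alice", "LF-Power-Users"},
    "LF-Power-Users": {"bob"},
    "LF-ReadOnly": {"bob", "carol"},
}

# Synchronization rules in admin-site order, top to bottom: (group, license).
RULES = [("LF-ReadOnly", "retrieval"), ("LF-Full-Users", "full")]


def membership_paths(user, group, groups, path=()):
    """Return every chain of nested groups that places `user` in `group`."""
    path = path + (group,)
    paths = []
    for member in groups.get(group, ()):
        if member == user:
            paths.append(path)
        elif member in groups and member not in path:  # skip cyclic nesting
            paths.extend(membership_paths(user, member, groups, path))
    return paths


def resolve_licenses(rules, groups):
    """Apply rules top to bottom; the last rule matching a user wins."""
    users = {m for members in groups.values() for m in members if m not in groups}
    licenses = {}
    for group, license_type in rules:
        for user in users:
            if membership_paths(user, group, groups):
                licenses[user] = license_type
    return licenses


def explain(user, rules, groups):
    """List every rule that matches `user`, in evaluation order, with its chain."""
    hits = []
    for group, license_type in rules:
        for chain in membership_paths(user, group, groups):
            hits.append((license_type, " -> ".join(chain)))
    return hits


if __name__ == "__main__":
    print(resolve_licenses(RULES, GROUPS))
    # bob is directly in the read-only group but also, via LF-Power-Users,
    # in the full-license group; the later "full" rule wins for him.
    for lic, chain in explain("bob", RULES, GROUPS):
        print(f"bob <- {lic:9} via {chain}")
```

Running `explain` for the affected user shows the nesting chain that explains a surprising license, and reversing the rule list shows the effect of moving the read-only rule to the bottom.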