Symantec IGA

Expand all | Collapse all

CA IDM 12.6.7 some AD Users does not create new global users

Jump to Best Answer
  • 1.  CA IDM 12.6.7 some AD Users does not create new global users

    Posted 06-27-2017 11:58 PM

    Hi experts,

     

    I faced an issue in our prod environment, where an AD User that was created from ADUC console is not being read with the explore/correlate function. Other users created later are found with the explore, but this one still does not appear as a global user.

     

    I tried creating users in my own lab environment, and finally the same happened here. I create users from ADUC console, only with first name, last name, username/fqdn and password (all users are named "usuario uno", "usuario dos", etc with usernames user1, user2, etc). After each user created run explore/correlation from Provisioning Manager and user appeared as global users on the console. But for some of the users I created, it did not appeared as global users. Following explore/correlation continues bringing me the new users, but this particular one is never shown.

     

    Does this happened to someone? Or somebody does some way to debug this issue?

     

    Thanks a lot!



  • 2.  Re: CA IDM 12.6.7 some AD Users does not create new global users

    Posted 11-13-2017 09:56 AM

    Hi all. Sorry for delaying my answer, I found solution today. Some notify was stuck on the notify server dsa. I followed this post: How to clear Provisioning Server notification queue (inbound synchronization) 

     

    As I had a lot of notify objects queued, I erase entire DB with 

     

    dxemptydb < HOSTNAME-impd-notify>

     

    Run another correlation and users where created ok. Thanks all!



  • 3.  Re: CA IDM 12.6.7 some AD Users does not create new global users

    Posted 06-28-2017 12:01 AM

    I ve found that the user that does not appears as global is on the accounts container of the endpoint tree in the provisioning directory. How can I bring this user to be a global user? Reverse sync?



  • 4.  Re: CA IDM 12.6.7 some AD Users does not create new global users

    Posted 10-26-2017 07:41 AM

    docldap KennyV

     

    Hi,

    I have exactly the same problem on IDM 12.6.8. Did you manage to resolve this? Please share.

    Thanks,

    M Mahto



  • 5.  Re: CA IDM 12.6.7 some AD Users does not create new global users
    Best Answer

    Posted 06-28-2017 11:08 AM

    When doing the Correlate there is a choice between "Correlate With Existing" of "Create Users as Needed". If the first was selected and there was no matching global user the account is correlated to the [default user]. If the second was selected then a new global user would be created if there was not matching global user for the account to be correlated with. I think you would best be served by opening a support case and sharing the logs in the case so it can be reviewed further.



  • 6.  Re: CA IDM 12.6.7 some AD Users does not create new global users

    Posted 10-26-2017 08:16 AM

    Not sure what that cause/solution was for the original poster but things for you to check would be:

    - that you are running "Create New As Needed" and not "Correlate With Existing"

    - that the account is not already correlated to a user

    - that the etanotify log on the Provisioning Server shows successful communications sent to proper IM host and IME

    - that the IM VST shows the Provisioning Create User tasks and if they were Completed, Failed, or Audited

     

    * make sure the notify queue is not backed up and that there are no errors related to missing required attributes

     

    If further assistance is needed you may be best served by opening a support case.



  • 7.  Re: CA IDM 12.6.7 some AD Users does not create new global users

    Posted 10-30-2017 03:17 AM

    KennyV

    I managed to resolve this issue. Some user accounts were correlated to the default user. By listing account of default user, you can see which user accounts are linked to this user. I right clicked on the user account and delinked it with the  default user. Then ran EnC for new global users to be created. This resolved the issue.