Symantec IGA

Hi,

There is a report option in etautil for this purpose but it's more designed per user. You can try it with * but the output may not be easy to parse. The command is:

etautil -u etaadmin -p apassword report 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser GlobalUserName=* list eTSyncUsers eTSyncDelete >report.txt

The output via ldapsearch can be easier, the equivalent command is:

ldapsearch -x -H ldap://impshostname:20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -b "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" (objectClass=eTGlobalUser) eTSyncUsers eTSyncDelete

You can adapt the filter to target a specific set of users and also redirect the output to a file.

For every out of sync user, the output should be like:

# J L, Aston Martin, cmdemoadd, ActiveDirectory, im, eta

dn: eTADSAccountName=J L,eTADSOrgUnitName=Aston Martin,eTADSDirectoryName=cmde

 moadd,eTNamespaceName=ActiveDirectory,dc=im,dc=eta

eTADSAccountName: J L

eTADSsAMAccountName: user03

eTPolicyDN: eTADSPolicyName=AT_AD01,eTADSPolicyContainerName=Active Directory

 Policies,eTNamespaceName=CommonObjects,dc=im

eTSyncUserDN: eTGlobalUserName=user03,eTGlobalUserContainerName=Global Users,e

 TNamespaceName=CommonObjects,dc=im

eTSyncUsers: 1

eTSyncDetail: Missing account

Missing account means that either the account doesn't exist or it exists but the AT is missing. Extra account can be also reported meaning that the account exists while it shouldn't or the account has an AT that is not prescribed by any assigned role(s)

Hope that helps

Hi,

There is a report option in etautil for this purpose but it's more designed per user. You can try it with * but the output may not be easy to parse. The command is:

etautil -u etaadmin -p apassword report 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser GlobalUserName=* list eTSyncUsers eTSyncDelete >report.txt

The output via ldapsearch can be easier, the equivalent command is:

ldapsearch -x -H ldap://impshostname:20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -b "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" (objectClass=eTGlobalUser) eTSyncUsers eTSyncDelete

You can adapt the filter to target a specific set of users and also redirect the output to a file.

For every out of sync user, the output should be like:

# J L, Aston Martin, cmdemoadd, ActiveDirectory, im, eta

dn: eTADSAccountName=J L,eTADSOrgUnitName=Aston Martin,eTADSDirectoryName=cmde

 moadd,eTNamespaceName=ActiveDirectory,dc=im,dc=eta

eTADSAccountName: J L

eTADSsAMAccountName: user03

eTPolicyDN: eTADSPolicyName=AT_AD01,eTADSPolicyContainerName=Active Directory

 Policies,eTNamespaceName=CommonObjects,dc=im

eTSyncUserDN: eTGlobalUserName=user03,eTGlobalUserContainerName=Global Users,e

 TNamespaceName=CommonObjects,dc=im

eTSyncUsers: 1

eTSyncDetail: Missing account

Missing account means that either the account doesn't exist or it exists but the AT is missing. Extra account can be also reported meaning that the account exists while it shouldn't or the account has an AT that is not prescribed by any assigned role(s)

Hope that helps