10/30/2024 06:13 AM - edited 10/30/2024 06:14 AM
We have multiple Active Directory connections due to differing account naming rules. This was initially set up by Saviynt Professional Services.
For one set of our endpoints we are applying an OBJECTFILTER like this:
(&(objectCategory=person)(objectClass=user)(sAMAccountName=*)(!(company-SharedServices-EmployeeID=*))(!(company-SharedServices-EmployeeType=Admin*))((EmployeeNumber=*)))
Our STATUS_THRESHOLD_CONFIG is set as follows:
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty24",
    "accountThresholdValue": 20000,
    "activeStatus": [
      "512",
      "544",
      "2080",
      "66048",
      "640",
      "4194816",
      "66080",
      "524800",
      "590336"
    ],
    "deleteLinks": false,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}
When we execute a full account import we see Saviynt report success and update 5,357 accounts. But we see many accounts in the endpoint which should be excluded by the OBJECTFILTER - they are being updated from AD because we can see properties changing in Saviynt when the import runs.
When executing the exact same LDAP filter in PowerShell we get only 2,332 users (3k fewer):
get-aduser -server global.tektronix.net -LDAPFilter "(&(objectCategory=person)(objectClass=user)(sAMAccountName=*)(!(company-SharedServices-EmployeeID=*))(!(company-SharedServices-EmployeeType=Admin*))((EmployeeNumber=*)))" | Measure-Object | select -expandproperty count
2332
I would expect any accounts not matching the OBJECTFILTER to be marked as suspended but this is not happening. We have bumped up the threshold to 20,000 but that has had no effect.
Can anybody see what we are missing to drop these non-matching accounts from this endpoint?
10/30/2024 06:30 AM
In the connection ACCOUNT_ATTRIBUTE JSON we map as follows:
CUSTOMPROPERTY24::userAccountControl#String,
UserAccountControl for these extra accounts in AD is mostly "512" (which means "active"). But they don't match the OBJECTFILTER so I was expecting them to be filtered out and marked as suspended.
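The activeStatus list above is a list of literal userAccountControl values, and Saviynt compares the statusColumn string against it verbatim rather than testing the ACCOUNTDISABLE bit. The following PowerShell is an added example, not the poster's or Saviynt's code: it decodes each value in the thread's activeStatus list into its flag names and then probes a few constructed values to show which ones would be treated as active under an exact-match list. The flag table is the standard userAccountControl bit layout; the probe values (514, 66050, 4260352) are constructed for illustration.

```powershell
# Added example (not Saviynt code): decode the userAccountControl values in
# STATUS_THRESHOLD_CONFIG.activeStatus and show the effect of exact-string matching.
# Plain hashtable on purpose: an [ordered] dictionary treats an integer index
# positionally, so $table[512] would not be a key lookup.
$UacFlags = @{
    0x0001 = 'SCRIPT';                  0x0002 = 'ACCOUNTDISABLE'
    0x0008 = 'HOMEDIR_REQUIRED';        0x0010 = 'LOCKOUT'
    0x0020 = 'PASSWD_NOTREQD';          0x0040 = 'PASSWD_CANT_CHANGE'
    0x0080 = 'ENCRYPTED_TEXT_PWD_ALLOWED'
    0x0100 = 'TEMP_DUPLICATE_ACCOUNT';  0x0200 = 'NORMAL_ACCOUNT'
    0x0800 = 'INTERDOMAIN_TRUST_ACCOUNT'
    0x1000 = 'WORKSTATION_TRUST_ACCOUNT'; 0x2000 = 'SERVER_TRUST_ACCOUNT'
    0x10000 = 'DONT_EXPIRE_PASSWORD';   0x20000 = 'MNS_LOGON_ACCOUNT'
    0x40000 = 'SMARTCARD_REQUIRED';     0x80000 = 'TRUSTED_FOR_DELEGATION'
    0x100000 = 'NOT_DELEGATED';         0x200000 = 'USE_DES_KEY_ONLY'
    0x400000 = 'DONT_REQ_PREAUTH';      0x800000 = 'PASSWORD_EXPIRED'
    0x1000000 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'
    0x4000000 = 'PARTIAL_SECRETS_ACCOUNT'
}

function ConvertFrom-Uac([int]$Value) {
    # Names of every flag bit set in a userAccountControl value, lowest bit first
    $UacFlags.Keys | Sort-Object | Where-Object { ($Value -band $_) -ne 0 } | ForEach-Object { $UacFlags[$_] }
}

# Copied from the thread's STATUS_THRESHOLD_CONFIG
$ActiveStatus = '512', '544', '2080', '66048', '640', '4194816', '66080', '524800', '590336'

function Test-SaviyntActive([int]$Uac) {
    # Mirrors the statusColumn comparison: active only if the value appears in the list verbatim
    $ActiveStatus -contains [string]$Uac
}

'--- activeStatus values decoded ---'
foreach ($v in $ActiveStatus) {
    # Note for review: 4194816 carries DONT_REQ_PREAUTH (Kerberos pre-authentication
    # disabled) and 2080 is an INTERDOMAIN_TRUST_ACCOUNT; both are worth a second look
    # in an "active user" list.
    '{0,8}  {1}' -f $v, ((ConvertFrom-Uac ([int]$v)) -join ' + ')
}

'--- constructed probe values ---'
# 514 and 66050 are disabled accounts; 4260352 is enabled (DONT_REQ_PREAUTH +
# DONT_EXPIRE_PASSWORD + NORMAL_ACCOUNT) but is not in the list, so Saviynt would
# treat it as inactive even though AD considers it enabled.
foreach ($probe in 512, 514, 66050, 4260352) {
    $disabledInAd = ($probe -band 0x0002) -ne 0
    '{0,8}  AD disabled={1,-5}  Saviynt active={2}' -f $probe, $disabledInAd, (Test-SaviyntActive $probe)
}
```

The practical point: every combination of flags that a legitimately enabled account can carry has to be enumerated in activeStatus, and any enabled account whose value is missing from the list is silently treated as inactive. Running the decode against the distinct userAccountControl values actually present in the endpoint is a quick way to find gaps in the list.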
10/30/2024 09:31 AM
Yes - the current Job ID on the unwanted accounts is the same Job Id as the last Account import. There are later Group imports.
10/30/2024 10:38 AM
@BarCar are you also importing groups from the same connection?
And are those users part of the groups?
10/30/2024 10:40 AM - edited 10/30/2024 10:42 AM
Yes, we are and they are - we have 3 instances of AD (one per Naming Rule) and groups are common across all instances and users from any instance can be in any group.
10/30/2024 10:52 AM
Ok - so is there a way to prevent the Group (Access) import from creating accounts?
10/30/2024 10:52 AM
No, if those are part of an entitlement then those will be pulled.
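The explanation above (accounts arriving through the group import rather than the account import) can be verified from the AD side before raising a ticket. The PowerShell below is an added diagnostic, not the poster's or Saviynt's code: it runs the thread's OBJECTFILTER against the same domain controller, collects every user that is a direct or nested member of the groups the connection imports, and lists the members the OBJECTFILTER does not cover. `$GroupFilter` is a placeholder, since the connection's real group filter is not on the page; the output file name is an assumption.

```powershell
# Added diagnostic (not Saviynt code): which AD users would the group import bring
# in that the account OBJECTFILTER excludes?
Import-Module ActiveDirectory

$Server       = 'global.tektronix.net'   # same DC as in the thread
$ObjectFilter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=*)(!(company-SharedServices-EmployeeID=*))(!(company-SharedServices-EmployeeType=Admin*))((EmployeeNumber=*)))'
$GroupFilter  = '(objectClass=group)'    # PLACEHOLDER: replace with the connection's real group filter

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN containing ( ) * or \ cannot break or widen the filter
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# 1. Accounts the OBJECTFILTER allows, keyed by DN (this is the thread's 2,332 set)
$inScope = @{}
Get-ADUser -Server $Server -LDAPFilter $ObjectFilter |
    ForEach-Object { $inScope[$_.DistinguishedName] = $true }

# 2. Every user that is a (nested) member of any imported group.
#    LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nesting server-side
#    and avoids the member-count limits of Get-ADGroupMember on large groups.
$viaGroups = @{}
foreach ($g in Get-ADGroup -Server $Server -LDAPFilter $GroupFilter) {
    $dn = ConvertTo-LdapFilterValue $g.DistinguishedName
    $memberFilter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    Get-ADUser -Server $Server -LDAPFilter $memberFilter -Properties userAccountControl |
        ForEach-Object { $viaGroups[$_.DistinguishedName] = $_ }
}

# 3. Members outside the OBJECTFILTER: these are the accounts the account import
#    never selected but the group import still creates and refreshes.
$extra = @($viaGroups.Keys | Where-Object { -not $inScope.ContainsKey($_) } | ForEach-Object { $viaGroups[$_] })

"OBJECTFILTER matches    : $($inScope.Count)"
"Users via group import  : $($viaGroups.Count)"
"Pulled in by groups only: $($extra.Count)"
$extra |
    Select-Object SamAccountName, DistinguishedName, userAccountControl |
    Export-Csv -Path .\accounts-outside-objectfilter.csv -NoTypeInformation
```

If the "pulled in by groups only" count is close to the gap between the 5,357 accounts Saviynt updated and the 2,332 the filter returns, the group import is confirmed as the source; the CSV then gives the exact accounts to review for the status values they carry.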
10/30/2024 10:55 AM
Sigh. So the point of the OBJECTFILTER is what exactly?
10/30/2024 10:57 AM
Which accounts are to be pulled. You can try the advanced configuration under group import mapping.
10/30/2024 11:10 AM
@BarCar no it is not possible to exclude those.
10/30/2024 11:12 AM
Yet another awesome product design. 🤡
10/30/2024 11:55 AM
@BarCar create an idea ticket to be considered in future.