
duplicate accounts imported for same user same endpoint

fouriefb
Regular Contributor

Hi Experts,

We are today suddenly seeing duplicate accounts show up under accounts from AD (same endpoint). Account Attribute has been the same since 4 months ago.

What could be the cause of this and how do we get rid of them?

Thanks in advance

10 REPLIES

sk
All-Star

Do you see that all account attributes are the same between the two accounts? Check all columns in the accounts table and make sure that they are exactly the same, especially the accountID column.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

fouriefb
Regular Contributor

Hi sk,

Checked a pair of the duplicate accounts. One has an account ID and the other has a blank account ID.

Any suggestion on how I can get rid of them only to show one active account for each user as per AD?

 

fouriefb
Regular Contributor

Just noticed the customer has renamed an OU from "and" to "&" in AD, which means my DN would have changed, and I reconcile on DN. 🙄 How can I resolve this?

ACCOUNT_ATTRIBUTE

[status::userAccountControl#String,
CUSTOMPROPERTY24::employeeID#String,
CUSTOMPROPERTY1::CN#String,
CUSTOMPROPERTY2::name#String,
LASTLOGONDATE::lastLogon#millisec,
DISPLAYNAME::displayName#String,
CUSTOMPROPERTY25::company#String,
CUSTOMPROPERTY3::distinguishedName#String,
CUSTOMPROPERTY4::homeDirectory#String,
LASTPASSWORDCHANGE::pwdLastSet#millisec,
CUSTOMPROPERTY5::co#String,
CUSTOMPROPERTY6::cn#String,
CUSTOMPROPERTY7::givenName#String,
CUSTOMPROPERTY8::title#String,
CUSTOMPROPERTY9::telephoneNumber#String,
CUSTOMPROPERTY10::c#String,
DESCRIPTION::description#String,
CUSTOMPROPERTY11::uSNCreated#String,
VALIDTHROUGH::accountExpires#millisec,
CUSTOMPROPERTY13::physicalDeliveryOfficeName#String,
UPDATEDATE::whenChanged#date,
CUSTOMPROPERTY14::extensionAttribute1#String,
CUSTOMPROPERTY15::extensionAttribute2#String,
CUSTOMPROPERTY16::streetAddress#String,
CUSTOMPROPERTY17::mailNickname#String,
CUSTOMPROPERTY18::department#String,
CUSTOMPROPERTY19::countryCode#String,
NAME::sAMAccountName#String,
CUSTOMPROPERTY20::userPrincipalName#String,
CUSTOMPROPERTY21::manager#String,
CUSTOMPROPERTY22::homePhone#String,
CUSTOMPROPERTY23::mobile#String,
CREATED_ON::whenCreated#date,
ACCOUNTCLASS::objectClass#String,
customproperty26::distinguishedName#String,
RECONCILATION_FIELD::customproperty26,
ACCOUNTID::distinguishedName#String,
RECONCILATION_FIELD::ACCOUNTID]

Okay, that explains it. If I understand correctly, accounts are moved from one OU (for example xxx) to another OU (for example yyy), right? In Saviynt you are now seeing two accounts, but accounts in ou=xxx are in a suspended state and accounts in ou=yyy have a valid state (Active).

Is that the correct understanding?


Regards,
Saathvik

fouriefb
Regular Contributor

So they have actually not moved at all. The OU was renamed from, for example, "tech and digital" to "tech & digital". Both are showing active in Saviynt right now.

 

You should change the recon field to objectGUID in the latest version and map accountid with objectguid. This should solve your problem. But the thing is, you might get a new entry for all accounts with accountid as objectguid, and the old entries should get suspended.


Regards,
Saathvik

Sivagami
Valued Contributor

@sk - We needn't change the accountid mapping to objectguid, which will create a new entry for all accounts. Instead, the steps below can be followed, as suggested in https://forums.saviynt.com/t5/identity-governance/active-directory-account-status-not-being-updated-... 

The way to implement ObjectGUID as recon attribute would be in 2 steps:

1. Map ObjectGuid to a customproperty and import it onto Saviynt in the first import.

2. Make the custom property as the Recon attribute and then run the import again.

-Siva
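
Added example, not part of the original thread and not Saviynt's import code: a simplified Python model of an import keyed on a reconciliation field, showing why the OU rename duplicated DN-keyed accounts, why switching straight to objectGUID creates new rows, and why the two-step switch above does not. The field names `dn` and `guid`, the user `jdoe` and the domain are constructed.

```python
# Simplified model of an import keyed on a reconciliation field.
# Not Saviynt's import logic; status/suspension handling is not modelled.

def run_import(store, directory, recon_field):
    """Upsert directory entries into store, matching rows on recon_field."""
    # Rows that have no value for the recon field can never be matched.
    index = {row[recon_field]: row for row in store if row.get(recon_field)}
    for entry in directory:
        row = index.get(entry[recon_field])
        if row is None:            # no match: a new account row is created
            row = {}
            store.append(row)
        row.update(entry)          # match: attributes (including DN) refresh
    return store

def duplicates(store):
    """Account names that occur on more than one row."""
    names = [row["name"] for row in store]
    return sorted({n for n in names if names.count(n) > 1})

# Constructed sample data: one AD user, before and after the OU rename.
OLD_OU, NEW_OU = "tech and digital", "tech & digital"

def ad_entry(ou, map_guid=True):
    entry = {"name": "jdoe", "dn": f"CN=jdoe,OU={ou},DC=example,DC=test"}
    if map_guid:                   # objectGUID is only imported once mapped
        entry["guid"] = "constructed-guid-0001"
    return entry

def recon_on_dn_after_rename():
    store = run_import([], [ad_entry(OLD_OU, map_guid=False)], "dn")
    return run_import(store, [ad_entry(NEW_OU, map_guid=False)], "dn")

def switch_directly_to_guid():
    store = run_import([], [ad_entry(OLD_OU, map_guid=False)], "dn")
    return run_import(store, [ad_entry(OLD_OU)], "guid")

def two_step_then_rename():
    store = run_import([], [ad_entry(OLD_OU, map_guid=False)], "dn")
    run_import(store, [ad_entry(OLD_OU)], "dn")    # step 1: import GUID, still match on DN
    run_import(store, [ad_entry(OLD_OU)], "guid")  # step 2: GUID is now the recon field
    return run_import(store, [ad_entry(NEW_OU)], "guid")  # later OU rename

if __name__ == "__main__":
    print(duplicates(recon_on_dn_after_rename()))
    print(len(switch_directly_to_guid()))
    print(two_step_then_rename())
```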

fouriefb
Regular Contributor

Thanks Team for all the suggestions.

I have used Username as the reconcile field just to get rid of the duplicates, and afterwards changed to objectGUID for recon.

All is sorted and only the active user is showing when users select accounts to add to groups etc. (Setting under global config though to not display inactive accounts in ARS.)

@Sivagami: Correct, but I was just suggesting changing the mapping, since Saviynt suggests mapping accountID with objectGUID from version v2021.0.4.

https://docs.saviyntcloud.com/bundle/AD-v2021x/page/Content/Configuring-the-Integration-for-Importin...

 


Regards,
Saathvik

Sivagami
Valued Contributor

Since you are using DN as the recon attribute and the DN can change once the account is moved or the OU is renamed, it would lead to a discrepancy. Saviynt recommends using ObjectGUID as the recon attribute. Refer to this forum article for clarity.

https://forums.saviynt.com/t5/identity-governance/active-directory-account-status-not-being-updated-... 

-Siva