Active Directory Synchronization - users & groups

Hello, I'm working on a WSM 4.0 test environment composed of a Headquarter and a Linked Site. I noticed a problem that occurred with version 3.6 too.
When I add a new Active Directory user to a group that is imported in WSM, or when I change the membership of a user from one group to another one, both imported in WSM, user group membership is not updated in WSM. Even if I delete and re-import the group in WSM, users in WSM do not match those in Active Directory: the only "solution" I found is to delete the group in Active Directory, create a new one with a different name, update the membership and import it again in WSM.
AD groups are defined as Global Security groups. I tried setting the primary group on each member user as the group imported in WSM, but nothing has changed. I tried reinstalling WSM without changing the default 600 seconds synchronization polling frequency (changing that value will cause WSM not to sync with AD, and this is a known bug), but nothing has changed.
Has anyone reported the same problem, or can anyone help troubleshooting AD sync issues? Any suggestion will be much appreciated.
I'm new to WSM, but I had some AD trouble as well, on 3.6.0 that is. Don't know if this will help, but this is just a couple of things I would check regarding AD integration with WSM.
The system user you created for WSM is a member of the local administrators group on the WSM server, and the Domain Admins group on the domain controller?
The OS Auth. Service on the WSM server is running under the credentials of this user and not local system?
I also experienced problems with users in WSM not being synced with AD. In my case the problem was that the sync was set to run every 10 minutes (600 seconds). I changed this to 60 seconds for testing purposes, and the groups synced well. Probably just impatience on my behalf since I'm on a schedule to get this system working for a customer. Before I did this I tried the same thing as you, I think (?). What I did was delete the group in WSM, and add it from the WSM console again. That worked in my environment, didn't have to rename the group in AD...
Hi, and thank you for your quick reply.
In fact my structure is a little complex: I integrate WSM with 2 trusted domains (there will be many more domains, that's for isolation purposes), using two different domain admin accounts: the WSM OS Auth service is configured to run with domain admins and schema admins credentials, and that works fine (computer accounts are staged when thin clients boot up).
The only difference is that the user account I use to integrate the second domain (the one where I defined users & groups) is not local administrator on the WSM servers, as they are joined to the other domain! I'll try to elevate privileges for that account on the forest, and see what happens. Thanks a lot!
It worked!
Setting local administrator rights on the servers that run WSM for the user accounts that integrate WSM with AD solved the problem: user membership is updated automatically after the synchronization polling period. Thanks a lot!
Glad to hear I could help.