AD Trusted Recon - Disabling user deletes him in OIM

Hello,
I'm having trouble changing a user state to 'Disabled' in OIM when I disable him in the Active Directory.
Has anyone ever encountered this problem and know how to solve it?
Thanks in advance

The problem with disabled users in AD has been discussed numerous times over the years and there have been a number of different "solutions" to the problem.
Our standard solution to this has been to have our own AD connector so that we could change the behavior to what the specific customer wanted.
The 9.1 AD connectors have been delayed and the ETA is now between "July and December 2008".
Best regards
-M

Similar Messages

  • OIM: trusted source reconciliation - user deletion

    Hello,
    I am working on a test scenario with Oracle Identity Manager 9.1.0.1.
    I have successfully set up trusted source reconciliation with Oracle 10g Database using the "Database Application Tables Release 9.1.0 connector".
    In the DB resides an HR table with users.
    When the data in the HR table is edited and updated, everything works fine: it gets reconciled to OIM.
    But when a user gets deleted from the Database HR table, the user isn't deleted in OIM.
    How is that possible?
    Your response is greatly appreciated!
    Thank you very much in advance!

    OK, I have now managed the problem with the first unparsable error syntax.
    According to here (http://download.oracle.com/docs/cd/E11223_01/doc.910/e11194/create.htm):
    Database Date Format parameter for reconciliation:
    Enter the same value that you enter for the Source Date Format parameter.
    I entered the settings below and it works.
    Database Date Format: DD-MMM-YY
    Source Date Format: DD-MMM-YY
    Another problem:
    Now I have a problem with the "hire end" date, because if a user is still employed, there is a null value in the Oracle 10g DB.
    And I get an Unparsable date: "" error.
    Please help.

  • IPlanet User Trusted Recon

    I've deployed iPlanet connector in OIM 11g.
    Executed scheduler iPlanet User Target Recon; users are reconciled.
    But when I try to execute iPlanet User Trusted Recon, no users are getting reconciled and no events are generated either.
    For the scheduler iPlanet User Trusted Recon, the parameter Trusted Resource Object is Xellerate Users.
    So for Xellerate Users RO, do I need to
    add recon fields,
    add recon action rules,
    map recon fields in process def,
    and create a recon rule?
    Is this the way to follow or is there something else I am missing...

    Did you import "iPlanetXLResourceObject.xml" ?
    Check Connector Guide (2.3.1.6 Configuring Trusted Source Reconciliation), it will ask you to perform some more steps for Trusted Recon.

  • OIM 11 - Trusted Recon creates random number of users in "disabled" state

    We are on OIM 11.1.1.5 with LDAP sync enabled to OID 11.
    When creating users from trusted recon, we get a random number of users always created as "disabled". The recon event details show orchestration:*create* and orchestration:*Enabled*. However, Enable orchestration events show compensated or failed, and the user gets created in OIM as "disabled".
    We have turned on the logging for Trusted recon, but do not see any error for these specific users.
    Has anyone seen this kind of behavior?
    Thanks in advance for your answer!
    MBiswal

    I've seen this before if the user is created with a blank password. Run a select * from usr where usr_login='BARBERDW'; and validate that usr_password is not blank. It should be filled in with an encrypted value. If not, you need to look at your process handlers for setting this value.

  • How to do Archiving of deleted & disabled users in OIM11g

    Hi All,
    As per the requirement we have to archive deleted & disabled users in OIM11g (11.1.1.2) after 75 days. Can I know how I can achieve this?
    Regards,
    user7609

    Just to recap:
    Your client requirement is to archive users out of OIM after 75 days. This means in addition to actually disabling and/or deleting them, fully removing any traces of them from the system.
    As Kevin & GP said, OIM is just not built to do this. API alone is not going to accomplish this task... you'll also need to include SQL to actually drop data out of tables.
    All that being said, your post said the reason for this was because of a "license for limited users". Oracle Identity Manager is licensed on an active user basis. You really should talk with your Oracle rep to confirm, but I've never had licensing contracts include deleted/disabled users.

  • Need help in OID user Trusted recon

    Hi all,
    I am using OIM 9.1.0.1, OID 9.0.4.7.
    When I run the OID user trusted recon it is bringing users based on page size. The problem is if I set the page size as 100 then it brought 98 users, whereas I have 30000 users in my OID. When I set the page size to 1000 it brought 998 users and ended the process. What I didn't understand is why it is not looping again and not bringing all my 30000 records.
    regards,
    Rajesh.

    Hi All,
    I ran the OID trusted recon which brought most of my records from OID. Now I got a requirement to rerun the scheduler one more time, but this time it is not picking the records which it already brought. I changed the recon timestamp to 0 but then also it didn't bring all the records.
    Can anyone help me with how I can rerun the trusted recon again so that it brings all my records?
    Regards,
    Rajesh

  • Disabling User instead of deleting

    I'm using OIM 9031.
    I've created a custom access policy which grants a user a resource (OEBS) based on his group membership.
    When the user is no longer a member of the group, his account is deleted from the assigned resource. How do I change the behavior of OIM so that the user account in OEBS would be blocked instead of completely deleted?

    Yes, I want the account to be re-enabled after the user is a member of the group again. No idea how to change the provisioning workflow...
    Maybe I should add two new tasks, for enabling/disabling the user, but then I must somehow incorporate the 'enable user' task into my workflow. It may require a 3rd task which checks if the user account already exists (e.g. is the user already provisioned the resource) and depending on the response code, it may launch either the create or the enable task...

  • One fundamental question: When users get created in IDM from trusted recon

    I have a very basic question which I am not able to understand.
    When user accounts get created in IDM from trusted recon, the trusted recon resource object is not displayed in the resource profile page of the user account. If we want to see whether the user account was created through a trusted source or manually by an admin, where can we see that?
    Is this information stored anywhere in the IDM DB which will distinguish user accounts created through trusted recon from those created manually in IDM?
    Please let me know if you are not able to understand my question.
    Thanks,
    Kalpana.

    You may be able to use the USR_CREATEBY field in the database. For an admin created user this should contain the USR_KEY value of the admin who created the user. I think for a reconciliation created user it may contain the USR_KEY of the OIMINTERNAL user.

  • Few users getting reconciled after running trusted recon

    Hi Experts,
    I ran a trusted recon for a particular Active Directory search base and it reconciled only 6 out of some 50 odd users. I checked if the remaining users are already present in OIM, which they are not. I checked all the parameters and they look fine. Please kindly guide me on some pressure points to check for errors.
    Thank you for your time.

    Verify the data of your users. Check reconciliation events, if they are generated for all users. That would give you some idea. Click on the re-evaluate button there to relink that specific user. Also make sure the xlReconbatchsize system property is set to 500 (by default). Also make sure (if this is custom code) the bulk execute method of your schedule task is implemented properly.
    If nothing is clear, put logs here.
    regards,
    GP

  • AD Identity Service: Delete or Disable users that aren't found?

    We currently set users to be "disabled" but then we have to periodically remember to go in there and delete them manually. It also creates issues with duplicate login names. Do you delete your users automatically? I've always been concerned that if something goes wrong with a sync then all my users would be deleted.

    We had the same issue here, so I wrote an external operation that piggybacks on the user sync job and deletes any disabled users older than X amount of days. For instance, in our case users are deleted after 180 days of being disabled (this is a bit extreme). This way you can give yourself a few days before the users are actually deleted, but keep the process automated. There are a couple of options built in, which should be discernible from the source code. Here is the source:
    package com.oracle.services.jobs;
    import com.oracle.services.utility.SessionManager;
    import com.plumtree.openfoundation.util.XPCalendar;
    import com.plumtree.openfoundation.util.XPDateTime;
    import com.plumtree.portaluiinfrastructure.resultwrapper.ASQueryResultWrapper;
    import com.plumtree.server.IPTObjectManager;
    import com.plumtree.server.IPTQueryResult;
    import com.plumtree.server.IPTSession;
    import com.plumtree.server.IPTUser;
    import com.plumtree.server.IPTUserManager;
    import com.plumtree.server.PT_LOCKSTATES;
    import com.plumtree.server.PT_PROPIDS;
    /**
     * This class takes care of the automation server job for deleting user accounts
     * which have been disabled for some number of days.
     * @author hross
     */
    public class DeleteDisabledAccountsJob {
        // filter for only deleting agent disabled accounts
        private static String FILTER_AGENT = "This user has been locked by a User Synchronization Job.";
        // filter for deleting all disabled accounts (including those disabled by an
        // admin)
        private static String FILTER_ALL = "";

        public static void main(String[] args) {
            // check arguments
            if ((args.length < 2) || (args.length > 4)) {
                System.err.println("usage: ");
                System.err.println("DeleteDisabledAccountsJob <security_token> <num_days>");
                System.err.println("DeleteDisabledAccountsJob <security_token> <num_days> all");
                System.err.println("DeleteDisabledAccountsJob <security_token> <num_days> [all] test");
                return;
            }
            // get a session from the login token
            IPTSession session = SessionManager.createSession(args[0]);
            // get a number of days
            int numDays = 0;
            try {
                numDays = Integer.parseInt(args[1]);
            } catch (Exception ex) {
                System.err.println("Number of days not a valid integer.");
                return;
            }
            // filter all or just the agent?
            boolean filterAll = ((args.length > 2) && (args[2].equals("all")))
                    || ((args.length > 3) && (args[3].equals("all")));
            // test mode: report what would be deleted, but delete nothing
            boolean test = ((args.length > 2) && (args[2].equals("test")))
                    || ((args.length > 3) && (args[3].equals("test")));
            if (test) {
                System.err.println("This is just a test. Nothing will be deleted.");
            }
            if (filterAll) {
                System.err.println("This job will delete all disabled accounts (even those disabled by an admin).");
            } else {
                System.err.println("This job will delete only users disabled by an authentication source.");
            }
            // calculate the cut-off: numDays days in the past based on today's date
            XPDateTime cutOff = new XPDateTime();
            XPCalendar xpCalendar = XPCalendar.GetInstance();
            xpCalendar.Add(XPCalendar.HOUR, -(24 * numDays));
            cutOff = xpCalendar.GetTime(); // subtract numDays days from current time
            System.err.println("This job will delete any user accounts disabled before: "
                    + cutOff.toString());
            // query for disabled (locked) user accounts matching the chosen filter
            IPTUserManager userManager = (IPTUserManager) session.GetUsers();
            IPTQueryResult result = userManager.GetLockedAccounts(filterAll ? FILTER_ALL
                    : FILTER_AGENT, 0, -1);
            //ASQueryResultWrapper ptqrUserLock = new ASQueryResultWrapper(result);
            for (int i = 0; i < result.RowCount(); i++) {
                // get some basic user info
                int userId = result.ItemAsInt(i, PT_PROPIDS.PT_PROPID_OBJECTID);
                String name = result.ItemAsString(i, PT_PROPIDS.PT_PROPID_NAME);
                String login = result.ItemAsString(i, PT_PROPIDS.PT_PROPID_USER_LOGINNAME);
                XPDateTime dt = result.ItemAsXPDateTime(i, PT_PROPIDS.PT_PROPID_CREATED);
    //            System.err.println("Found account: (" + userId + ") " + login
    //                    + ", " + name);
                // check to see if we need to delete the user
                if (dt.Before(cutOff)) {
                    if (!test) { // if test, we just want to see who we would have deleted
                        // we have to try to unlock the user b/c of a bug in
                        // automation server
                        IPTUser user = (IPTUser) ((IPTObjectManager) userManager)
                                .Open(userId, false);
                        try {
                            user.SetLockedStatus(false);
                            user.Store();
                        } catch (Exception ex) {
                            // we expect this will fail b/c of a bug
                        }
                        // make sure the account gets unlocked
                        if (user.GetLockState() == PT_LOCKSTATES.PT_LOCKED)
                            user.UnlockObject();
                        // okay, now we can delete the user
                        ((IPTObjectManager) userManager).Delete(userId);
                    }
                    System.err.println("Removed user account: " + userId + " - " + login + " - " + name);
                }
            }
        }
    }
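    The retention rule of the job above (a cut-off computed from a day count, an agent-only versus all-accounts filter, and a test mode), as an added Python example that is not the poster's code and does not touch the Plumtree API. It runs on constructed records and adds one safeguard the earlier question in this thread worried about: a per-run cap that refuses the whole run when a broken sync has disabled far more accounts than usual. The LockedAccount fields and the helpdesk lock reason are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Lock reason written by the user synchronization agent (from the job above);
# accounts disabled by an admin carry some other text.
AGENT_LOCK_REASON = "This user has been locked by a User Synchronization Job."


@dataclass(frozen=True)
class LockedAccount:
    login: str
    lock_reason: str
    locked_since: datetime  # assumed: when the account was disabled (tz-aware)


def select_for_deletion(accounts, num_days, now, filter_all=False, max_fraction=0.5):
    """Return (candidates, abort_reason).

    An account qualifies when its lock is older than num_days and, unless
    filter_all is set, it was locked by the sync agent. If more than
    max_fraction of all locked accounts would go, nothing is selected and the
    run is flagged, so a sync that wrongly disabled everyone cannot cascade
    into mass deletion.
    """
    cutoff = now - timedelta(days=num_days)
    candidates = [
        a for a in accounts
        if a.locked_since < cutoff
        and (filter_all or a.lock_reason == AGENT_LOCK_REASON)
    ]
    if accounts and len(candidates) > max_fraction * len(accounts):
        return [], "cap exceeded: %d of %d locked accounts would be deleted" % (
            len(candidates), len(accounts))
    return candidates, None


def run(accounts, num_days, now, filter_all=False, test=False, delete=None):
    """Dry-run (test=True) or delete via the caller's callback; returns logins acted on."""
    to_delete, reason = select_for_deletion(accounts, num_days, now, filter_all)
    if reason:
        print("Aborting run:", reason)
        return []
    for a in to_delete:
        if not test and delete is not None:
            delete(a.login)  # real deletion is the caller's responsibility
        print(("Would remove" if test else "Removed") + " user account: " + a.login)
    return [a.login for a in to_delete]


# Constructed sample data: four locked accounts as a cleanup run might see them.
NOW = datetime(2012, 1, 8, tzinfo=timezone.utc)
SAMPLE = [
    LockedAccount("alice", AGENT_LOCK_REASON, NOW - timedelta(days=200)),
    LockedAccount("bob", AGENT_LOCK_REASON, NOW - timedelta(days=30)),
    LockedAccount("carol", "Locked by helpdesk pending investigation", NOW - timedelta(days=400)),
    LockedAccount("dave", AGENT_LOCK_REASON, NOW - timedelta(days=10)),
]
# Constructed failure case: a bad sync locked every account 200 days ago.
MASS_LOCK = [LockedAccount(n, AGENT_LOCK_REASON, NOW - timedelta(days=200)) for n in "abcd"]

if __name__ == "__main__":
    run(SAMPLE, 180, NOW, test=True)              # only alice is old enough and agent-locked
    run(SAMPLE, 180, NOW, filter_all=True, test=True)  # alice and carol
    run(MASS_LOCK, 180, NOW)                      # refused by the cap
```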

  • How to delete disabled users in SCCM 2012

    Currently we disable user accounts in AD and then move them to a different OU where they stay for 6 - 12 months.
    How can I identify those disabled user accounts and delete them from the SCCM console?
    Thank you

    Thanks for the response, but there wasn't a process in place, so I was tasked with a one-time cleanup and we don't have Orchestrator in place.
    I ended up doing the following:
    1. Use a PowerShell script to output all disabled user IDs
    Get-ADUser -Filter 'Enabled -eq $false' | Select-Object samaccountname
    2. Set up a Query on a collection to gather all these user IDs
    select * from SMS_R_User where SMS_R_User.UserName in ("User1", "user2")
    3. Delete the users in the collection

  • Auto Assign Organization - AD User Trusted Recon

    Hi,
    I am running an AD User trusted recon against a 2008 AD-DC.
    AD Lookup Organization recon doesn't work because of a bug in OIM 11.1.1.3.0.
    I need to logically group the users into organizations in OIM.
    For e.g., IF USER ATTRIBUTE IN AD Company = ABC, on recon the user should be created in OIM under Organization ABC
    IF USER ATTRIBUTE IN AD Company = XYZ, on recon the user should be created in OIM under Organization XYZ
    I have the exhaustive list of organizations being created in OIM.
    Please let me know.
    Thanks,
    KJJ1983
    Edited by: kjj1983 on Jan 8, 2012 2:16 AM

    Not sure what lookup recon bug you are talking about in OIM 11.1.1.3; if you say that organization lookup does not work in 11.1.1.3 then effectively AD Trusted recon would not work in 11.1.1.3.
    I can understand that since the pre-populate does not work, you cannot put any values in the user create HashMap. Thus if that is the case and you want the organization in OIM to be computed based on a user attribute in AD, then you can probably use the transformation class to calculate the same.
    Doc: http://docs.oracle.com/cd/E11223_01/doc.910/e11197/extnd_func.htm#BGBBBCGE
    -Bikash

  • Can I do DBUM trusted recon without mapping User Login

    Hi All,
    Is it possible to do DBUM trusted recon without mapping the User Login field? As it is going to be created automatically using a post process event handler.
    I am able to recon when I map userlogin, otherwise not. But my need is that userlogin should be created automatically. How can I achieve this?
    Any suggestions?
    Regards,
    user7609

    This approach will work fine with first-time recon (new user creation) and you don't need to do anything extra.
    But the problem will occur in case of update (next-time recon of the same user). As the userlogin is mapped with the target source and you have changed it using the post process event handler, it will consider the same record as updatable and will again try to update the existing user login. Yes, you can call your event handler on update as well, so that it will update again to the previous value. This will be the worst approach, because it will process the same record always.
    Again I suggest you: better go for transformation, which will serve your purpose. In this case you do not need to map user login from the trusted source. The transformation class will generate the user login on pre-insert.

  • Avoid certain ou containers during AD User Trusted recon

    All,
    Is there any way to not synchronize users from certain containers (such as cn=users on the AD side) during AD User Trusted Recon?
    thanks in advance.
    Prasad.

    Yes, why not try the below:
    1. update "search base" in the trusted recon scheduled task to a particular OU or any individual container
    2. there is a search filter attribute in the scheduled task where you can put an expression
    regards,
    nayan

  • There is an administrator already set on my Macbook. Do I delete him and set myself as admin or set myself as a user? There is no password set now.

    There is an administrator already on my Macbook with no password set. Do I delete him or create myself as a user?

    Who is the administrator?
    If it is root or wheel DO NOT TOUCH, as that is your system.
    Or did you buy this computer 2nd hand?
