so u mean it's either local users are created before AD is added into the system OR that could be a mistake in the AD side or the AD configuration with what field in AD CUCM will use for the user id.

Right ?

The local users were probably already in CUCM before you added the AD integration.

The reason for the AD user id being the extension is either the CUCM--AD mapping is incorrect, AD is incorrect, or CUCM defaulted to extension since there is already a user (local) with the same user id.

Please rate useful posts and marks answers as correct if applicable.

ok, I see what r u saying. so when you add user in AD  it will not create that local user, right?

so either they were created earlier or somebody still adding local users together with AD , which is non-sense .... 

You got it. The local users were added by a human somehow, someway, sometime past or present.

Please rate useful posts and marks answers as correct if applicable.

I see now why we have duplicate endusers, in order to user will be able to login with Extesnion mobility by using their phone number. AD  import will bring usernames and password not phone number, so who did installation here they created second user acccounts with ext# as userid.  

I am curious what if I change LDAP Attribute for User ID to 'telephone number from "samaccountname"   and then I should be able delete duplicate endusers  and users should be able to login as before with ext and pin code , right? 

Do you want the user id to be the ext? If you do but only because it will be easier to type in instead of say first.last then I would look into an application called EM-SSO by VoIP Integration. Its a third party app that integrates with your AD environment and CUCM and will automatically log a user into a phone when they log into the computer.

Please rate useful posts and marks answers as correct if applicable.