Will LDAP sync delete locally created users in CUCM?

Chad Dunn

I cannot seem to find a straight answer on this subject. The documentation does not clearly spell it out or I'm missing it.


Synchronization Mechanism

The synchronization agreement specifies a time for synchronizing to begin and a period for re-synchronizing that can be specified in hours, days, weeks, or months (with a minimum value of 6 hours). A synchronization agreement can also be set up to run only once at a specific time.

When synchronization is enabled for the first time on a Unified CM publisher server, user accounts that exist in the corporate directory are imported into the Unified CM database. Then either existing Unified CM end-user accounts are activated and data is updated, or a new end-user account is created according to the following process:

1. If end-user accounts already exist in the Unified CM database and a synchronization agreement is configured, all pre-existing accounts that have been synchronized from LDAP previously are marked inactive in Unified CM. The configuration of the synchronization agreement specifies a mapping of an LDAP database attribute to the Unified CM UserID. During the synchronization, accounts from the LDAP database that match an existing Unified CM account cause that Unified CM account to be marked active again.

2. After the synchronization is completed, any LDAP synchronized accounts that were not set to active are permanently deleted from Unified CM when the garbage collection process runs. Garbage collection is a process that runs automatically at the fixed time of 3:15 AM, and it is not configurable.

3. Subsequently when changes are made in the corporate directory, the synchronization from Microsoft Active Directory occurs as a full re-synchronization at the next scheduled synchronization period. On the other hand, the Sun ONE directory products perform an incremental synchronization triggered by a change in the directory. The following sections present examples of each of these two scenarios.

4 Replies

Roger Kallberg
VIP Expert

Any locally created user(s) will, at the next sync, be converted to an LDAP-synced user if the account information is a match. As such, it would be removed from CUCM if it is deleted from the directory. A local user that doesn't meet this would not be removed. Although your question is somewhat backwards, as the user information has to be a match for the directory information to overwrite the local information; if there is no match, it's never even an issue from the start.


So, just to be clear: these users, which have been created locally and are simply end users, will not be deleted from the CallManager if I do an LDAP sync with AD, even though these users are not AD users?



As long as the user account information is not the same as for a user in AD nothing will happen with the local users.


Jaime Valencia
Hall of Fame Cisco Employee

Any current release can have BOTH, LDAP and local users at the same time, only older releases were limited to ALL LDAP or ALL local.

Any local user that matches the userID field when LDAP is configured, will turn into an LDAP active user.

If there is no match in LDAP, it will remain a local user.


Enabling LDAP sync DOES NOT delete any user.



if this helps, please rate
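The following is an added example (not Cisco code and not from any poster in this thread) that models the synchronization and garbage-collection cycle described in the quoted documentation, and checks the claims made in the replies: a local user whose UserID matches the mapped LDAP attribute is converted to an LDAP-synced user, a local user with no match is left alone, and only LDAP-synced accounts that stay inactive after a sync are deleted. The user records, the AD entries, the use of `sAMAccountName` as the attribute mapped to UserID, and the function names are all constructed for illustration.

```python
"""Model of a CUCM full LDAP synchronization followed by garbage collection.

Constructed example: the data model and functions here are assumptions made
to illustrate the documented process, not the real Unified CM implementation.
"""
from dataclasses import dataclass


@dataclass
class EndUser:
    user_id: str
    ldap_synced: bool = False   # False means a locally created ("local") user
    active: bool = True
    first_name: str = ""
    last_name: str = ""
    mail: str = ""


def ldap_sync(db, ldap_entries, userid_attr="sAMAccountName"):
    """One full synchronization run against the end-user table `db`.

    db: dict mapping UserID -> EndUser (mutated in place).
    ldap_entries: list of dicts, one per directory object.
    userid_attr: the LDAP attribute the sync agreement maps to UserID
                 (assumed here to be sAMAccountName).
    """
    # Step 1: every account previously synchronized from LDAP is marked inactive.
    for user in db.values():
        if user.ldap_synced:
            user.active = False

    # Step 2: each directory entry either re-activates/overwrites a matching
    # account (local or LDAP-synced) or creates a new LDAP-synced account.
    for entry in ldap_entries:
        uid = entry[userid_attr]
        user = db.get(uid)
        if user is None:
            user = EndUser(user_id=uid)
            db[uid] = user
        # A matching local user is converted: from now on it is LDAP-synced
        # and its directory attributes overwrite the local values.
        user.ldap_synced = True
        user.active = True
        user.first_name = entry.get("givenName", "")
        user.last_name = entry.get("sn", "")
        user.mail = entry.get("mail", "")

    # Local users with no match are never touched by either step.
    return db


def garbage_collect(db):
    """Models the fixed 03:15 garbage-collection run: permanently deletes
    LDAP-synced accounts that were not re-activated by the last sync.
    Returns the list of deleted UserIDs (sorted for deterministic output)."""
    doomed = sorted(uid for uid, u in db.items() if u.ldap_synced and not u.active)
    for uid in doomed:
        del db[uid]
    return doomed


def run_scenario():
    """Two sync cycles over a constructed end-user table.

    Cycle 1: 'alice' (local) matches AD and is converted; 'svc-ivr' (local)
    has no match and is untouched; 'bob' (synced earlier, gone from AD) is
    garbage-collected; 'carol' is created from AD.
    Cycle 2: 'alice' is then removed from AD. Because she was converted in
    cycle 1 she is now deleted; 'svc-ivr' still survives.
    """
    db = {
        "alice": EndUser("alice", first_name="Alice"),   # local, matches AD
        "svc-ivr": EndUser("svc-ivr"),                   # local, no AD match
        "bob": EndUser("bob", ldap_synced=True),         # synced earlier, since removed from AD
    }
    ad_cycle1 = [   # constructed directory entries
        {"sAMAccountName": "alice", "givenName": "Alice", "sn": "Smith", "mail": "alice@example.com"},
        {"sAMAccountName": "carol", "givenName": "Carol", "sn": "Jones", "mail": "carol@example.com"},
    ]
    ldap_sync(db, ad_cycle1)
    deleted1 = garbage_collect(db)

    ad_cycle2 = [e for e in ad_cycle1 if e["sAMAccountName"] != "alice"]
    ldap_sync(db, ad_cycle2)
    deleted2 = garbage_collect(db)
    return db, deleted1, deleted2


if __name__ == "__main__":
    final_db, d1, d2 = run_scenario()
    print("deleted after cycle 1:", d1)
    print("deleted after cycle 2:", d2)
    for uid, u in sorted(final_db.items()):
        print(f"{uid}: ldap_synced={u.ldap_synced} active={u.active} mail={u.mail!r}")
```

The second cycle is the caveat from the first reply: enabling the sync deletes nothing, but a local account that happens to share a UserID with a directory entry stops being "local" at that moment, so a later deletion in AD will remove it from CUCM.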