
TMS Users AD sync

Michel Tosu
Level 1

Hi,

Recently a customer asked me about their AD sync in the TMS users (not TMSPE).

I hadn't really looked into it before and haven't been doing any fresh TMS deployments, so I thought the TMS users should sync as they do in TMSPE. I have now found out that it doesn't actually import users until they try to log in and that it doesn't delete users when they are deleted from the AD.

My customer is concerned about finding a lot of old users in the TMS who don't work for them anymore. His question was whether there is any way to do the cleanup more easily than cross-checking the TMS user list with their AD and deleting all users by hand.

I would be happy to tell him there is a way, but I can't think of any.
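
The manual cross-check described in the question can be scripted. This is an added example, not part of the original post and not Cisco tooling; it also flags accounts that still exist in AD but are disabled, which goes slightly beyond the question. Assumptions: the TMS usernames have been collected into a list in `domain\username` form, AD accounts are supplied as objects with `SamAccountName` and `Enabled`, and the function name `Find-StaleTmsUser`, the `EXAMPLE` domain and all sample data are constructed.

```powershell
# Added example: flag TMS user entries that no longer map to an enabled AD account.
# Assumption: in production $AdAccount would come from the ActiveDirectory module, e.g.
#   Get-ADUser -Filter * | Select-Object SamAccountName, Enabled
# How the TMS user list is exported is left to the operator (not shown on the page).

function Find-StaleTmsUser {
    param(
        [string[]]$TmsUser,    # usernames as shown in the TMS user list
        [object[]]$AdAccount,  # objects with SamAccountName and Enabled
        [string]$Domain        # NetBIOS domain name the TMS entries should carry
    )

    # Index AD accounts by lower-cased sAMAccountName for case-insensitive lookup.
    $index = @{}
    foreach ($a in $AdAccount) { $index[$a.SamAccountName.ToLowerInvariant()] = $a }

    foreach ($entry in $TmsUser) {
        $parts = $entry.Trim() -split '\\', 2
        if ($parts.Count -ne 2 -or $parts[0] -ine $Domain) {
            # Local or foreign-domain entry: this AD cannot vouch for it, review by hand.
            [pscustomobject]@{ TmsUser = $entry; Status = 'NotInThisDomain' }
            continue
        }
        $sam = $parts[1].ToLowerInvariant()
        if (-not $index.ContainsKey($sam)) {
            [pscustomobject]@{ TmsUser = $entry; Status = 'MissingInAD' }
        } elseif (-not $index[$sam].Enabled) {
            [pscustomobject]@{ TmsUser = $entry; Status = 'DisabledInAD' }
        }
        # Entries backed by an enabled AD account produce no output.
    }
}

# Constructed sample data (not from the thread).
$tms = 'EXAMPLE\alice', 'example\Bob', 'EXAMPLE\carol', 'EXAMPLE\dave', 'admin'
$ad  = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true  }
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true  }
    [pscustomobject]@{ SamAccountName = 'dave';  Enabled = $false }
)

# Reports carol as MissingInAD, dave as DisabledInAD and admin as NotInThisDomain.
Find-StaleTmsUser -TmsUser $tms -AdAccount $ad -Domain 'EXAMPLE' | Format-Table -AutoSize
```

The output is a review list only; deletion in TMS stays a deliberate manual step.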


Michel Tosu
Level 1

That is very clever, I think I absolutely will use that function as a workaround!

I have never used the group import before and I just want to know if it's possible to revert the setting.

If I turn the setting off again after I have imported the groups, would the TMS remove the groups it has imported?

I know that there is no security risk with the accounts being there, since no one can use them to log in because they're not in the AD, but my customer is of the kind that is really "difficult to handle", if you catch my drift.

Hi

TMS does not remove the groups you have already added, but it will prevent you from updating the groups from AD and adding new ones. But new users who log in and are part of an AD group already added will still become members of this group after you set "Allow AD Groups: No".

I have tested this and the behavior is like I explained.

Hi Magnus,

I was reading TMS help pages and I have found the following statement:

[Screenshot: tms reomve users from ad.png]

As you marked my answer as Cisco endorsed, I suppose it is correct. So I think that the documentation is wrong or there is some kind of limitation in TMS.

The above statement can be found in TMS help pages in the version 13.1.2 and 14.2.2.

Can you confirm if it is a bug or a documentation error?

Regards

Paulo Souza

Please rate replies and mark question as "answered" if applicable.


Magnus Ohm
Cisco Employee

Hi Paulo. It is correct that TMS should remove the AD users that are deleted in AD upon synch. I must have misread your answer at the start there, since all the rest is correct and is a good answer. So no, it is not a documentation bug. One thing is that he can have set the synch schedule to never but still log in with AD users. In this case the users do not disappear.

Sorry for the confusion.

/Magnus


Okay, so if that piece of information is correct, my TMS is not working as it should.

I mean, I synched the users several times.

I just logged in to the server and clicked on one of the users that are not in the AD and noticed that I couldn't click "update from ad" on that user. The username is domain\username, so it's originally from the AD, so it seems like the TMS is aware of the user not being in the AD anymore and is still not deleting him.

Hi Michel

What version of TMS are you running? Can you see the "update from AD" button on the other users that are in AD?

If you go to the activity status after you did a "Synchronize all users" does the event succeed?

Is the customer operating with multiple domains? By that I mean: is the customer logging into TMS with users from domain1\username and domain2\username?

/Magnus

Hi Magnus,

Yes, I can see the button on other users and I also have the button to synchronise when I'm browsing the user list. Yes, the event is successful when I choose to press the button to synchronise all users. It's also successful when I just synchronise one user. The customer is not operating with multiple domains.

What is the version of the client's TMS?

/Magnus

Sorry, it's running 13.2.2

There is an AD lookup bug on TMS 13.2.2 which was fixed in TMS 14.1.

CSCud10033 - AD lookup broken if GC server or AD forest DNS name setting is empty

TMS basically fails to look up existing users if that field is empty, but in your case it is not? As your TMS is actually looking up the other users?

/Magnus

It's filled in with what I believe is correct, but I'm not really sure. The entry is the DNS A-record name for the AD server.

At least I know that I could log in with a user not existing in the TMS yesterday with these settings.

I actually had the TMS on version 14.2.2 for a week and it didn't help. Yesterday I had to roll back to 13.2.2 since the customer wanted the old Scheduler back, so I have been able to try these settings on 14.2.2 as well and there was no difference.

Hi Michel

Something is not working correctly then, and the next step would be to gather more information, logs etc. I recommend that you open a TAC case from here to get an engineer to look closer at the issue. When you have the root cause it would be nice if you could share it with us.

/Magnus

Hi Magnus,

Is it possible to remove "Cisco endorsed" from my answer? My answer is not correct, so I kindly ask you to remove it if you can.  =(

I will also delete the answer after you remove it, just to avoid other users misunderstanding the TMS auto sync functionality. =)

Regards

Paulo Souza


Not possible