While setting up a Roles and Accounts AD Import rule to bring in users from 12 global security groups that need access to the SMP, you notice that those users are intermittently missing from Settings > Security > Account Management > Roles > Members tab.
These are neither nested security groups nor cross-domain imports. The import rule runs every hour, because the users must be imported before they can be granted the Console permissions they need.
The NS logs show that the AD import is occurring:
Entry 1:
[2/3] Building preimport directory map from 12 discovered containers in 'example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
Entry 2:
Processed 12 previously known memberships, changes: joins=0, leaves=0, known=12, unchanged=12, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf
Entry 3:
Completed importing 0 resources from groups.
When the import was working correctly, the logs looked like this:
Entry 1:
[2/3] Building preimport directory map from 12 discovered containers in 'example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
Entry 2:
Processed 12 previously known memberships, changes: joins=0, leaves=0, known=12, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf
Entry 3-6:
Loaded roles and accounts: total=12 in 00:00:00.2499739, speed=48 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}
Loaded roles and accounts: total=100 in 00:00:00.6874274, speed=145 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}
Loaded roles and accounts: total=100 in 00:00:00.5624411, speed=177 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}
Loaded roles and accounts: total=3 in 00:00:00.0624929, speed=48 i/s, rule={D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF}
Entry 7:
Completed importing 215 resources from groups.
ITMS 7.x, 8.x
This issue was caused by a bad domain controller that was not replicating the correct AD group membership.
While reviewing the NS logs, we noticed the following:
1. The NS logs showed that members only "left" on runs that read from this domain controller (entries listed newest first):
4/8/2016 7:25:04 AM | RoleAccountMembership | AeXSVC.exe | 174 | Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf
4/8/2016 7:25:01 AM | RolesAndAccounts | AeXSVC.exe | 174 | [2/3] Building preimport directory map from 12 discovered containers in 'example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
4/8/2016 7:25:01 AM | LDAPExporter::GetDirectoryDataFromGroups | AeXSVC.exe | 174 | Importing directory group members from server: 'example-DC01.example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
2. None of the imports that read from example-DC02 removed members.
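The correlation described in the two points above, as an added example that is not part of the original article: a Python script that reads constructed NS log lines in the same pipe-separated layout, remembers which domain controller each rule run read from, charges the following membership-change line to that DC, and flags runs where most of the known members leave at once. The one-entry-per-line layout, the sample counts and the 50% threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the "date | source | process | thread | message" layout of the excerpt above,
# one entry per line and newest first, as the log viewer lists them. Counts are illustrative only.
SAMPLE_LOG = """\
4/8/2016 8:25:04 AM | RoleAccountMembership | AeXSVC.exe | 174 | Processed 219 previously known memberships, changes: joins=0, leaves=0, known=219, unchanged=219, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf
4/8/2016 8:25:01 AM | LDAPExporter::GetDirectoryDataFromGroups | AeXSVC.exe | 174 | Importing directory group members from server: 'example-DC02.example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
4/8/2016 7:25:04 AM | RoleAccountMembership | AeXSVC.exe | 174 | Processed 219 previously known memberships, changes: joins=0, leaves=207, known=219, unchanged=0, rule=d749ca3e-ef02-43e5-b55e-ef0bb8bf8adf
4/8/2016 7:25:01 AM | LDAPExporter::GetDirectoryDataFromGroups | AeXSVC.exe | 174 | Importing directory group members from server: 'example-DC01.example.com' (rule: {D749CA3E-EF02-43E5-B55E-EF0BB8BF8ADF})
"""

SERVER_RE = re.compile(r"Importing directory group members from server: '([^']+)' \(rule: \{([0-9A-Fa-f-]+)\}\)")
PROCESSED_RE = re.compile(r"changes: joins=(\d+), leaves=(\d+), known=(\d+), unchanged=\d+, rule=([0-9a-f-]+)")


def parse_entries(log_text):
    """Return (timestamp, message) pairs oldest first, so a run's server line precedes its result."""
    entries = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|", 4)]
        if len(fields) < 5:
            continue  # not a log entry line
        entries.append((datetime.strptime(fields[0], "%m/%d/%Y %I:%M:%S %p"), fields[4]))
    entries.sort(key=lambda e: e[0])
    return entries


def attribute_leaves(log_text, max_leave_ratio=0.5):
    """Charge each 'Processed ... memberships' line to the DC its rule run read from, and flag
    runs where more than max_leave_ratio of the known members leave at once (stale DC symptom)."""
    current_server = {}  # rule GUID (lower-case) -> DC used by the run in progress
    stats = defaultdict(lambda: {"runs": 0, "leaves": 0})
    flagged = []
    for ts, message in parse_entries(log_text):
        m = SERVER_RE.search(message)
        if m:
            current_server[m.group(2).lower()] = m.group(1)
            continue
        m = PROCESSED_RE.search(message)
        if not m:
            continue
        leaves, known, rule = int(m.group(2)), int(m.group(3)), m.group(4)
        server = current_server.get(rule, "unknown")
        stats[server]["runs"] += 1
        stats[server]["leaves"] += leaves
        if known and leaves / known > max_leave_ratio:
            flagged.append({"time": ts.isoformat(), "server": server, "leaves": leaves, "known": known})
    return dict(stats), flagged
```

Running this over a longer export of the RoleAccountMembership and LDAPExporter lines gives a per-DC count of mass "leaves", which points at the controller to take out of the rule.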
To fix this issue, the following was suggested:
1. Change the AD Import Rule so that it imports from a specific domain controller by name rather than from the domain name.
After that change, the AD import was consistent and no users were unexpectedly lost after imports.
Note:
If the above does not work, try unchecking the "Use Global Catalog for cross-domain searches" option on the Roles and Accounts AD Import Rule and run the rule once more.