How AD Sync Works in Decisions?

Comments

  • Hi,

    I have a couple of questions related to AD Sync in Decisions. Can you provide answers to the questions below?

    Thanks

    1. Which email attribute on AD account are we using to set the local Decisions Acct email?

    2. Are we doing a compare when syncing an existing account from AD or just updating everything on the local account object?

    3. Do we have logic in place to remove Domain and prefix from the user identifier when syncing accts from AD?

    4. What AD attribute is the user_identifier comparing to when sync is running?

    5. What do we do to user identifier of local account when a name change occurs that modifies the user identifier field in the AD server?

  • Hi,

    Please find answers to your AD sync related questions below.

    Regards,

    1. Which email attribute on AD account are we using to set the local Decisions Acct email?

      • If the AD account doesn't have an email address we use the following format "SamAccountName@DefaultEmailDomain". If the AD account has an email address, we use it directly.
    2. Are we doing a compare when syncing an existing account from AD or just updating everything on the local account object?

      • If the account is already in Decisions, we compare the last USN field of the Decisions accounts with the last USN field of the AD account. If they're not equal, we update the account. If the account was deleted in Decisions, we restore it. We then update the following fields (schema values represented in () and N/A means it's not a field that maps to the schema):

        • Email Address - Same rules above apply (mail)
        • Last USN = USN Changed (USNChanged)
        • Distinguished Name = Distinguished Name (distinguishedName)
        • Entity Folder ID = Server Folder ID (N/A)
        • Entity Name = SAM Account Name (sAMAccountName)
        • Is Active = Is Active (N/A)
    3. Do we have logic in place to remove Domain and prefix from the user identifier when syncing accts from AD?

      • We create the user as follows "ServerLoginPrefix SAM Account Name" - there is no space or chars between the two - / was originally there but it was removed.
    4. What AD attribute is the user_identifier comparing to when sync is running?

      • We search the Decisions DB for that identifier in the format described above.
    5. What do we do to user identifier of local account when a name change occurs that modifies the user identifier field in the AD server?

      • This would be considered a new account.
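
The sync rules from the answer above, modelled as an added Python example (not Decisions' own code, and not part of the original posts). The `LocalAccount` class, the `sync_entry` and `derive_email` functions, the `CORP` prefix and the sample entries are all hypothetical, and the code assumes that restore and field refresh both happen only when the USN values differ.

```python
from dataclasses import dataclass

@dataclass
class LocalAccount:  # hypothetical stand-in for a Decisions account record
    user_identifier: str
    email: str
    last_usn: int
    distinguished_name: str
    entity_name: str
    deleted: bool = False

def derive_email(entry, default_domain):
    # Answer 1: use the AD mail value if present, else SamAccountName@DefaultEmailDomain.
    return entry.get("mail") or f'{entry["sAMAccountName"]}@{default_domain}'

def sync_entry(entry, accounts, login_prefix, default_domain):
    """Apply one AD entry to accounts (dict keyed by user identifier); return the action."""
    # Answers 3 and 4: lookup key is ServerLoginPrefix + sAMAccountName, no separator.
    ident = login_prefix + entry["sAMAccountName"]
    usn = int(entry["USNChanged"])
    acct = accounts.get(ident)
    if acct is None:
        # Answer 5: a changed sAMAccountName gives an unknown identifier, so a new account.
        accounts[ident] = LocalAccount(ident, derive_email(entry, default_domain), usn,
                                       entry["distinguishedName"], entry["sAMAccountName"])
        return "created"
    if acct.last_usn == usn:
        return "unchanged"  # Answer 2: equal USN means nothing to update
    # Assumed reading of answer 2: restore and field refresh both sit on the update path.
    action = "restored" if acct.deleted else "updated"
    acct.deleted = False
    acct.email = derive_email(entry, default_domain)
    acct.last_usn = usn
    acct.distinguished_name = entry["distinguishedName"]
    acct.entity_name = entry["sAMAccountName"]
    return action

def demo():
    # Constructed sample data: prefix, domain and entries are made up.
    accounts = {}
    e = {"sAMAccountName": "jdoe", "USNChanged": "100",
         "distinguishedName": "CN=Jane Doe,OU=Staff,DC=corp,DC=example"}
    actions = [sync_entry(e, accounts, "CORP", "example.com")]
    actions.append(sync_entry(e, accounts, "CORP", "example.com"))
    e2 = dict(e, USNChanged="101", mail="jane.doe@example.com")
    actions.append(sync_entry(e2, accounts, "CORP", "example.com"))
    renamed = dict(e2, sAMAccountName="jsmith", USNChanged="102")
    actions.append(sync_entry(renamed, accounts, "CORP", "example.com"))
    return actions, accounts
```

In this model the record under the old identifier is left as it was after a rename, because the thread does not say what happens to it.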