LDAP Sync with Active Directory

Document ID : KB000110279
Last Modified Date : 10/08/2018
Question:
We have an issue adding new users from Active Directory (referred to here as AD) into CA PPM using the "LDAP - Synchronize New and Changed Users" job.
When this user already exists in AD and is added in a later stage to the PPM User group in AD, this user is not selected by the job and is not created in CA PPM.
What can be the reason?
Answer:
On executing the "LDAP - Synchronize New and Changed Users" job, new and changed users are searched for according to the LDAP parameters defined in CSA - Security.
The user will be picked up by the job based on the "WhenChanged" value (set in the "Modify Time Stamp" parameter in CSA - Security) of the user in AD.
When the  user's "WhenChanged" date is earlier than the job's last synchronization date, the user will be considered as new or changed.

However, when a user already exists in AD and is added at a later stage to the AD PPM User Group, the "WhenChanged" attribute of the user does not change; only the "WhenChanged" attribute of the group changes.
This is working as designed in AD.

This means that when executing the "LDAP - Synchronize New and Changed Users" job, the user is not recognized as a new or changed user and is not inserted in CA PPM.

A workaround could be to additionally change another user attribute, for example the password, so that the user's "WhenChanged" date will be updated and the user will be inserted correctly by the job in CA PPM.
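As an added illustration (not part of this KB article and not CA PPM's own code), the following Python models the behaviour described above on constructed directory entries: the assumed job filter selects PPM group members whose whenChanged is newer than the last run, an audit function lists group members the timestamp filter will never pick up, and touch_user models the workaround of writing another attribute. The group DN, user entries and timestamps are invented.

```python
from datetime import datetime, timezone

PPM_GROUP = "CN=PPM Users,OU=Groups,DC=example,DC=com"  # assumed group DN

# Constructed sample AD entries (not real directory data). "bob" was created
# long ago and only recently added to the group, so his whenChanged is stale.
AD_USERS = {
    "alice": {"whenChanged": "20180901120000.0Z", "memberOf": [PPM_GROUP]},
    "bob":   {"whenChanged": "20180701090000.0Z", "memberOf": [PPM_GROUP]},
    "carol": {"whenChanged": "20181001080000.0Z", "memberOf": []},
}

def parse_generalized_time(value):
    """Parse an AD GeneralizedTime string such as 20180901120000.0Z into UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def select_new_or_changed(users, group_dn, last_sync):
    """Assumed model of the job's selection: group members whose whenChanged
    is newer than the last synchronization time (a GeneralizedTime string)."""
    cutoff = parse_generalized_time(last_sync)
    return sorted(
        name for name, attrs in users.items()
        if group_dn in attrs["memberOf"]
        and parse_generalized_time(attrs["whenChanged"]) > cutoff
    )

def find_missed_members(users, group_dn, last_sync, already_in_ppm):
    """Audit check: group members not yet in PPM whose whenChanged is not
    newer than the last run, so the timestamp filter will never select them."""
    cutoff = parse_generalized_time(last_sync)
    return sorted(
        name for name, attrs in users.items()
        if group_dn in attrs["memberOf"]
        and name not in already_in_ppm
        and parse_generalized_time(attrs["whenChanged"]) <= cutoff
    )

def touch_user(users, name, when):
    """Model the workaround: any attribute write on the user object updates
    whenChanged, so the next run selects the user."""
    parse_generalized_time(when)  # validate the timestamp format
    users[name]["whenChanged"] = when

if __name__ == "__main__":
    last_sync = "20180801000000.0Z"
    print(select_new_or_changed(AD_USERS, PPM_GROUP, last_sync))      # ['alice']
    print(find_missed_members(AD_USERS, PPM_GROUP, last_sync, set()))  # ['bob']
    touch_user(AD_USERS, "bob", "20181008000000.0Z")
    print(select_new_or_changed(AD_USERS, PPM_GROUP, last_sync))      # ['alice', 'bob']
```

Running find_missed_members after each job run against the actual group membership is a simple way to detect users the sync silently skipped.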