
Compliance Accelerator and AD Integration

Created: 21 Apr 2011 • Updated: 12 Oct 2012 | 5 comments
This issue has been solved. See solution.

All -

When our users leave the company, we put the users in AD into a "Disabled OU" and delete the account after 30 days of being in "Disabled OU". Unfortunately, when the AD synchronization occurs from CA, the "End Date" does not get populated nor does the user become "Inactive".

When I go to "Configuration/Directory Mapping", End Date is not mapping to any attribute in AD.

Can someone advise on what the "End Date" mapping has to be to AD from CA? Is this "Expiration date" in AD? We do not use any "End Date" in AD as we just "Disable" the user and delete in 30 days.

Thanks for any advice.

Upanesh

5 Comments

TonySterling

You should be able to choose what you map that to.

From the Admin guide:

You can also set up mappings for the following optional properties: Start Date, End Date, and Employee ID. The Employee ID property is mandatory if you want to import department and employee data by using XML files.

You must have the View System Configuration permission to view the existing mappings, and the Modify System Configuration permission to change them. By default, users with the role of Compliance System Admin have both permissions.

To view and modify an existing directory mapping

1    Click the Configuration tab in the Compliance Accelerator client, and then click the Directory Mappings tab.
2    In the left pane, click the employee property whose mapping you want to modify.
3    In the right pane, choose whether to synchronize the employee property with Active Directory, Domino directory, or both.
4    Type the names of the Active Directory and Domino directory attributes with which to synchronize the employee property.
5    If you want to synchronize with both Active Directory and Domino directory, nominate one of them as the preferred source.
6    Click Save.
7    Restart the Enterprise Vault Accelerator Manager service on the Compliance Accelerator server to put the new mapping or changed mapping into effect.

evinfo

Tony - thanks. Yep, I kind of know the above part but just don't know how to map the "End Date" (which attribute do others use from AD?). Another example is that I do not have "Start Date" and "EmployeeID" mapped either but CA defaults that - so that's strange...

evinfo

Has anyone used the "End Date" from AD to update CA? We disable the user and there is no "End Date" set in AD and therefore do not know which attribute from AD to use to update CA. We do not have "Expiration date" in AD as that is set to "Never Expire" by default.

Any help would be appreciated.

mashles

I think the best way to do it would be to have a separate VBScript that runs on a regular basis that sets the accountExpires attribute to the same as the whenChanged attribute for Disabled Users. Then sync the End Date to accountExpires.

Although I am not sure if CA understands the integer8 datetime format of accountExpires.
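
The integer8 format raised in the comment above, worked through as an added example (not code from the thread, its posters, or Symantec): accountExpires counts 100-nanosecond intervals since 1601-01-01 UTC, and both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires". The record layout, function names and sample users are assumptions constructed for illustration, and the sketch only plans the values a scheduled job would write; it does not touch a directory.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # both values mean "never expires"
ACCOUNTDISABLE = 0x0002           # userAccountControl flag for a disabled account


def to_integer8(dt):
    """UTC datetime -> count of 100-nanosecond intervals since 1601-01-01."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_integer8(value):
    """Integer8 value -> UTC datetime, or None when the account never expires."""
    if value in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def parse_when_changed(text):
    """Parse the GeneralizedTime string LDAP returns for whenChanged."""
    return datetime.strptime(text, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def plan_expiry_updates(users):
    """Return {dn: new accountExpires} for disabled users with no expiry set."""
    updates = {}
    for user in users:
        disabled = int(user["userAccountControl"]) & ACCOUNTDISABLE
        if disabled and int(user["accountExpires"]) in NEVER:
            updates[user["dn"]] = to_integer8(parse_when_changed(user["whenChanged"]))
    return updates


# Constructed sample records (hypothetical, not from the thread), shaped like LDAP results.
SAMPLE_USERS = [
    {"dn": "CN=Leaver One,OU=Disabled OU,DC=example,DC=com",
     "userAccountControl": "514", "accountExpires": "9223372036854775807",
     "whenChanged": "20110421153000.0Z"},
    {"dn": "CN=Active User,OU=Staff,DC=example,DC=com",
     "userAccountControl": "512", "accountExpires": "0",
     "whenChanged": "20110401090000.0Z"},
    {"dn": "CN=Leaver Two,OU=Disabled OU,DC=example,DC=com",
     "userAccountControl": "514", "accountExpires": "129500000000000000",
     "whenChanged": "20110410120000.0Z"},
]

if __name__ == "__main__":
    for dn, value in plan_expiry_updates(SAMPLE_USERS).items():
        print(dn, value, from_integer8(value).isoformat())
```

Only the disabled account that still has "never expires" is selected; an account that already carries an expiry is left alone so a rerun does not overwrite it.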

Kenneth Adams

The EndDate is populated by CA when the user is removed from a Department. That occurs automatically, so don't be concerned about synchronizing it with AD.

As for the Monitored Employee still attempting to synchronize with AD, CA 8 and above has a configurable setting to automatically stop the synchronization attempts after 30 days by default. This configuration setting is in place so that any temporary issues with AD access are not cause for unintended synchronization removal. Once the synchronization option is unchecked, CA won't ever try to synchronize the account again unless someone goes in and enables the synchronization again.

Ken

Ken Adams

Backline Support for CA, DA, ACE, UCE, PSTD, ARMS, EVDC
US Support Region

SOLUTION