In the logs, there should be informational messages while the users are being pulled.  10 minutes later has to be a schedule of some kind, and I can't think of any, but there must be something.  I've seen something "like" this in the past, but can't place it.

Oh, and is there any possibility these are being merged with something else?  Merge acts JUST like this.

There was nothing in the Altiris Log Viewer during either the import or the steady deletion.

Nothing in the Windows event viewer either.

Are there other logs I can check?

I ran some tests and it looks like the resources start deleting like clockwork whenever the NS.Half-Hour.{97829b6d-9541-42a3-9415-51e3234ae8a2} scheduled task runs. It only seems to run for a few seconds, and then the table starts to slowly clear. Here's the SQL for that GUID:

	USE Symantec_CMDB


 
SELECT * FROM vItem 
 
WHERE guid = '97829b6d-9541-42a3-9415-51e3234ae8a2'
 
OUTPUT:
Guid
97829B6D-9541-42A3-9415-51E3234AE8A2
 
ClassGuid
79181A10-E30E-4823-BC52-2AC63B918AAA
 
Name
Half-Hour
 
Description
Notification Server Half-Hour Schedule 
 
OwnerNSGuid
DB125445-6A0B-4C7F-BED5-4A92E5DCC5AA
 
ProductGuid
D0E33520-C160-11D2-8612-00104B74A9DF
 
SecurityGuid
97829B6D-9541-42A3-9415-51E3234AE8A2
 
Attributes
16
 
CreatedBy
[DOMAIN]\OUR_SERVICE_ACCOUNT
 
ModifiedBy
[DOMAIN]\OUR_SERVICE_ACCOUT
 
CreatedDate
2010-03-23 09:27:13.547 
 
ModifiedDate
2010-10-05 12:34:34.687
 
State
<item>    <scheduling>      <enabled>True</enabled><schedule tz="Local" start="2005-01-01 02:20:00 "><trigger type="Daily" exact="True" at="02:20:00 " duration="1.00:00:00" repetition="00:30:00" frequency="1" /></schedule><sharedSchedule>{00000000-0000-0000-0000-000000000000}</sharedSchedule></scheduling>  </item>

we need to find what's removing them, not disable the schedule.

Are you sure there's no other account that's like these and these aren't simply being merged?

There is nothing in there to merge with.

Unless there are some other tables I need to be looking at?

The Inv_Global_Windows_Users and Inv_Global_User_General_Details tables that make up vUser are both completely empty before I run the import.

The 'Resource Discovery Update' under Settings -> Arellia -> Infrastructure -> Resource Discovery -> Server Discoverers seems to be what is deleting our imported users.

The task has a shared schedule (Half-Hour). Disabling the task leaves our users existing in the database. Running the task manually deletes them from the database.

According to their wiki, the Resource Discovery Update is 'the schedule for retrieving all digital certificates from all applications returned by the File Inventory Agents and thus discovering applications'.

Not really sure what this has to do with our imported users.

Attached are the logs for that time. Seems to be going around reclaiming licences for PRODUCTION\[GUID] where the GUID matches the GUID assigned to the user in the vUser view. Such as:

  Reclaimed license for resource '5bcd4ac4-f0ec-483d-8023-5d00284dc20a' for policy '3cd7c063-5322-49cb-bb01-fad3f223487d' 

 The resource is one of the test users imported, and the policy is Dell Client Manager. Other policies include Dell Patch Management, eiPower Saver, Barcode Solution ect.

I've logged a ticket with their support team.

it's because when my user is imported, no resource key is created.

When I export my user from NS it looks like this:

But I don't know the import well enough to know.  The Lookup key is really important for what we do - I just assumed it was created by default.  Sorry - I'm not the genius with that.

Anyone else?

They have replicated our issue and now understand and accept the problem.

It's getting escalated, so hopefully I should have something to post back soon.

Symantec and Arellia are now discussing this between themselves.

Hi Rhys and Petr,

We are facing the same issue with SMP 7.1 SP2 + RU4 and Arellia Local Security 7.1 SP3.  We are importing users from an external system via Connector rules.  What (if any) resolution did you find for this issue?  We are trying disabling the "User Server Resource Discoverer" task to see if that is the fix, but not sure what the end-effect of this will be.  All we need the Arellia components for are managing the local Administrator password (and potentially some minor user provisioning).  Any tips on other Arellia-related processes we could disable would be great too, since we don't want to gather a bunch of data we don't need or want.

Any input appreciated, and I am contacting Arellia support as well.

Creation of User Resources via CMDB Import presents a few issues.  The primary one being that any Resources are created without the necessary ResourceKeys, which will probably result in duplicate User Resources.

Taken from:
http://portal.arellia.com/wiki/display/KB/Creation+of+User+Resources+via+CMDB+Import

Is creating User Resources without ResourceKeys bad?

The definite answer is Yes. This is the official word from the SMP Development team. Whilst Symantec Support may deny it, creation of User resources without the 'name.domain' Resource Key will most probably result in duplicate User Resources within the CMDB.

Whilst CMDB Import tasks do create 'name.domain' Resource Keys for Computer resources, it does not for User resources. The 'name.domain' Resource Key is a requirement for both Computer and User resources.

My newly created User Resources are being deleted!

Arellia's "User Server Resource Discoverer" discovers User resources which have no required ResourceKey and deletes them to ensure that no duplicates will be created in the CMDB.

To disable the automatic delete of User Resources without resource keys, in the configuration tree:
/Settings/Arellia/Infrastructure/Resource Discovery/Server Discoverers

Disable the "User Server Resource Discoverer"

I cannot rely on my Active Directory for importing Users and need to import using the CMDB Import functionality

Whilst this problem has been acknowledged by Symantec development there is still no current fix to the issue.

There are ways to get around the issue however if the CMDB import populates the "Global Windows User" dataclass with the domain name and user id of the user being imported.

Arellia suggests that the following three sql scripts will assist with the User Resource import without Resource Keys being populated, and should check with your Symantec Support Representative before testing or applying any changes.

select * from Inv_Global_Windows_Users GWU
WHERE EXISTS
	(select 1 from ResourceKey RK where RK.KeyName = 'name.domain' and RK.KeyValue= (upper(GWU.UserId) + '.' + upper(GWU.Domain))
	and RK.ResourceGuid != GWU._ResourceGuid)

select * from Inv_Global_Windows_Users GWU
WHERE NOT EXISTS
	(select 1 from ResourceKey RK where RK.KeyName = 'name.domain' and RK.KeyValue= (upper(GWU.UserId) + '.' + upper(GWU.Domain)))
	AND UserId IS NOT NULL

select GWU._ResourceGuid, 'name.domain', upper(GWU.UserId) + '.' + upper(GWU.Domain) AS KeyValue, RK.KeyValue as CurrentKeyValue 
from Inv_Global_Windows_Users GWU 
INNER JOIN ResourceKey RK ON RK.ResourceGuid = GWU._ResourceGuid AND RK.KeyName = 'name.domain'
WHERE
	RK.KeyValue <> (upper(GWU.UserId) + '.' + upper(GWU.Domain))

INSERT INTO ResourceKey(ResourceGuid, KeyName, KeyValue)
select GWU._ResourceGuid, 'name.domain', upper(GWU.UserId) + '.' + upper(GWU.Domain)) from Inv_Global_Windows_Users GWU
WHERE NOT EXISTS
	(select 1 from ResourceKey RK where RK.KeyName = 'name.domain' and RK.KeyValue= (upper(GWU.UserId) + '.' + upper(GWU.Domain)))
	AND UserId IS NOT NULL

UPDATE ResourceKey SET KeyValue = upper(GWU.UserId) + '.' + upper(GWU.Domain)
from Inv_Global_Windows_Users GWU 
WHERE
	GWU._ResourceGuid = ResourceKey.ResourceGuid  AND 
	KeyName = 'name.domain'	AND 
	KeyValue <> (upper(GWU.UserId) + '.' + upper(GWU.Domain)) 
	AND NOT EXISTS (SELECT 1 FROM ResourceKey RKC WHERE RKC.ResourceGuid = ResourceKey.ResourceGuid AND KeyValue = upper(GWU.UserId) + '.' + upper(GWU.Domain))