Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

NS7 Connector - User Import - Resources Imported Then Deleted!

Created: 03 Nov 2010 • Updated: 13 Aug 2012 | 14 comments

Hey guys,

Have a strange one here.
 
We are using the Connector solution to import users into our NS7 database.
 
What is happening is sthat it successfully imports users into the database and then about 10 minutes later, it slowly removes each users until there are none left (from the imported source).
 
The exact same thing happens when you use either the LDAP or CSV data source. I have tried the others.
 
This happens whether or not 'Delete removed users' is ticked or not - though that shouldd't affect it.
 
Has anyone ever experienced such an issue? It's pretty damn annoying.
 
The important thing to note is that it appears fine at first. Then roughly 10 minutes later is starts clearing the table one by one (vUser - Inv_Global_Windows_Users, Inv_Global_User_General_Details)
 
Screenshots of successful import:
 
 
 
Edit: Attached a .CSV with test data in it to match the above data class mappings. 

Comments 14 CommentsJump to latest comment

Thomas Baird's picture

In the logs, there should be informational messages while the users are being pulled.  10 minutes later has to be a schedule of some kind, and I can't think of any, but there must be something.  I've seen something "like" this in the past, but can't place it.

Oh, and is there any possibility these are being merged with something else?  Merge acts JUST like this.

Thomas Baird
Enthusiast for making things better!

 

Rhys Paterson's picture

There was nothing in the Altiris Log Viewer during either the import or the steady deletion.

Nothing in the Windows event viewer either.

Are there other logs I can check?

I ran some tests and it looks like the resources start deleting like clockwork whenever the NS.Half-Hour.{97829b6d-9541-42a3-9415-51e3234ae8a2} scheduled task runs. It only seems to run for a few seconds, and then the table starts to slowly clear. Here's the SQL for that GUID:

USE Symantec_CMDB
 
SELECT * FROM vItem 
 
WHERE guid = '97829b6d-9541-42a3-9415-51e3234ae8a2'
 
OUTPUT:
Guid
97829B6D-9541-42A3-9415-51E3234AE8A2
 
ClassGuid
79181A10-E30E-4823-BC52-2AC63B918AAA
 
Name
Half-Hour
 
Description
Notification Server Half-Hour Schedule
 
OwnerNSGuid
DB125445-6A0B-4C7F-BED5-4A92E5DCC5AA
 
ProductGuid
D0E33520-C160-11D2-8612-00104B74A9DF
 
SecurityGuid
97829B6D-9541-42A3-9415-51E3234AE8A2
 
Attributes
16
 
CreatedBy
[DOMAIN]\OUR_SERVICE_ACCOUNT
 
ModifiedBy
[DOMAIN]\OUR_SERVICE_ACCOUT
 
CreatedDate
2010-03-23 09:27:13.547
 
ModifiedDate
2010-10-05 12:34:34.687
 
State
<item>    <scheduling>      <enabled>True</enabled><schedule tz="Local" start="2005-01-01 02:20:00 "><trigger type="Daily" exact="True" at="02:20:00 " duration="1.00:00:00" repetition="00:30:00" frequency="1" /></schedule><sharedSchedule>{00000000-0000-0000-0000-000000000000}</sharedSchedule></scheduling>  </item>
 
So, making progress, although I still don't know where to go from here.
 
What would be the implications of disabling this task?
Thomas Baird's picture

we need to find what's removing them, not disable the schedule.

Are you sure there's no other account that's like these and these aren't simply being merged?

Thomas Baird
Enthusiast for making things better!

 

Rhys Paterson's picture

There is nothing in there to merge with.

Unless there are some other tables I need to be looking at?

The Inv_Global_Windows_Users and Inv_Global_User_General_Details tables that make up vUser are both completely empty before I run the import.

Rhys Paterson's picture

The 'Resource Discovery Update' under Settings -> Arellia -> Infrastructure -> Resource Discovery -> Server Discoverers seems to be what is deleting our imported users.

The task has a shared schedule (Half-Hour). Disabling the task leaves our users existing in the database. Running the task manually deletes them from the database.

According to their wiki, the Resource Discovery Update is 'the schedule for retrieving all digital certificates from all applications returned by the File Inventory Agents and thus discovering applications'.

Not really sure what this has to do with our imported users.

Attached are the logs for that time. Seems to be going around reclaiming licences for PRODUCTION\[GUID] where the GUID matches the GUID assigned to the user in the vUser view. Such as:

  Reclaimed license for resource '5bcd4ac4-f0ec-483d-8023-5d00284dc20a' for policy '3cd7c063-5322-49cb-bb01-fad3f223487d' 

 The resource is one of the test users imported, and the policy is Dell Client Manager. Other policies include Dell Patch Management, eiPower Saver, Barcode Solution ect.

I've logged a ticket with their support team.

AttachmentSize
userDeletion.zip 1.41 KB
Rhys Paterson's picture

it's because when my user is imported, no resource key is created.

When I export my user from NS it looks like this:

<resource>
   <typeGuid>fd864f19-4437-4a4f-8709-58eb5e3ae0a4</typeGuid> 
   <managed>false</managed> 
</resource>
 
But it should look like this:
 
<resource>
    <typeGuid>fd864f19-4437-4a4f-8709-58eb5e3ae0a4</typeGuid> 
    <managed>false</managed> 
    <keys>
        <key name="name.domain" value="USER1.TEST" /> 
  </keys>
</resource>
 
Is this what the resource lookup key is for in the import/export settings? Or is that just a check. Am I missing a setting here?
 
Cheers,
Rhys
Thomas Baird's picture

But I don't know the import well enough to know.  The Lookup key is really important for what we do - I just assumed it was created by default.  Sorry - I'm not the genius with that.

Anyone else?

Thomas Baird
Enthusiast for making things better!

 

Rhys Paterson's picture

They have replicated our issue and now understand and accept the problem.

It's getting escalated, so hopefully I should have something to post back soon.

petr_sanda's picture

Rhys Paterson: Can you tell if the ticket is resolved by now ? I just noticed the problem and want to place a ticket as well. If you could place a ticket number, our support engineer could use that to speed up the investigation.

I needed to use the vUser view (or any such table with user information) for my Application meetering reports -> I needed to redesign them from CMS6 to CMS7.. 

When using Monitors (policies) the table Evt_Application_Start saves the record for run application by user but saves instead of username and domain only UserGuid, and without data in vUser, my reports will not work..

Thanks for any help!

Rhys Paterson's picture

No, it hasn't been resolved. I'm not sure of the support number I'm afraid, we've been dealing with their technical support in person.

They've not seen this before and I also have not had an update in quite some time. It's a really annoying problem (we basically can't link machines to users in a reliable manner). It also took a lot of explaing and convincing in person to show them this issue. The Arellia technical support were very helpful in showing us (and Symantec!!) the importance of this key.

I'll update this thread when/if I recieve some more information.

Cheers,

Rhys

KSchroeder's picture

Hi Rhys and Petr,

We are facing the same issue with SMP 7.1 SP2 + RU4 and Arellia Local Security 7.1 SP3.  We are importing users from an external system via Connector rules.  What (if any) resolution did you find for this issue?  We are trying disabling the "User Server Resource Discoverer" task to see if that is the fix, but not sure what the end-effect of this will be.  All we need the Arellia components for are managing the local Administrator password (and potentially some minor user provisioning).  Any tips on other Arellia-related processes we could disable would be great too, since we don't want to gather a bunch of data we don't need or want.

Any input appreciated, and I am contacting Arellia support as well.

Thanks,
Kyle
Symantec Trusted Advisor

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.

msainsbury's picture

Creation of User Resources via CMDB Import presents a few issues.  The primary one being that any Resources are created without the necessary ResourceKeys, which will probably result in duplicate User Resources.

Taken from:
http://portal.arellia.com/wiki/display/KB/Creation+of+User+Resources+via+CMDB+Import

Is creating User Resources without ResourceKeys bad?

The definite answer is Yes. This is the official word from the SMP Development team. Whilst Symantec Support may deny it, creation of User resources without the 'name.domain' Resource Key will most probably result in duplicate User Resources within the CMDB.

Whilst CMDB Import tasks do create 'name.domain' Resource Keys for Computer resources, it does not for User resources. The 'name.domain' Resource Key is a requirement for both Computer and User resources.

My newly created User Resources are being deleted!

Arellia's "User Server Resource Discoverer" discovers User resources which have no required ResourceKey and deletes them to ensure that no duplicates will be created in the CMDB.

To disable the automatic delete of User Resources without resource keys, in the configuration tree:
/Settings/Arellia/Infrastructure/Resource Discovery/Server Discoverers

Disable the "User Server Resource Discoverer"

I cannot rely on my Active Directory for importing Users and need to import using the CMDB Import functionality

Whilst this problem has been acknowledged by Symantec development there is still no current fix to the issue.

There are ways to get around the issue however if the CMDB import populates the "Global Windows User" dataclass with the domain name and user id of the user being imported.

Arellia suggests that the following three sql scripts will assist with the User Resource import without Resource Keys being populated, and should check with your Symantec Support Representative before testing or applying any changes.

Detect Imported Users that are a duplicate
select * from Inv_Global_Windows_Users GWU
WHERE EXISTS
	(select 1 from ResourceKey RK where RK.KeyName = 'name.domain' and RK.KeyValue= (upper(GWU.UserId) + '.' + upper(GWU.Domain))
	and RK.ResourceGuid != GWU._ResourceGuid)
Detects Users populated with domain details that should have a resource key populated
select * from Inv_Global_Windows_Users GWU
WHERE NOT EXISTS
	(select 1 from ResourceKey RK where RK.KeyName = 'name.domain' and RK.KeyValue= (upper(GWU.UserId) + '.' + upper(GWU.Domain)))
	AND UserId IS NOT NULL
Detects Users populated with domain details that have a Resource Key that does not match the correct calculated KeyValue
select GWU._ResourceGuid, 'name.domain', upper(GWU.UserId) + '.' + upper(GWU.Domain) AS KeyValue, RK.KeyValue as CurrentKeyValue 
from Inv_Global_Windows_Users GWU 
INNER JOIN ResourceKey RK ON RK.ResourceGuid = GWU._ResourceGuid AND RK.KeyName = 'name.domain'
WHERE
	RK.KeyValue <> (upper(GWU.UserId) + '.' + upper(GWU.Domain))
Inserts ResourceKeys for Users that have Domain details populated, but no corresponding resource Key exists
INSERT INTO ResourceKey(ResourceGuid, KeyName, KeyValue)
select GWU._ResourceGuid, 'name.domain', upper(GWU.UserId) + '.' + upper(GWU.Domain)) from Inv_Global_Windows_Users GWU
WHERE NOT EXISTS
	(select 1 from ResourceKey RK where RK.KeyName = 'name.domain' and RK.KeyValue= (upper(GWU.UserId) + '.' + upper(GWU.Domain)))
	AND UserId IS NOT NULL
Updates ResourceKeys for Users that have Resource Key that do not match the upper case domain details
UPDATE ResourceKey SET KeyValue = upper(GWU.UserId) + '.' + upper(GWU.Domain)
from Inv_Global_Windows_Users GWU 
WHERE
	GWU._ResourceGuid = ResourceKey.ResourceGuid  AND 
	KeyName = 'name.domain'	AND 
	KeyValue <> (upper(GWU.UserId) + '.' + upper(GWU.Domain)) 
	AND NOT EXISTS (SELECT 1 FROM ResourceKey RKC WHERE RKC.ResourceGuid = ResourceKey.ResourceGuid AND KeyValue = upper(GWU.UserId) + '.' + upper(GWU.Domain))
KSchroeder's picture

Thanks Mike for re-posting that article here on Connect!

Thanks,
Kyle
Symantec Trusted Advisor

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.