jbchurchill
Creator

Removed users in UDC after Sync from Active Directory

We are continuously seeing a very small number of users that show up as Inactive=Yes, Blocked=No, Removed externally=Yes.

They are duplicates of similar user names but the values for the IDs that work are all Inactive=No, Blocked=No, Removed externally=No (these are the users that are actually able to log in).

 

In other words there is a name here that is essentially the same (with typically some minor difference such as a 1 at the end of the name).

The first type of users keep coming back (getting re-synced). It seems similar to this problem. 

https://community.qlik.com/t5/New-to-Qlik-Sense/New-users-are-flagged-as-Removed-externally/td-p/159...

 

I've not deleted the user directory because I'm worried about the potential problems that might create.

 

What do you recommend? If removing the UDC is really the way to go (hard to believe), is there anything anyone can tell me to alleviate my fear? We have several people successfully logging in and I do not want to re-assign licenses and/or roles (security rules).

 

6 Replies
shaun_lombard
Creator II

Have you tried deleting the users that have been marked as "removed externally"?

That is what I do on a semi-regular basis.

Removed Externally essentially means that they have been removed from AD.

jbchurchill
Creator
Author

Great question. Yes, I have deleted them, and the result is that it removes them initially but they come back in with the next sync.

shaun_lombard
Creator II

I suspect that might be how AD is set up at your organisation. I checked our setup and noticed that users are moved to a different OU when they depart. This OU is not picked up by our UDC so those users never return.

Hopefully you are able to tweak your AD query to only include active users. 

jbchurchill
Creator
Author

We tried something today and deleted both users and ran the sync task manually, which only brought in one user, and all three (Blocked, Inactive, Removed Externally) were == "No" (we thought we had fixed it). We then asked the account holder to try and log in again and they were still unsuccessful! When I looked in the QMC, the user with the "Yes" values for "Inactive" and "Removed externally" had re-appeared. Any idea what would cause this in AD, such as the user logging in again or some process that needs to run before the sync? We do have a synchronization timeout set to 240 seconds.

shaun_lombard
Creator II

That user MUST be signing in with the "old" account or it is a caching issue.

I would suggest that the user clears the browser cache and tries again.

jbchurchill
Creator
Author

Your first suggestion holds some promise in my mind. We actually had two users that showed this problem and the second one did show up eventually (but much later in the day). My associate team that manages the AD said that "nothing is different" on their side (also I know that they are successfully using other applications). They also said that it looks like Qlik is using the samAccountName, which has a limit of 20 characters. It seems to only be with users with longer names, but it is definitely a problem for these users. We are still not sure how to fix it just yet.
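
An added example, not part of the thread and not Qlik's own code: a small audit helper that pairs each "Inactive=Yes, Removed externally=Yes" record with a working look-alike, using the two patterns the posts describe (a trailing digit, and an ID cut at the 20-character sAMAccountName limit). The field names and sample rows are assumptions constructed for illustration; it only surfaces candidates for review and does not address why the records re-sync.

```python
import re

SAM_LIMIT = 20  # sAMAccountName length limit mentioned in the thread

# Constructed sample rows; the field names are assumptions, not a Qlik export format.
SAMPLE_USERS = [
    {"user_id": "jdoe", "inactive": False, "removed_externally": False},
    {"user_id": "jdoe1", "inactive": True, "removed_externally": True},
    {"user_id": "maximilian.featherstonehaugh", "inactive": True, "removed_externally": True},
    {"user_id": "maximilian.featherst", "inactive": False, "removed_externally": False},
    {"user_id": "asmith", "inactive": False, "removed_externally": False},
    {"user_id": "oldleaver", "inactive": True, "removed_externally": True},
]


def _base(user_id):
    """Lower-case the ID and drop a trailing numeric suffix such as the '1' in 'jdoe1'."""
    return re.sub(r"\d+$", "", user_id.lower())


def _related(a, b):
    """Return why two IDs look like the same person, or None if they do not."""
    short, long_ = sorted((a.lower(), b.lower()), key=len)
    if len(short) == SAM_LIMIT and len(long_) > SAM_LIMIT and long_.startswith(short):
        return "truncated at sAMAccountName limit"
    if _base(a) and _base(a) == _base(b):
        return "numeric suffix"
    return None


def find_shadow_accounts(users):
    """Pair each 'Inactive=Yes, Removed externally=Yes' record with a working look-alike."""
    stale = [u for u in users if u["inactive"] and u["removed_externally"]]
    active = [u for u in users if not u["inactive"] and not u["removed_externally"]]
    hits = []
    for s in stale:
        for a in active:
            reason = _related(s["user_id"], a["user_id"])
            if reason:
                hits.append((s["user_id"], a["user_id"], reason))
    return hits


if __name__ == "__main__":
    for stale_id, active_id, reason in find_shadow_accounts(SAMPLE_USERS):
        print(f"{stale_id!r} shadows {active_id!r}: {reason}")
```

Stale records with no active look-alike (such as `oldleaver` in the sample) are left out, since those match the ordinary "removed from AD" case described earlier in the thread.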