Unity creating new AD objects :Unity 4.2.1 E2k3 UM

Feb 11th, 2008

I realize that the correct order to remove accounts is to delete the Unity account first, and then delete the associated AD/Exchange account after. That said, should the Unity application have the capability to re-create deleted AD accounts when it synchronizes from SQL to AD? Is there a way to stop this behavior other than deleting the Unity account first, before the AD object?

ranpierce Mon, 02/11/2008 - 12:32

Yes. When you ran the Permissions Wizard you could have not given the directory account permissions in AD.

I am not positive, but I think PW only gives permissions and does not take them away, so if the account already has permissions then you need to plan (make different accounts, maybe).

Jeff, am I right?


maratimer_2 Mon, 02/11/2008 - 13:09

We only gave the accounts permissions as required/documented, and selected only "import unity accounts, not create"....

Not sure exactly what you are referring to.

ranpierce Mon, 02/11/2008 - 13:48

That is exactly what I was referring to. Unity should not be able to create in AD as far as I understand it.


maratimer_2 Tue, 02/12/2008 - 11:30

Well, this is exactly what they are doing. Whenever we reboot a server and it does a full synch (assuming the AD account has already been deleted and the Unity account has not), the AD object is recreated in the Unity OU in the customer's AD.

Jeff, is this behavior normal, or should I open a TAC ticket? Is there a way to manually remove this permission from the Unity accounts (and which one? unitydirsvc?).


maratimer_2 Mon, 02/25/2008 - 07:54

Question to Cisco engineers: are there any permissions which can be removed so that Unity cannot create AD accounts when doing a resynch if the AD account has already been deleted but the Unity account still exists in the UnityDB? Should I open a TAC ticket for this, or is this expected behavior?

We only configure Unity to "import existing users", although I cannot guarantee that someone at some point did not select the "create existing accounts" option at one point in time when running the wizard....

Thank you.
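The thread never settles which ACE lets the directory service account recreate objects. One way to find out, as an added example that is not part of the thread or of any Cisco tool, is to read the ACL of the Unity OU and list the entries that grant "Create Child" to the service account (or to a group it belongs to). The OU distinguished name, domain name and account names below are placeholders; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, which provides the `AD:` drive used by `Get-Acl`.

```powershell
# Added example, not from the thread: list ACEs on an OU that allow the
# given principals to create child objects. Placeholders to replace:
#   $OuDn       - the OU where Unity is recreating objects
#   $Principals - the Unity directory service account and any group the
#                 Permissions Wizard may have granted rights to instead
Import-Module ActiveDirectory

$OuDn       = 'OU=Unity,DC=example,DC=com'              # placeholder
$Principals = @('EXAMPLE\unitydirsvc', 'EXAMPLE\UnityAdmins')  # placeholders

# Well-known schema class GUIDs seen in ObjectType; an all-zero GUID means
# the ACE applies to every child object class, not just users.
$ClassNames = @{
    '00000000-0000-0000-0000-000000000000' = 'all object classes'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
}

function Get-CreateChildAces {
    param([string]$Path, [string[]]$Who)

    $acl = Get-Acl -Path "AD:\$Path"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Who -contains $_.IdentityReference.Value -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::CreateChild)
        } |
        ForEach-Object {
            $guid = $_.ObjectType.ToString()
            [pscustomobject]@{
                Principal   = $_.IdentityReference.Value
                Rights      = $_.ActiveDirectoryRights
                AppliesTo   = if ($ClassNames.ContainsKey($guid)) { $ClassNames[$guid] } else { $guid }
                Inheritance = $_.InheritanceType
                Inherited   = $_.IsInherited   # True means the ACE comes from a parent container
            }
        }
}

Get-CreateChildAces -Path $OuDn -Who $Principals | Format-Table -AutoSize
```

An entry with `Inherited = True` was not set on the OU itself and has to be traced up to the container it came from; an entry whose `AppliesTo` is `all object classes` is broader than a Unity import-only deployment needs. The same report, taken before and after running the Permissions Wizard, shows whether the wizard only adds rights, as the second post suggests, since any ACE present in the "before" run and still present afterwards was never removed by it.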

