02-26-2008 09:56 AM - edited 02-21-2020 10:20 AM
I use ACS 4.1 on a Windows server that looks up unknown users in Active Directory. Users in AD are in various groups and ACS has these groups mapped to the ACS groups so that users are granted appropriate access to their needs. This has worked well.
I am now seeing that users who are removed from one AD group and added to another group do not have this change reflected in the ACS system. This is because ACS only looks at the AD group for *unknown users*. The user who has moved AD groups was an unknown user, but, upon first logon, that user became a discovered user. From that point forward, only credentials are checked, not group membership.
On the User Setup section in ACS, there is a button to *Remove Dynamic Users*.
I would love to know the following:
1. Is there a way to have ACS check the current group assignment in AD for *Discovered Users*?
2. If not, is there a way to automate the *Remove Dynamic Users* function? I have used CSUtil in the past but it seems a little cumbersome for this feature in that I had to dump out the users, reformat the output, and then push the deletion back through. I don't recall it making distinctions of known versus discovered users. It just had user names in ACS groups.
Any insights would be greatly appreciated!
02-29-2008 12:00 AM
The only way I can think of here is to use the *Remove Dynamic Users* option, so that it fetches the user information from AD again instead of picking it from the cache.
Regards,
~JG
Do rate helpful posts
03-04-2008 01:16 AM
ACS 4.2 supports the ability to not create Dynamic Users in the first place, so maybe that's an option for you. That will probably put an extra load on ACS and AD, so YMMV. Check out the Release notes.
That said, this version was released about a week or two ago and there are a few bugs/caveats that are 'showstoppers' (at least for me).
03-04-2008 07:10 AM
Right, I mention that in my original post. But it requires me to go in and do it. Not the automated process I am looking for.
The other approach I mentioned is to script around the CSUTIL command. While it meets part of the automation requirement, it is not very robust and does not do exactly what I am looking for. It also becomes another complex script that I would have to support.
Thank you.