Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
358
Views
0
Helpful
3
Replies

Automating removal of Discovered Users from ACS

RandyElliott
Level 1
Level 1

‎02-26-2008 09:56 AM - edited ‎02-21-2020 10:20 AM

I use ACS 4.1 on a Windows server that looks up unknown users in Active Directory. Users in AD are in various groups and ACS has these groups mapped to the ACS groups so that users are granted appropriate access to their needs. This has worked well.

I am now seeing that users are are removed from one AD group and added to another group do not have this change reflected in the ACS system. This is because ACS only looks at the AD group for *unknown users*. The user who has moved AD groups was an unknown user, but, upon first logon, that user became a discovered user. From that point forward, only credentials are checked, not group membership.

On the User Setup section in ACS, there is a button to *Remove Dynamic Users*.

I would love to know the following:

1. Is there a way to have ACS check the current group assignment in AD for *Discovered Users*?

2. If not, is there a way to automate the *Remove Dyanmic Users* fucntion? I have used CSUtil in the past but it seems a little cumbersome for this feature in that I had to dump out the users, reformat the output, and then push the deletion back through. I don't recall it making distinctions of known versus discovered users. It just had users names in ACS groups.

Any insights would be greatly appreciated!

Labels:
0 Helpful
3 Replies 3

Jagdeep Gambhir
Level 10
Level 10

‎02-29-2008 12:00 AM

The only way I can think of here is to use *Remove Dynamic Users* option , so that it fetch again the user information from AD instead of picking it from cache.

Regards,

~JG

Do rate helpful posts

0 Helpful

clausonna
Level 3
Level 3
In response to Jagdeep Gambhir

‎03-04-2008 01:16 AM

ACS 4.2 supports the ability to not create Dynamic Users in the first place, so maybe that's an option for you. That will probably put an extra load on ACS and AD, so YMMV. Check out the Release notes.

That said, this version was released about a week or two ago and there are a few bugs/caveats that are 'showstoppers' (at least for me.)

0 Helpful

RandyElliott
Level 1
Level 1
In response to Jagdeep Gambhir

‎03-04-2008 07:10 AM

Right, I mention that in my original post. But it requires me to go in and do it. Not the automated process I am looking for.

The other approach I mentioned is to script around the CSUTIL command. While it meets part of the automation requirement, it is not very robust and does not do exactly what I am looking for. It also becomes another complex script that I would have to support.

Thank you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents