Manage Users and Groups with ADSync

Related: Active Directory Mapping

Delete Users and Groups

Deleting a user in AD marks the corresponding DigaSystem (DS) user as deleted; the DS user is not removed. Such a user cannot be edited or deleted in DigaSystem Admin or DPE Admin.

If you need to edit or remove it, convert the AD user into a normal (DigaSystem-only) user first. After the conversion the user can be changed in DigaSystem Admin or DPE Admin and can also be deleted there.

Note

Existing users and groups may carry valuable configuration. AD knows nothing about it, because all DigaSystem configuration is done on the DigaSystem side. Marking these users and groups as deleted instead of deleting them protects this configuration work until they are actually removed on the DigaSystem side.

Deleting and Re-adding Users and Groups

Deleting an AD user marks the corresponding DS user as deleted. When an AD user with the same name is added again, the new DS user must be given a name different from the one that is marked as deleted, e.g.:

AD action            Corresponding DS action
Add user "test"      User "test" is created
Delete user "test"   User "test" is marked as deleted
Add user "test"      User "test1" is created

Instead of deleting and re-adding users, consider disabling and re-enabling them.

An alternative is to convert the deleted DS user into a DigaSystem-only user and delete it from DigaSystem before re-adding it to AD, e.g.:

AD action            Corresponding DS action
Add user "test"      User "test" is created
Delete user "test"   User "test" is marked as deleted
(no AD action)       Use DigaSystem Admin to convert user "test" to DigaSystem-only and physically delete it
Add user "test"      User "test" is created

Deleting an AD group marks the corresponding DS group as deleted. When an AD group with the same name is added again, the new group cannot be added because the soft-deleted group with the same name still exists. A warning is issued.

AD action             Corresponding DS action
Add group "test"      Group "test" is created
Delete group "test"   Group "test" is marked as deleted
Add group "test"      No group is added. A warning is issued.

If you want to re-organize

In an Active Directory environment it is considered best practice not to delete and re-add users but to disable them and enable them again later. This protects the configuration on both sides and produces the same result.

Before you re-enable disabled users and groups you may move them or change their group membership. Be aware that moving a group or user out of the scope of ADSync (e.g. a user with no group membership below the synchronization root) means ADSync no longer recognizes it and treats the corresponding DS group or user as deleted. Bringing it back into the scope of ADSync is treated as re-adding it, with the results described above: a new user is created with a different name, and a group is not re-added while its soft-deleted namesake still exists.

Users and Groups Names

Rules for valid names (and their maximum length) differ between AD and DigaSystem. The following describes the DigaSystem rules:

DigaSystem           User ID                             User long name   Group name
Max. length          8                                   79               254
Unicode support      Yes                                 Yes              Yes
Allowed characters   Alpha-numeric, underscore, minus    All              All
Escape character     Underscore                          n/a              n/a

AD user names that are identical after being cut to the DigaSystem user ID length of 8 characters have to be made unique again. The algorithm puts a counter at the end of the cut name (staying within the 8-character limit) and increments it until the name is unique, e.g. "MichaelMueller" and "MichaelMeier" result in "MichaelM" and "Michael1".

For synchronized users the long name is built by combining the NetBIOS domain name with the AD name, e.g. "MyDomain\MyUserName". Either the user ID or the long name can be used to log on.

AD group names that are identical after being cut to the DigaSystem group name length of 254 characters are not made unique. Only the first group in a list of identical group names is added; the other groups are ignored and warnings are written to the protocol.

AD users and groups whose names equal the name of a DigaSystem-only user or group cannot be synchronized, and an error is written to the protocol.

In particular, an AD user named ADMIN cannot be synchronized. The user name ADMIN is automatically filtered (removed) from the AD user list, so an AD account cannot be mapped onto the DigaSystem ADMIN user.
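The naming rules above and the soft-delete behaviour from the delete/re-add section, modelled in Python as an added example. This is not ADSync or DigaSystem code; the class and function names, the case-insensitive name comparison, the treatment of Unicode letters as alpha-numeric and the exact wording of the protocol messages are assumptions made for the illustration.

```python
# Added example (not ADSync/DigaSystem code): a model of the naming and
# soft-delete rules described on this page. Assumed, not stated on the page:
# names compare case-insensitively, every sync run sees the complete list of
# in-scope AD users and groups, and Unicode letters count as alpha-numeric.

MAX_USER_ID = 8        # DigaSystem user ID limit
MAX_GROUP_NAME = 254   # DigaSystem group name limit
ESCAPE = "_"           # escape character for user IDs


def escape_user_id(ad_name):
    """Map an AD name to a DS user ID: replace characters other than
    alpha-numeric, underscore and minus with '_' and cut to 8 characters."""
    escaped = "".join(c if c.isalnum() or c in "_-" else ESCAPE for c in ad_name)
    return escaped[:MAX_USER_ID]


def unique_user_id(base, taken):
    """Make a cut ID unique by overwriting its tail with an incrementing
    counter so the 8-character limit holds: MichaelM -> Michael1 -> Michael2."""
    if base.lower() not in taken:
        return base
    n = 1
    while True:
        suffix = str(n)
        candidate = base[:MAX_USER_ID - len(suffix)] + suffix
        if candidate.lower() not in taken:
            return candidate
        n += 1


class DigaSystem:
    """Minimal DS user/group store with soft delete and a protocol (log)."""

    def __init__(self, netbios, ds_only_users=(), ds_only_groups=()):
        self.netbios = netbios
        self.ds_only_users = {u.lower() for u in ds_only_users}
        self.ds_only_groups = {g.lower() for g in ds_only_groups}
        self.users = {}    # user ID -> {"ad": AD name, "long": long name, "deleted": bool}
        self.groups = {}   # lower-cased name -> {"name": name, "deleted": bool}
        self.protocol = []

    def convert_to_ds_only_and_delete(self, uid):
        """The manual step from DigaSystem Admin: turn the soft-deleted AD user
        into a DigaSystem-only user and physically delete it."""
        if self.users[uid]["deleted"]:
            del self.users[uid]

    def sync(self, ad_users, ad_groups):
        """One ADSync run: add new objects, soft-delete vanished ones, never hard-delete."""
        ad_users = [u for u in ad_users if u.upper() != "ADMIN"]  # ADMIN is filtered out
        present = set()
        for ad_name in ad_users:
            if ad_name.lower() in self.ds_only_users:
                self.protocol.append(f"ERROR: user '{ad_name}' equals a DigaSystem-only user")
                continue
            uid = next((k for k, u in self.users.items()
                        if u["ad"].lower() == ad_name.lower() and not u["deleted"]), None)
            if uid is None:  # new or re-added: the soft-deleted ID is still taken
                taken = {k.lower() for k in self.users} | self.ds_only_users
                uid = unique_user_id(escape_user_id(ad_name), taken)
                self.users[uid] = {"ad": ad_name, "long": f"{self.netbios}\\{ad_name}", "deleted": False}
            present.add(uid)
        for uid, u in self.users.items():
            if uid not in present:
                u["deleted"] = True  # soft delete keeps the DS-side configuration
        seen = set()
        for name in (g[:MAX_GROUP_NAME] for g in ad_groups):
            key = name.lower()
            if key in self.ds_only_groups:
                self.protocol.append(f"ERROR: group '{name}' equals a DigaSystem-only group")
            elif key in seen:
                self.protocol.append(f"WARNING: duplicate group name '{name}' ignored")
            elif key in self.groups and self.groups[key]["deleted"]:
                self.protocol.append(f"WARNING: group '{name}' still exists as deleted, not re-added")
                seen.add(key)
            else:
                seen.add(key)
                self.groups.setdefault(key, {"name": name, "deleted": False})
        for key, g in self.groups.items():
            if key not in seen:
                g["deleted"] = True


def scenario():
    """The tables on this page, run in order; returns the resulting DS state."""
    ds = DigaSystem("MyDomain", ds_only_users=["ADMIN", "reporter"])
    ad = ["test", "MichaelMueller", "MichaelMeier", "reporter", "ADMIN"]
    ds.sync(ad, ["editors", "test"])        # first run: everything in scope is created
    ds.sync(ad[1:3], ["editors"])           # AD user/group "test" deleted -> soft-deleted in DS
    ds.sync(ad[:3], ["editors", "test"])    # re-added -> user "test1"; group only warned
    return {
        "user_ids": sorted(ds.users),
        "deleted_users": sorted(k for k, u in ds.users.items() if u["deleted"]),
        "long_names": {k: u["long"] for k, u in ds.users.items()},
        "groups": {g["name"]: g["deleted"] for g in ds.groups.values()},
        "protocol": ds.protocol,
    }


def scenario_hard_delete_then_readd():
    """The alternative from the second table: convert and physically delete first."""
    ds = DigaSystem("MyDomain")
    ds.sync(["test"], [])
    ds.sync([], [])                           # AD user deleted -> DS user "test" soft-deleted
    ds.convert_to_ds_only_and_delete("test")  # admin step in DigaSystem Admin
    ds.sync(["test"], [])                     # re-added -> "test" is created again
    return sorted(ds.users)


if __name__ == "__main__":
    for line in scenario()["protocol"]:
        print(line)
```

Running the module prints the protocol of the first scenario: one error for the AD user "reporter" that collides with the constructed DigaSystem-only user, and one warning for the re-added group "test". The AD user "ADMIN" produces no message at all because it is dropped before the collision check, which is the behaviour the page describes.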