Reply To: MY0436 User accounts become automatically disabled LDAP Sync

#4552
MyID Support
Senior Moderator

User not found in directory – Reason 1 – User removed from LDAP then re-added (AD)

This reason is unique to Active Directory with a mapping of ObjectGUID <> UniqueID. The use case goes something like this:

  • User is created in Active Directory.
  • User is imported into MyID (e.g. Add Person, Edit Person).
  • User is removed from Active Directory. The next action triggering the background update (e.g. using View Person, Edit Person) disables the user in MyID.
  • User is re-added into Active Directory. But the background update does not re-enable the user.

This is because Active Directory creates a new objectGUID each time a user is created, even if the rest of the user details are exactly the same as before. Because the objectGUID is now unknown to MyID, MyID cannot synchronise with the new user account in Active Directory.

Recovery:

This should be carried out under the guidance of Intercede Customer Support. But the recovery is basically to set the UniqueID field in SystemAccounts to NULL for the associated user. MyID will then fall back to a secondary means of synchronising, which is to use the user's DistinguishedName (DN) in LDAP. If a unique match can be found then MyID will re-populate the UniqueID field with the new ObjectGUID value. After that, MyID should then be able to successfully synchronise the user account with its corresponding user record in LDAP.
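The delete/re-add sequence and the DN fallback described in this reply, as an added illustrative model and not MyID's or Intercede's code: the field names (objectGUID, DistinguishedName, SystemAccounts.UniqueID) follow the post, while the matching rules and the constructed DN are assumptions.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the MyID <> Active Directory background update described
# in the post. Illustrative only; the exact matching rules are an assumption.

@dataclass
class ADUser:
    distinguished_name: str
    # AD assigns a fresh objectGUID on every create; a deleted GUID is never reused.
    object_guid: str = field(default_factory=lambda: str(uuid.uuid4()))

@dataclass
class MyIDAccount:
    dn: str
    unique_id: Optional[str]  # SystemAccounts.UniqueID, holds the objectGUID
    enabled: bool = True

def sync(account: MyIDAccount, directory: dict) -> MyIDAccount:
    """Background update: match the account to a directory object (dict keyed by DN)."""
    if account.unique_id is not None:
        # Primary match: UniqueID <> objectGUID. Unknown GUID = "user not found".
        hits = [u for u in directory.values() if u.object_guid == account.unique_id]
        account.enabled = len(hits) == 1
        return account
    # Secondary match (UniqueID is NULL): DistinguishedName, unique match only.
    hits = [u for u in directory.values() if u.distinguished_name == account.dn]
    if len(hits) == 1:
        account.unique_id = hits[0].object_guid  # re-populate with the new GUID
        account.enabled = True
    else:
        account.enabled = False
    return account

def scenario() -> tuple:
    """Walk the post's use case; returns enabled state after delete, re-add, recovery."""
    dn = "CN=Jane Doe,OU=Users,DC=example,DC=com"  # constructed DN
    ad = {dn: ADUser(dn)}
    acct = MyIDAccount(dn=dn, unique_id=ad[dn].object_guid)  # imported into MyID
    del ad[dn]                                 # user removed from AD
    after_delete = sync(acct, ad).enabled      # False: disabled by background update
    ad[dn] = ADUser(dn)                        # re-added: brand-new objectGUID
    after_readd = sync(acct, ad).enabled       # still False: GUID unknown to MyID
    acct.unique_id = None                      # recovery step from the post
    after_recovery = sync(acct, ad).enabled    # True: DN matched, UniqueID re-populated
    return after_delete, after_readd, after_recovery
```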