ODMAD DirSync is not populating user's membership in security groups (4371506)

ODMAD DirSync is not populating user's membership in security groups

A specific user account was failing to synchronize and could not be matched with its corresponding object in the target environment. Despite this, all security groups to which the user belonged were successfully matched and synchronized.

After the underlying issue preventing the user from matching was resolved, the user synchronized successfully. However, the user’s group memberships did not synchronize to the target. The user remained missing from all corresponding target security groups, even after multiple re-sync attempts.

During security group synchronization, ODMAD DirSync retrieves group membership using the “member” attribute. This process relies on the USN (Update Sequence Number) value stored in the backend SQL database to determine whether an object has changed since the last sync.

If the source object's current USN is equal to the USN value already stored in the SQL database, ODM interprets this as “no changes detected.” As a result, the object is not included in the sync cycle, and the group membership does not get updated.

Note: the issue can also be caused by missing Read of the target environment. Match cannot be completed without reading.

To resolve this issue, ODMAD DirSync must detect that the source security groups have changed. Because DirSync tracks changes using USN values, if no updates are detected on the groups, the service will not process them again.

Option 1

• Apply a minor update to every source security group that the affected user is a member of. 
  • This forces a new USN value so that ODMAD recognizes the group as updated.
  • Examples of valid “small changes”:
    • Add a space in the Description field
    • Modify any extensionAttributeX value
• After saving the changes, re-run the migration workflow that includes these groups.

Option 2

• Use the option “RESET DELTA READ UPDATE SEQUENCE NUMBER (USN) ON NEXT READ”.
  • This instructs ODMAD to refresh its USN baseline and pull the latest updates from the environment on the next sync cycle.
  • This option can be used when manually updating each group is not practical.
  • A sample screenshot is shown below:

 

Note: You may revert the attribute to its original value afterward, if required. The temporary modification is sufficient to register as a change in the Active Directory object and will generate a new USN (Update Sequence Number). This updated USN allows the synchronization process to detect the object again and continue processing normally.