Users which are inactive in Active Directory are showing as Active in Password Safe; I don't know how it's possible!!
If users are disabled in AD, Password Safe won't be aware of these changes unless the group containing the AD users is synchronized
If you are using a directory query (memberof=CN=...), use advanced LDAP syntax to remove/not include accounts that are disabled.
If we've onboarded AD users individually from User Management and created groups locally in Password Safe to assign them, group synchronization won’t work as expected, right? Is there another configuration we can apply, or is it mandatory to onboard AD users along with their AD groups to ensure the correct user status is reflected?
Automatic Sync is already enabled; still, we are getting around 100 users which are disabled in Active Directory and still showing inactive in Password Safe.
Am I correct in my interpretation that inactive is a typo and the issue is that the accounts are still showing as active, based upon your previous description, rather than disabled/inactive as you expect based upon the AD state?
How large/complex is your domain? Is it possible that domain replication may not have completed for the accounts which are disabled, and PWS is interacting with a domain controller which has not yet completed replication?
Is the Automatic Sync option enabled both on the group and the RBAC > Active Directory Group Synchronization setting - and what frequency is it set to, is it the Global option of once per day or more frequently on the group?
If you are certain replication has occurred, have you forced a sync for that specific group manually to see if that produces a different result?
If you are referring to the users in Configuration > (Role Based Access) User Management > Users: once a user is onboarded, either manually or by means of an Active Directory/local group, you can only remove users from here if they have not used PWS. That is because an audit trail exists and cannot be deleted. They will have the following icons in the status column for their entry:
Active - circle with a check
Inactive - Circle with a minus
Expired - Alarm Clock
Quarantined - Radioactive symbol
Disabled - Circle with a minus
Inactive and Disabled both have the same icon; if you hover over the icons with your mouse you will see, as in the example below, which one it is.
That is how you can tell, or you can filter by status, but you may get multiple icons in that column.
Now, if you want to delete those that are expired/disabled/inactive, choose one from the drop-down for the STATUS filter; I would choose Disabled. You should see multiple icons in the status column. Check the account you wish to delete (you must delete them one at a time), then click the ellipsis (three vertical dots) on the right and choose Delete User. You will be asked if you are sure you want to delete that user; select Delete.
Now if you get an error then the user has events in the database and cannot be deleted. So you can only remove users from here if they have not used PWS. That is because an audit trail exists and cannot be deleted.
Please see the KB where the details are available to exclude disabled users in the LDAP query.
https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017386
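As an added illustration of the "advanced LDAP syntax" mentioned above (example code written for this thread, not code from BeyondTrust or the KB), the snippet below builds the membership filter quoted in the thread and a second filter that also requires the ACCOUNTDISABLE bit (0x2) of userAccountControl to be clear, using Active Directory's standard bitwise-AND matching rule 1.2.840.113556.1.4.803. It then applies both filters to a few constructed user entries to show why the plain memberOf query keeps disabled accounts. The group DN and the users are made up; confirm against the linked KB that Password Safe's directory query field accepts this exact syntax.

```python
"""Added example for this thread: LDAP filter that excludes disabled AD accounts.

Not code from BeyondTrust or the KB article. The group DN and the sample
entries below are constructed for illustration.
"""

# userAccountControl bit that marks a disabled account (ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x0002
# AD's bitwise-AND extensible matching rule OID.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Hypothetical group DN (assumption, not from the thread).
GROUP_DN = "CN=PWS-Users,OU=Groups,DC=example,DC=com"


def member_filter(group_dn: str) -> str:
    """Plain membership query, as quoted in the thread: (memberOf=CN=...)."""
    return f"(memberOf={group_dn})"


def enabled_member_filter(group_dn: str) -> str:
    """Membership query that also requires the ACCOUNTDISABLE bit to be clear."""
    return (
        f"(&(memberOf={group_dn})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))"
    )


def is_disabled(entry: dict) -> bool:
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(entry["userAccountControl"]) & ACCOUNTDISABLE)


# Constructed sample entries (hypothetical users, not real data).
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE,
# 546 = NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "memberOf": [GROUP_DN]},
    {"sAMAccountName": "bob",   "userAccountControl": 514, "memberOf": [GROUP_DN]},
    {"sAMAccountName": "carol", "userAccountControl": 512, "memberOf": []},
    {"sAMAccountName": "dave",  "userAccountControl": 546, "memberOf": [GROUP_DN]},
]


def evaluate(entries, group_dn: str, exclude_disabled: bool) -> list:
    """Toy evaluator that applies the two tests the filters above express
    (group membership, and optionally the disabled-bit check). It is not a
    general LDAP filter parser; it models what the directory server does with
    these specific filters. Returns matching sAMAccountNames, sorted."""
    matched = []
    for entry in entries:
        if group_dn not in entry["memberOf"]:
            continue
        if exclude_disabled and is_disabled(entry):
            continue
        matched.append(entry["sAMAccountName"])
    return sorted(matched)


if __name__ == "__main__":
    print(member_filter(GROUP_DN), "->", evaluate(SAMPLE_ENTRIES, GROUP_DN, False))
    print(enabled_member_filter(GROUP_DN), "->", evaluate(SAMPLE_ENTRIES, GROUP_DN, True))
```

Note that the bitwise rule is what makes this work: a plain `(userAccountControl=514)` comparison would miss `dave`, whose value carries an extra flag, while the matching rule catches every account with the disable bit set regardless of the other bits.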
You can set a sync schedule for the user group by editing the group and setting it to sync on a schedule. I do a custom one and set it to recurring, with a frequency of hourly, every 1 hour.
Charles, I think he is referring to the User Management users. If so, as you know, there is no directory query to run here.
Yes
New users in AD group not appearing or users not appearing correctly in web console User Management groups - How to sync users in groups
https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0017083