Highlighted
Intrepid explorer

Inactive Accounts in All Users

It was my understanding that an account will drop out of Flenxet all users, if it was deleted from AD. We have seen this work for some accounts but not others. Is there a document that lays out the process of when/how an account is removed or is this something that has to be done manually?

 

Thank you.

4 Replies
Highlighted
Rising star

Re: Inactive Accounts in All Users

Hi,

As far as I know, there is no extensive description of this process. Here is how I understand it. Like with inventories, there are basically 2 options:

  1. You can create users from external sources (Readers).
    In this process, users are imported from the source to ImportedUser first. From there, the Writer consumes the data and inserts/updates/deletes in the ComplianceUser table. You should be able to understand the mapping by looking into ComplianceUserConnection.

  2. You can create user objects manually or via Business Import.
    In this case, FNMS will not delete the object. I think you can get the type of the user from the ComplianceUser table, ComplianceUserInventorySourceTypeID column.

I am not completely sure, but I guess some changes may lead to a user object changing status and therefore not being removed by FNMS. Or maybe of users are linked to other objects (contracts, etc.), FNMS does not remove them? Again, not sure, but if you run FNMS on prem, maybe looking into the mentioned tables helps a bit.

Also, if you need to remove old data more reliably, you shoud create your own process.

Best regards,

Markward

Softline Group is Europe's leading independent expert in Software Asset Management.
Highlighted
Active participant

Re: Inactive Accounts in All Users

Each Compliance User that comes into FNMS from an inventory import records the import connection (a.k.a. O365, FlexNet Manager Suite, and SCMM) that has supplied information for the user.  Looking at the \ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Writer\RemoveMissingUsers.xml file, it appears that logic is to remove any Compliance User that has been identified in the ImportedMissingUsers table and has no import connections.    It does not appear that the Automatic or Manual connection type influences the operation.   

Highlighted
Rising star

Re: Inactive Accounts in All Users

Hi,

I've just been reviewing the writer and have to agree. If there's a "ComplianceUserConnection" lost (when compared to "ImportedUser"), the user will be removed.

From what I can see, the step "RemoveMissingUsers" does rely on the table "ImportedMissingUser", which is usually provided in the "UserWriter" step (330). There it is filled if a Compliance User Connection is no longer found in the "ImportedUsers" table.

The question is where to amend the logic in out favor. I have some ideas, but one minor issue: I can prevent specific users (e. g. those being tagged as "manual") from being put into "ImportedMissingUsers" and therefore not being removed by "RemoveMissingUsers". Problem is that orphaned "ComplianceUserConnection" entries will stay behind and build up over time.

Best regards,

Markward

Softline Group is Europe's leading independent expert in Software Asset Management.
Highlighted
Active participant

Re: Inactive Accounts in All Users

I build an new Inventory adapter for users.  The source for the adapter is ... FNMS.  So, once a user is put in the system, it does not get removed when all other sources (SCCM, AD, O365, etc...) no longer have the user information.  You can build the criteria in the new adapter to keep the user information that you want to keep.