Inactive Accounts in All Users
It was my understanding that an account will drop out of FlexNet All Users if it was deleted from AD. We have seen this work for some accounts but not others. Is there a document that lays out the process of when/how an account is removed, or is this something that has to be done manually?
As far as I know, there is no extensive description of this process. Here is how I understand it. Like with inventories, there are basically 2 options:
- You can create users from external sources (Readers).
In this process, users are imported from the source to ImportedUser first. From there, the Writer consumes the data and inserts/updates/deletes in the ComplianceUser table. You should be able to understand the mapping by looking into ComplianceUserConnection.
- You can create user objects manually or via Business Import.
In this case, FNMS will not delete the object. I think you can get the type of the user from the ComplianceUser table, ComplianceUserInventorySourceTypeID column.
I am not completely sure, but I guess some changes may lead to a user object changing status and therefore not being removed by FNMS. Or maybe if users are linked to other objects (contracts, etc.), FNMS does not remove them? Again, not sure, but if you run FNMS on prem, maybe looking into the mentioned tables helps a bit.
Also, if you need to remove old data more reliably, you should create your own process.
@mfranz, to your second point: are you stating that if you have a business adapter that is importing users from AD and those users no longer exist in AD, then the next import job the adapter runs will not remove the missing users from the compliance table?
We have Active Directory imports running on our beacons but also have a business adapter set up to import users from 2 different sources of user data - a PeopleSoft DB and Active Directory. During this process we map the users to their corporate unit. I have noticed recently that the users are not being removed from the compliance DB after they are removed from AD.
If this is normal behavior, have you seen a good method for removing the stale users?
Like some ComplianceComputers imported from readers are related to ImportedComputer (via ComplianceComputerConnection), so are some ComplianceUsers related to their source (ImportedUser via ComplianceUserConnection). This relation (and I believe, a specific column) enables FNMS to remove these elements (computers, users, ...) when they were removed from the original source. This only applies to objects brought in via a reader (e.g. ManageSoft aka FlexNet Manager Suite).
Objects that were originally created by a business import, are not automatically removed. There are exemptions, business import can remove allocations and stuff. To have a business import properly remove objects (users, computers), I usually implement my own SQL as a custom query. Of course, this only works on-prem, as FNMS Cloud/Flexera One does not allow you to mess with the database 🙂
Each Compliance User that comes into FNMS from an inventory import records the import connection (a.k.a. O365, FlexNet Manager Suite, and SCCM) that has supplied information for the user. Looking at the \ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Writer\RemoveMissingUsers.xml file, it appears that the logic is to remove any Compliance User that has been identified in the ImportedMissingUsers table and has no import connections. It does not appear that the Automatic or Manual connection type influences the operation.
I've just been reviewing the writer and have to agree. If there's a "ComplianceUserConnection" lost (when compared to "ImportedUser"), the user will be removed.
From what I can see, the step "RemoveMissingUsers" does rely on the table "ImportedMissingUser", which is usually provided in the "UserWriter" step (330). There it is filled if a Compliance User Connection is no longer found in the "ImportedUsers" table.
The question is where to amend the logic in our favor. I have some ideas, but one minor issue: I can prevent specific users (e.g. those being tagged as "manual") from being put into "ImportedMissingUsers" and therefore not being removed by "RemoveMissingUsers". Problem is that orphaned "ComplianceUserConnection" entries will stay behind and build up over time.
I built a new inventory adapter for users. The source for the adapter is ... FNMS. So, once a user is put in the system, it does not get removed when all other sources (SCCM, AD, O365, etc...) no longer have the user information. You can build the criteria in the new adapter to keep the user information that you want to keep.
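
A toy model of the removal logic discussed in the replies above, added here as an illustration and not taken from FNMS or from any poster: the table names come from the thread, while the columns, the SQL and the step that drops stale connection rows are simplifying assumptions. It shows why a user with no import connection (for example one created by a business import) is never removed, and how to list such users for review.

```python
import sqlite3

# Simplified, hypothetical columns; only the table names appear in the thread.
SCHEMA = """
CREATE TABLE ComplianceUser(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ComplianceUserConnection(user_id INTEGER, conn TEXT);
CREATE TABLE ImportedUser(conn TEXT, name TEXT);
CREATE TABLE ImportedMissingUser(user_id INTEGER);
"""

def build_db():
    """Constructed sample data: carol was created by a business import."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO ComplianceUser VALUES (?,?)",
                   [(1, "alice"), (2, "bob"), (3, "carol"), (4, "dave")])
    db.executemany("INSERT INTO ComplianceUserConnection VALUES (?,?)",
                   [(1, "AD"), (1, "O365"), (2, "AD"), (4, "AD")])
    # Latest reader output: alice and bob have been deleted from AD.
    db.executemany("INSERT INTO ImportedUser VALUES (?,?)",
                   [("O365", "alice"), ("AD", "dave")])
    return db

STALE = """NOT EXISTS (SELECT 1 FROM ImportedUser i JOIN ComplianceUser u
             ON u.name = i.name
             WHERE i.conn = ComplianceUserConnection.conn
               AND u.id = ComplianceUserConnection.user_id)"""

def run_writer(db):
    # "UserWriter": flag users whose connection is no longer in ImportedUser.
    db.execute("INSERT INTO ImportedMissingUser SELECT user_id "
               "FROM ComplianceUserConnection WHERE " + STALE)
    # Assumption: the stale connection rows are dropped at the same time.
    db.execute("DELETE FROM ComplianceUserConnection WHERE " + STALE)
    # "RemoveMissingUsers": flagged users with no remaining connection go.
    db.execute("""DELETE FROM ComplianceUser
        WHERE id IN (SELECT user_id FROM ImportedMissingUser)
          AND id NOT IN (SELECT user_id FROM ComplianceUserConnection)""")
    return [r[0] for r in
            db.execute("SELECT name FROM ComplianceUser ORDER BY id")]

def users_without_connection(db):
    # Accounts no reader vouches for: candidates for a custom cleanup process.
    return [r[0] for r in db.execute("""SELECT name FROM ComplianceUser
        WHERE id NOT IN (SELECT user_id FROM ComplianceUserConnection)
        ORDER BY id""")]
```

In this model bob is removed, alice survives because O365 still reports her, and carol stays indefinitely because she never had a connection to lose.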