Hello Dear Community,
We have implemented Active Directory integration with Flexera cloud for user information. However, we noticed that our SCCM integration (User.xml) has also brought in user accounts which are domain accounts, secondary accounts that are not part of AD.
Is there a way we can disable the SCCM user.xml portion so as to restrict SCCM from creating those users in the environment? What would be the potential impact if such a change were made?
Thank you
Cloaky
‎Mar 24, 2020 11:49 AM
You will want the users from SCCM to be created if they are not being imported from Active Directory so that you can get the correct license consumption for your User-Based licenses.
A couple of reasons why there would be users in SCCM that are not being imported from Active Directory:
1) Perhaps you have not defined all of your Domains yet to your beacons, but your complete SCCM Inventory has users from these extra domains.
2) Perhaps some of the SCCM devices are on a Local Workgroup, and not on a domain.
FlexNet Manager should be merging the Users from AD and from SCCM based on the combination of Domain Name and Account Name.
‎Mar 24, 2020 02:24 PM
@kclausen I have 2 questions on this topic.
We are seeing SCCM import duplicate users due to the samAccountName being different. The scenario looks like this --
Active Directory imports -- Full Name = John Doe, samAccountName = jdoe
SCCM imports -- Full Name = John Doe, samAccountName = DOE1782734643546
We are also seeing many service accounts imported from SCCM that we are filtering out using the User Blacklist feature but they don't all have standard samAccountNames and the blacklist feature is based upon account names.
Have you seen the above scenario and does Flexera have any best practices for handling/filtering the creation of unwanted accounts from inventory sources?
TYA.
‎May 02, 2021 09:19 PM
@dbeckner - In terms of your first question, that is expected behavior. "Full Name" is not unique within Active Directory. For example in your given scenario, you could have two employees at your company that have the same name of "John Doe". They will each have a unique AD Logon Account Name. That is why when FNMS is importing user data from multiple sources of data, unique Users are identified by the combination of Domain Name and Account Name.
In terms of your second question, SCCM is likely picking up a Service Account logon that is not on a domain. For example, the Service Account could be on a computer that is on a Workgroup and not on a domain. Or, the computer is on a domain but the Service Account is a local Windows Logon, not on the domain.
‎May 03, 2021 06:46 AM
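The matching rule described in the replies above (users identified by Domain Name plus Account Name, never by Full Name), as an added example that is not part of the original thread and is not Flexera's code. The record fields, the sample data and the case-insensitive comparison are assumptions; it sorts SCCM-only accounts into the cases the replies mention so they can be reviewed.

```python
# Added illustration: field names and sample records are constructed,
# not Flexera's schema or FlexNet Manager's own matching code.
AD_USERS = [
    {"domain": "CORP", "account": "jdoe", "full_name": "John Doe"},
    {"domain": "CORP", "account": "asmith", "full_name": "Ann Smith"},
]
SCCM_USERS = [
    {"domain": "corp", "account": "JDoe", "full_name": "John Doe", "computer": "PC-001"},
    {"domain": "CORP", "account": "DOE1782734643546", "full_name": "John Doe", "computer": "PC-002"},
    {"domain": "PC-003", "account": "svc_backup", "full_name": "", "computer": "PC-003"},
    {"domain": "EMEA", "account": "mlopez", "full_name": "Maria Lopez", "computer": "PC-004"},
]


def user_key(rec):
    """Identity key from the thread: Domain Name + Account Name.
    Lower-casing is an assumption (Windows logon names are case-insensitive)."""
    return (rec["domain"].strip().lower(), rec["account"].strip().lower())


def classify_sccm_users(ad_users, sccm_users):
    """Return {key: category} for every SCCM user record."""
    ad_keys = {user_key(u) for u in ad_users}
    ad_domains = {k[0] for k in ad_keys}
    ad_names = {u["full_name"].lower() for u in ad_users if u["full_name"]}
    result = {}
    for rec in sccm_users:
        key = user_key(rec)
        if key in ad_keys:
            category = "merged_with_ad"
        elif key[0] == rec["computer"].strip().lower():
            # Local Windows logon: the "domain" is the computer itself.
            category = "local_account"
        elif key[0] not in ad_domains:
            # Domain never imported from AD (not defined to the beacons).
            category = "domain_not_imported"
        elif rec["full_name"].lower() in ad_names:
            # Same display name, different account: a separate user record.
            category = "same_name_different_account"
        else:
            category = "not_in_ad"
        result[key] = category
    return result


if __name__ == "__main__":
    for key, category in classify_sccm_users(AD_USERS, SCCM_USERS).items():
        print(f"{key[0]}\\{key[1]}: {category}")
```
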
Thanks @kclausen. Does Flexera have any best practices in the way of handling these accounts that are not standard in naming convention and will be tedious to blacklist individually?
‎May 03, 2021 07:31 AM
You can use a Business Adapter to change the status of those user records from "Active" to "Inactive". Inactive users will not consume against a user-based license, even if they are allocated.
As far as I know, you can only define a Blacklisted User manually through the user interface.
‎May 03, 2021 07:45 AM
@kclausen Thanks for the replies. In the online help section under the Users > General Tab it writes the following --
"Setting a user's status to Inactive or Retired does not prevent license consumption, even from user-based license types. Instead, from the next license reconciliation (by default, overnight), the calculations are identical to those for an unknown user. This means that each device linked to this user falls back to consuming a single entitlement. If the user has multiple linked devices, simply changing the status to Inactive or Retired may result in an increase in consumption from user-based licenses at the next license reconciliation – whereas the user when Active consumed a single entitlement covering all her devices, now each device linked to the Retired user and reporting the same installed software consumes a separate entitlement, so that (for instance) a laptop and desktop computer linked to the same user license for the same user now consume two entitlements rather than the previous one. This underlines the importance of reassigning devices before changing the user status value. When you select Retired, a warning dialog appears if this user is linked to resources (such as assets or inventory devices), or has been assigned particular responsibilities. In this case, it is best practice to cancel the change, and first transfer the resources and responsibilities."
Based on that blurb does it mean that if you set users to inactive you also need to transfer their responsibility as a calculated user on a machine to another user or else the user will continue to consume a license? I want to make sure I understand how the "inactive" status would work in the tool.
‎May 03, 2021 09:27 AM
Changing the status of a User to "Inactive" is the equivalent of changing the status of an Inventory Device to "Ignored".
The items you mentioned from on-line help do not seem to be up to date. I did a test in FNMS Cloud for a User license and a Named User license. After changing the status of the User record to "Inactive", then on the consumption tab of both licenses, I still see the inactive users but their consumption is 0.
In your case, the Users that you are changing the status to "Inactive" are just Service Accounts. They don't represent a live human being. What the On-Line Help refers to is a Best Practice for a user that represents a live human being. If you have an employee that leaves your company, you need to review all of the assets for that user (Hardware Assets, Inventory Devices, user-based licenses, etc.) and transfer them to someone else, put them into a status of "Storage", etc.
‎May 03, 2021 09:58 AM
@kclausen Awesome explanation. Thank you very much. This will help clear up some confusion on this topic.
‎May 03, 2021 10:02 AM