Cloaky
Frequent contributor

SCCM users conflict with Active Directory Users

Hello Dear Community,

We have implemented Active directory integration with Flexera cloud for user information. However, we noticed that our SCCM integration (User.xml) has also brought in user accounts which are domain accounts, secondary accounts that are not part of AD.

Is there a way we can disable the SCCM user.xml portion so as to restrict SCCM from creating those users in the environment. What would be the potential impact if such a change would be made?

Thank you

Cloaky

8 Replies
kclausen
Flexera
Flexera

Re: SCCM users conflict with Active Directory Users

You will want the users from SCCM to be created if they are not being imported from Active Directory so that you can get the correct license consumption for your User-Based licenses.

A couple of reasons why would there be users in SCCM that are not being imported from Active Directory:

1) Perhaps you have not defined all of your Domains yet to your beacons, but your complete SCCM Inventory has users from these extra domains.

2) Perhaps some of the SCCM devices are on a Local Workgroup, and not on a domain.

 

FlexNet Manager should be merging the Users from AD and from SCCM based on the combination of Domain Name and Account Name.

dbeckner
Consultant

Re: SCCM users conflict with Active Directory Users

@kclausen I have 2 questions on this topic.

We are seeing SCCM import duplicate users due to the samAccountName being different. The scenario looks like this --

 

Active Directory imports -- Full Name = John Doe, samAccountName = jdoe

SCCM imports -- Full Name = John Doe, samAccountName DOE1782734643546

 

We are also seeing many service accounts imported from SCCM that we are filtering out using the User Blacklist feature but they don't all have standard samAccountNames and the blacklist feature is based upon account names.

Have you seen the above scenario and does Flexera have any best practices for handling/filtering the creation of unwanted accounts from inventory sources?

 

TYA.

 

 

kclausen
Flexera
Flexera

Re: SCCM users conflict with Active Directory Users

@dbeckner - In terms of your first question, that is expected behavior.  "Full Name" is not unique within Active Directory.  For example in your given scenario, you could have two employees at your company that have the same name of "John Doe".  They will each have a unique AD Logon Account Name.  That is why when FNMS is importing user data from multiple sources of data, unique Users are identified by the combination of Domain Name and Account Name.

In terms of your second question, SCCM is likely picking up a Service Account logon that is not on a domain.  For example, the Service Account could be on a computer that is on a Workgroup and not on a domain.  Or, the computer is on a domain but the Service Account is a local Windows Logon, not on the domain.

dbeckner
Consultant

Re: SCCM users conflict with Active Directory Users

Thanks @kclausen Does Flexera have any best practices in the way of handling these accounts that are not standard in naming convention and will be tedious to blacklist individually?

0 Kudos