KB1029
User account disabled due to Active Directory Synchronization
Summary
Axiom user accounts are being disabled on a repeated basis, and users cannot log in using their Windows Active Directory (AD) credentials.
Details
If your system uses Windows Authentication and has Active Directory Synchronization enabled, your Master System User (MSU) may create a Scheduler job to synchronize Axiom security with one or more Active Directory Security groups in your domain. By design, if your Information Technology department disables or removes users from the designated Active Directory Security groups, those users will also be disabled in Axiom Security whenever the Scheduler job runs. If you have a new user that you have added in Axiom Security before IT has added the user to Active Directory, you can create exceptions so that the user does not get disabled every time the Scheduler job runs.
Example Active Directory Import Scheduler results with disabled user accounts
NOTE: Your Information Technology team manages Active Directory on your domain and controls which users are added or removed. Contact your local IT help desk for assistance with managing users in AD groups.
Resolution
Confirm with your IT department whether the users getting disabled are members of the AD Security Group designated to synchronize with Axiom. Ensure that their user name in AD matches their Axiom login.
If you are unsure which AD security groups are associated with Axiom Rolling Forecasting, your MSU or Axiom system administrator can check the Active Directory Import task in Scheduler.
To determine which AD security groups are designated to sync with Axiom:
- On the Axiom tab, in the Administration group, click Manage > Scheduler.
  NOTE: In systems with installed products, this feature may be located on the Admin tab. In the System Management group, click Scheduler.
- In the Scheduled Jobs tab, double-click the Active Directory Import job to open it. Note that the name of the job is determined by your MSU and may not be the same as the example.
- In the Tasks section of the job, select Active Directory Import.
- In the Task Details, on the Source Directory tab, the Active Directory security groups are listed in the Groups to import section.
Alternatively, if the user has been added manually and you do not want them to be affected by the AD Import task at all, you can disable sync for that user within Axiom Security. To access Axiom Security and change user settings, you must be a system administrator, a subsystem administrator, or a user with the Administer Security permission.
To disable AD sync for a user:
- On the Axiom tab, in the Administration group, click Manage > Security > Security Manager.
  NOTE: In systems with installed products, this feature may be located on the Admin tab. In the System Management group, click Security > Security Manager.
- In the Security Management dialog, select the user from the list.
- In the General tab, clear the Directory Sync Enabled check box.
Outcome
Users who have been added to the appropriate AD security group, or who have Directory Sync Enabled unchecked, will not be disabled every time the Active Directory Import Scheduler job runs.
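The membership and user-name check from the Resolution section can be run by IT against AD directly. The script below is an added example, not Axiom or vendor code. It assumes the RSAT ActiveDirectory module, a placeholder group name taken from Groups to import, a hand-made CSV of Axiom logins with a Login column, and that Axiom logins correspond to sAMAccountName.

```powershell
# Added example; not vendor code. Placeholders and assumptions are marked.
Import-Module ActiveDirectory   # RSAT Active Directory module

$GroupName = 'AXIOM-SYNC-GROUP-PLACEHOLDER'   # placeholder: name from "Groups to import"
$LoginFile = '.\axiom_logins.csv'             # assumed: hand-made CSV with a "Login" column

# Leaf user members of the group. -Recursive also walks nested groups; whether the
# import does the same is an assumption, so drop it to check direct members only.
$members = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName })

$report = foreach ($row in Import-Csv -Path $LoginFile) {
    # Assumption: the Axiom login equals sAMAccountName, optionally as DOMAIN\name.
    $sam     = ($row.Login.Trim() -split '\\')[-1]
    $escaped = $sam.Replace("'", "''")        # keep the -Filter string well-formed
    $adUser  = Get-ADUser -Filter "SamAccountName -eq '$escaped'"

    $inGroup = [bool]($adUser -and ($members -contains $adUser.SamAccountName))

    $status = if (-not $adUser) {
        'No AD account with this name (compare spelling with the Axiom login)'
    } elseif (-not $adUser.Enabled) {
        'AD account is disabled'
    } elseif (-not $inGroup) {
        'Enabled in AD but not a member of the sync group'
    } else {
        'OK'
    }

    [pscustomobject]@{
        AxiomLogin = $row.Login
        InAD       = [bool]$adUser
        InGroup    = $inGroup
        Status     = $status
    }
}

# Anything other than OK is a candidate for being disabled at the next import run.
$report | Sort-Object Status | Format-Table -AutoSize
```

Users reported as anything other than OK either need to be added to the group by IT or have Directory Sync Enabled cleared in Axiom Security.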
See also
- How Active Directory user synchronization works
- Synchronizing users with Active Directory
- Creating a Scheduler job to import users from Active Directory
Article information
Category | Security
Applies To | All versions
Tags | Active Directory, AD Import, Security Group, User Security, Directory Sync Enabled
Issue Number(s) | N/A