ADSync Troubleshooting

1. Managed User Groups don’t show all Governance Allowed Groups

If the Managed_User_Groups table doesn’t show all the groups in SharePoint Governance, follow these steps:

  1. Make sure "Enable SharePoint/OneDrive Governance" is turned on in the Admin Portal

  2. Add groups to allowed groups in SharePoint sites

  3. Restart ADSync

Look in the logs to make sure it works:

  1. Look for this line in the ADSync log: “groups in SHAREPOINT_SITES table:”

  2. The result should show all the groups that ADSync pulled from Governance

 

2. Users not deleted from the Managed/federation users tables

A. Before AD-Sync 1.2.8:

If AD-Sync finds a group with policies and without users, it will show the following warning in the logger:
“Found X groups without policies, deleting from TABLE_NAME table was not commited“

In more advanced versions, AD-Sync writes an additional log entry that also contains the names of all the groups without users:
“The group GROUP_NAME is without users“

To fix this issue, please add users to these groups, or remove these groups from all policies.

B. Starting from AD-Sync 1.2.8: (Alert Codes: 100 and 101)

Background:
AD-Sync sometimes removes many users from the FEDERATION_USER_GROUPS table or from the MANAGED_USER_GROUPS table. This happens when a group with a lot of users is removed from EW policies or from the allowed groups on SharePoint sites, or when the group type is changed in the AD (see the OLAM case below). Customers usually do this for a short period while they change group policies. During this short period it causes many problems in the adapter (many subscriptions were deleted, etc.).
To fix this issue, we added a new configuration setting that prevents deleting many users: “MinUsersNotDelete”.
If AD-Sync is about to delete more managed users than MinUsersNotDelete, it will not delete them and will show the following warning instead:
"The number of users that we are going to delete from TABLE_NAME is X, but is bigger than MinUsersNotDelete, it's probably a problem. so we are not deleting them".

So, if users are not deleted from the managed/federation users tables, search the logger for the message shown in the section above (“The number…”) and change the “MinUsersNotDelete” setting if needed.

27/6/22 - This case happened in OLAM because one of the Managed Groups was changed to a Distribution Group, and we support only Security groups. In this case, AD-Sync did not recognise the Distribution group, so it wanted to delete all the users in this group (10K users) from the federation/managed user group tables. The protection mechanism was turned on and prevented this big deletion.
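
An added example, not part of AD-Sync or of the original page: a small Python triage that scans log lines for the warnings quoted in sections A and B and summarises which tables had a deletion blocked and which groups are empty. The function name `triage`, the timestamp/level prefix and the sample group name are assumptions; only the message texts come from the page.

```python
import re

# Message texts are taken from the page; the "commited" spelling is kept
# because the pattern has to match what the log actually contains.
BLOCKED = re.compile(r"going to delete from (?P<table>\w+) is (?P<count>\d+), "
                     r"but is bigger than MinUsersNotDelete")
NOT_COMMITTED = re.compile(r"Found (?P<count>\d+) groups without policies, "
                           r"deleting from (?P<table>\w+) table was not commited")
EMPTY_GROUP = re.compile(r"The group (?P<group>.+?) is without users")


def triage(lines):
    """Summarise the AD-Sync deletion warnings found in an iterable of log lines."""
    report = {"blocked": {}, "not_committed": {}, "empty_groups": []}
    for line in lines:
        if m := BLOCKED.search(line):
            # MinUsersNotDelete guard (section B): keep the largest count per table.
            table, count = m["table"], int(m["count"])
            report["blocked"][table] = max(count, report["blocked"].get(table, 0))
        elif m := NOT_COMMITTED.search(line):
            # Section A warning: the delete was skipped for this table.
            report["not_committed"][m["table"]] = int(m["count"])
        elif m := EMPTY_GROUP.search(line):
            # Section A follow-up line naming a group with no users.
            if m["group"] not in report["empty_groups"]:
                report["empty_groups"].append(m["group"])
    return report


# Constructed sample lines: the timestamp/level prefix and the group name are
# assumptions; the message bodies follow the texts quoted on the page.
SAMPLE_LOG = [
    "2022-06-27 10:00:01 WARN The number of users that we are going to delete "
    "from FEDERATION_USER_GROUPS is 10000, but is bigger than MinUsersNotDelete, "
    "it's probably a problem. so we are not deleting them",
    "2022-06-27 10:00:02 WARN Found 2 groups without policies, deleting from "
    "MANAGED_USER_GROUPS table was not commited",
    "2022-06-27 10:00:02 WARN The group Finance All Staff is without users",
    "2022-06-27 10:00:02 WARN The group Finance All Staff is without users",
    "2022-06-27 10:00:03 INFO sync cycle finished",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for table, count in result["blocked"].items():
        print(f"{table}: deletion of {count} users blocked by MinUsersNotDelete")
    for table, count in result["not_committed"].items():
        print(f"{table}: delete not committed, {count} groups reported")
    for group in result["empty_groups"]:
        print(f"group without users: {group}")
```

A blocked count close to the size of a whole group, as in the OLAM case, points at a group type or policy change to check before touching MinUsersNotDelete.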