Deleting an AD user from CI$User

Sandy_Wood

I'm struggling with an issue where a user who is a member of the Portal Analyst AD group is not getting the New button on his portal.

I've run this and it indeed shows '0' for Analyst.

Use ServiceManagement

SELECT Analyst,AssetManager,KnowledgeManager,Username,DistinguishedName

FROM CI$User

WHERE UserName = 'username'

I've resynched AD, restarted CacheBuilder, still no go. I turned on ALL in CacheBuilder and found that the user is indeed in the proper group. My next though was to delete him from the CI$User table in hopes that might yield something. Has anyone done this?

Justin_Workman

@Sandy_Wood
There's nothing to worry about when deleting a user from that table.  You can truncate that whole table if you like.  If you stop the cachebuilder service, then truncate both CI$User and LastModified, then start the cachebuilder service, all users will come back in.  If there are no errors for that user in the cachebuilder log though, I'm not sure that will have much impact(however it may still be worth a try).  I'd verify they are indeed a member of the analyst group specified in Setting Items.  I'd also verify the DistinguishedName in their CI matches the DistinguishedName in AD; though there would be an error in the cachebuilder log if they didn't match.  I hope this helps.

Justin_Workman

The Cachebuilder job for user sync only runs once a day unless you force it to run.  Stop Cachebuilder and truncate the LastModified table and start it back up.

Justin_Workman

@Sandy_Wood
There's nothing to worry about when deleting a user from that table.  You can truncate that whole table if you like.  If you stop the cachebuilder service, then truncate both CI$User and LastModified, then start the cachebuilder service, all users will come back in.  If there are no errors for that user in the cachebuilder log though, I'm not sure that will have much impact(however it may still be worth a try).  I'd verify they are indeed a member of the analyst group specified in Setting Items.  I'd also verify the DistinguishedName in their CI matches the DistinguishedName in AD; though there would be an error in the cachebuilder log if they didn't match.  I hope this helps.

Sandy_Wood

Thanks for the note back on my question. I'll give it a try - at this point I need to try everything!

I've verified my guy is a member of the analyst group specified in Settings Items. His Distinguished name in AD matches the Distinguished name in their CI. This one really has me stumped. I don't suppose there's anyway to force the Analyst role in the database. I'm guessing it will just get reset the next sync.

I've got a support case open to see if there's something else I might do. Funny that this just started happening right after upgrading the portal.

Sandy_Wood

May have stumbled onto the issue. There were two entries for my user in CI$Users. One with Analyst 1, one with Analyst 0. I just deleted them both and am synching AD. We'll see how it goes.

Justin_Workman

That'll do it!

Sandy_Wood

Well, I'm almost there. I deleted the two entries for my user and then restarted Cache Builder. Now I'm getting this in the log

2018-04-04 15:12:57,609, WARN  [   5]:  cn=<my user> is a member of cn=<his groups>, but does not exist in the database.

I've rerun SCSM AD sync twice. Should I just be patient on this?

Justin_Workman

The Cachebuilder job for user sync only runs once a day unless you force it to run.  Stop Cachebuilder and truncate the LastModified table and start it back up.

Sandy_Wood

Did exactly as you suggested, and my user is finally an Analyst! I ran across your suggestion from a KB post somewhere on the site referring to how to 'rebuild' the user db. It seemed that no matter how many times I restarted CacheBuilder nothing changed until I truncated the LastModified table. (You did mention that way back up this thread and I completely ignored it. Gotta pay attention.)

Thanks again!

Justin_Workman

Glad it's working!

Sandy_Wood

Me too!