Duplicate Drive Encryption users shown after running the query 'DE: Users' or 'EE: Users'
Technical Articles ID:
KB76111
Last Modified: 2024-01-06 09:08:42 Etc/GMT
Problem
You see duplicate users after you run the DE query report DE: Users.
The MfeEpe.log records the following errors:
ERROR | SatusService | Failed to add Drive Encryption users
ERROR | EpoPlugin | userHandler: failed to process batched user data response: [0xEE050006] [0xEE050006] Following exceptions were raised when processing user list class EPE_user_exists_exception: [0xEE050001] The user <username> already exists: Code :3993305089
System Change
More than one registered server has been created for the same domain.
Cause
Duplicate users can be created in the following scenario:
- Multiple entry points exist to the same Active Directory forest, and
- ePolicy Orchestrator (ePO) can query the same user objects from two different ePO Registered LDAP Servers.
The problem most often occurs when two Registered LDAP Servers are directed to the same domain. It can also occur when both of the following are true:
- Multiple Registered LDAP Servers are directed to child domains, and
- The Global Catalog or Chase Referrals option is enabled.
DE allows duplicate users if the same domain is registered twice with different Registered LDAP Servers.
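The two conditions above can be checked offline against an export of the Registered LDAP Server list and of a user query. The script below is an added example, not code from KB76111 or from the ePO product: it detects overlapping RootDNs (the same domain registered twice, or a parent-domain server that also reaches a registered child domain because Global Catalog or Chase Referrals is enabled on it) and then flags users returned by more than one LDAP server ID, using the same three columns as the DE: Duplicate Users query built in Solution 2 (user name, LDAP server ID, Registered LDAP server name). The server names, domains, IDs and field names are constructed for the example.

```python
"""Added example (not from KB76111 or the ePO product): checks for the two conditions
the Cause section describes, on constructed data rather than a live ePO database.

1. Registered LDAP Servers whose RootDN overlaps: the same domain registered twice,
   or a parent-domain server that also reaches a separately registered child domain
   because Global Catalog or Chase Referrals is enabled on it.
2. Drive Encryption users returned by more than one Registered LDAP Server, using the
   same three columns as the DE: Duplicate Users query (user name, LDAP server ID,
   Registered LDAP server name).
"""
from collections import defaultdict


def normalize_dn(dn):
    """Compare DNs case- and whitespace-insensitively ("DC=Corp, DC=Example" == "dc=corp,dc=example")."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_same_or_parent(root_a, root_b):
    """True when root_a equals root_b or is an ancestor of it (root_b ends with root_a's RDNs)."""
    a = normalize_dn(root_a).split(",")
    b = normalize_dn(root_b).split(",")
    return len(a) <= len(b) and b[len(b) - len(a):] == a


def overlapping_servers(servers):
    """Return (server, server, reason) for each pair of Registered LDAP Servers that can
    hand ePO the same user objects. Each server is a dict with name, root_dn,
    global_catalog and chase_referrals (hypothetical field names for this example)."""
    findings = []
    for i, s in enumerate(servers):
        for t in servers[i + 1:]:
            if normalize_dn(s["root_dn"]) == normalize_dn(t["root_dn"]):
                findings.append((s["name"], t["name"], "same RootDN registered twice"))
                continue
            # A parent-domain server only sees the child's users if GC or Chase Referrals is on.
            for parent, child in ((s, t), (t, s)):
                if is_same_or_parent(parent["root_dn"], child["root_dn"]) and (
                    parent["global_catalog"] or parent["chase_referrals"]
                ):
                    findings.append((parent["name"], child["name"],
                                     "parent reaches child domain via Global Catalog/Chase Referrals"))
    return findings


def duplicate_users(rows):
    """rows: (user name, LDAP server ID, Registered LDAP server name) tuples.
    Returns {user name: sorted [(ldap id, server name), ...]} for users seen from
    more than one LDAP server ID, which is what DE rejects with EPE_user_exists_exception."""
    seen = defaultdict(set)
    for user, ldap_id, server_name in rows:
        seen[user.lower()].add((ldap_id, server_name))
    return {u: sorted(s) for u, s in seen.items()
            if len({ldap_id for ldap_id, _ in s}) > 1}


# Constructed sample data: hypothetical server names, domains and IDs.
SAMPLE_SERVERS = [
    {"name": "Corp Root", "root_dn": "DC=corp,DC=example,DC=com",
     "global_catalog": True, "chase_referrals": False},
    {"name": "Corp Root (old)", "root_dn": "dc=corp, dc=example, dc=com",
     "global_catalog": False, "chase_referrals": False},
    {"name": "EMEA child", "root_dn": "DC=emea,DC=corp,DC=example,DC=com",
     "global_catalog": False, "chase_referrals": False},
    {"name": "Lab", "root_dn": "DC=lab,DC=local",
     "global_catalog": False, "chase_referrals": False},
]

SAMPLE_USER_ROWS = [
    ("CORP\\alice", 1, "Corp Root"),
    ("CORP\\alice", 2, "Corp Root (old)"),   # same user via the duplicate server
    ("CORP\\bob", 1, "Corp Root"),
    ("EMEA\\carol", 1, "Corp Root"),         # reached through the Global Catalog
    ("EMEA\\carol", 3, "EMEA child"),        # and again through the child-domain server
    ("LAB\\dave", 4, "Lab"),
]

if __name__ == "__main__":
    for a, b, why in overlapping_servers(SAMPLE_SERVERS):
        print(f"overlap: {a} / {b}: {why}")
    for user, sources in duplicate_users(SAMPLE_USER_ROWS).items():
        print(f"duplicate user {user}: {sources}")
```

On the constructed data the script reports Corp Root and Corp Root (old) as the same RootDN registered twice, and Corp Root reaching EMEA child through the Global Catalog; Corp Root (old) is not flagged against EMEA child because neither Global Catalog nor Chase Referrals is enabled on it. The user check then lists alice and carol as reachable from two LDAP server IDs, which is exactly the situation that produces the EPE_user_exists_exception in MfeEpe.log.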
Solution 1
To prevent duplicate users:
- Don’t create more than one Registered LDAP Server to the same Root Domain (RootDN).
If child domains are used:
- We suggest that you set the Registered Server to be directed to the top level of the forest.
- Use a Global Catalog or Chase Referrals to access user objects that exist in the child domains.
- For high availability, configure the Registered LDAP Server so that it’s directed to the RootDN using the “Domain name” option. This arrangement is preferred over the Registered LDAP being directed to a single Domain Controller using the “Server name” option.
Solution 2
To resolve the existing duplicate or orphaned user issue:
WARNING: The following actions cause any duplicated or orphaned users to become uninitialized. These users lose the following associated information:
- Data
- Password
- Single Sign On (SSO)
- Recovery information
- Upgrade the ePO Drive Encryption extensions to 7.2.0. Follow the steps in the DE Product Guide.
- Stop the ePolicy Orchestrator Server service (Apache) on the ePO server and any Agent Handlers.
- Click Menu, Automation Server, Server Tasks and disable the LdapSync: Sync Across Users from LDAP task.
- Identify the duplicated Registered LDAP Server and change the name to Duplicated:
- Click Menu, Configuration, Registered Servers.
- Select the duplicated Registered LDAP Server.
- Click Actions, Edit.
- Rename the LDAP server to Duplicated.
- To identify the Registered Servers LDAP ID and Orion ID, run the following query in SQL:
SELECT OrionLdapServers.ID as LdapID, OrionRegisteredServers.Name from OrionLdapServers
INNER JOIN OrionRegisteredServers
ON OrionLdapServers.RegisteredServerId=OrionRegisteredServers.ID
- Correct any System Tree Synchronization points:
- From System Tree, click the Group Details tab and view the Synchronization Type option for each sub group.
- If the Synchronization type shows configured, edit the configuration.
- If the Active Directory domain is configured to use Registered LDAP Server, select the correct registered server. Make sure that the duplicate registered server isn’t selected.
- Click Save.
- Correct any User-Based Policy Assignment Rules:
- Click Menu, Policy, Policy Assignment Rules.
- For any rules tagged as User, click the name to edit the rule.
- Click the Select Criteria tab.
- Click the +Folder option next to the User/Group/OU criteria.
- Click the Look in drop-down list and select the correct Registered LDAP Server.
- Identify and select the same User, Group, or OU that was previously configured.
- Click OK.
- Repeat the process for any additional Users, Groups, or OUs.
- If needed, modify the configuration for the original Registered LDAP Server for the domain to be directed to the RootDN of the domain. Also, enable Global Catalog or Chase Referrals. For more information, see KB79047 - Users are deleted after disabling the Global Catalog option on the LDAP registered server.
- To correct assigned AD Groups and OUs:
- Run the following query in SQL:
SELECT EPOBranchNode.NodeName, OrionLdapItems.ServerId, OrionLdapItems.Dn, EPEBranchGroups.EPOBranchNodeID
FROM EPEBranchGroups
INNER JOIN OrionLdapItems
ON EPEBranchGroups.GroupID=OrionLdapItems.ID
INNER JOIN EPOBranchNode
ON EPOBranchNode.AutoID=EPEBranchGroups.EPOBranchNodeID
- Create a Subgroup in Lost and Found.
- Click Encryption Users and add all listed groups to the new Subgroup.
- From Encryption Users, delete the Group or OU from each listed location and add it back using the correct Registered LDAP Server.
- Delete the Subgroup that was created in Lost and Found.
- Enable Autoboot and Active Local Domain User (ALDU) in the Drive Encryption product settings policy:
- Edit the Drive Encryption product policy you’re using.
- Click the Log On tab and select Enable automatic booting.
- Enable Add Local Domain users for either All previous logged in users or Currently logged in user.
- Click Save.
- To enable Don’t Prompt for Default Password:
- Edit the Drive Encryption User based policies.
- Click the Password tab.
- Deselect the option Change default password, if selected.
- Select Don’t prompt for default password.
NOTE: The Change default password option can't be used with the option Don’t prompt for default password. To prevent unauthorized access to systems with the default password, use the option Expire users who do not login in the Product Settings Policy.
- Remove the EE:ALDU tag from all systems:
- Navigate to System Tree.
- Click This Group Only Preset and select This Group and All Subgroups.
- Select all systems. To select all, select the first system in the list, scroll to the end of the list, and while holding the shift key down, select the last system.
- Click Actions, Tag, Clear Tag.
- Select the EE:ALDU tag, then click OK.
- Create a Duplicate User Query in Queries and Reports:
- Click Menu, Reporting, Queries and Reports.
- Click Actions, New.
- Click Drive Encryption, Drive Encryption – Duplicate Users, then click Next.
- Select Table and click Next.
- Make sure the user name (DE), LDAP server ID, and Registered LDAP server name columns are added, then click Next.
- On the Filter tab, click Save.
- Name the query DE: Duplicate Users.
- To modify the epeAdLookupCache table, follow the advice in KB85872 - 'Add Local Domain Users' fails to assign to client systems, after deletion of Registered LDAP Server. Contact Technical Support for assistance with changes to the SQL database.
- De-assign all Users:
- Click Menu, Reporting, Queries & Reports.
- Run the DE: Users query.
- Select all users: select the first entry in the list, scroll to the end of the list, and while holding the shift key down, select the last entry.
- Click Actions, Drive Encryption, Deassign user(s) from all systems.
- When prompted, click Yes.
NOTE: An error is displayed because users assigned via a Group aren't removed.
- Run the duplicate users SQL query again and identify if any duplicate users still exist.
- Enable the LdapSync: Sync Across Users from LDAP tasks.
- Delete the duplicate Registered LDAP Server from ePO Registered Servers:
- Click Menu, Configuration, Registered Servers.
- Identify the duplicated Registered LDAP Server.
- Configure the original to be directed to the RootDN of the forest.
- Start the ePolicy Orchestrator Server service (Apache) on the ePO server and any Agent Handlers.
- When a system is tagged with EE:ALDU, the user has been reassigned and the original policy can be reapplied to the system.