KB-11863: adquery group {groupname} returns user lists that include non-zoned users

Authentication Service

21 March,19 at 04:16 PM

Problem:

When running the adquery group command, the expected output lists only accounts that are zoned to the server on which the command is run. However, users that have since been deleted may still appear in the member list.

Example below:

$ adquery group testadm
testadm:x:64310:william,sboddu,thomas

$ adquery user thomas
thomas is not a zone user

The user thomas appears in the adquery group result, but querying that user ID directly shows that the user is not zoned.



Cause:

Adding a user to an Active Directory group and then removing the user from the group updates the uSNChanged attribute of the group. If, however, an existing member's user account is deleted from Active Directory, the uSNChanged attribute of the group that contained it remains UNCHANGED. Because the cached copy of the group is only refreshed when its uSNChanged value changes, the deleted member stays in the cached membership list until the object is refreshed.
Solution:

Run the following command to refresh the AD group object in the Centrify cache on the server:

# adobjectrefresh -g testadm

Additionally, the following parameter can be set in the /etc/centrifydc/centrifydc.conf file so that the group object is refreshed automatically, whether or not a change is detected:

adclient.cache.object.lifetime: 8

The above setting causes the cached object to be refreshed automatically every 8 hours.
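As an added example (not part of this KB article or of Centrify's own tooling), the following POSIX shell script automates the check described above: it parses the passwd-style line printed by adquery group, runs adquery user for each member, and reports the members adclient says are not zoned. The per-user check command is passed in as a parameter so the parsing can be exercised with constructed output; the "adquery user" text format and the root-only adobjectrefresh call are assumed to match what the article shows.

```shell
#!/bin/sh
# Added example: find members of an adquery group result that adclient does
# not consider zoned (the symptom described in this article).
# Assumed input format: "name:x:gid:member1,member2" as printed by adquery group.

# Print the member list of a group line, one name per line.
group_members() {
    # $1: one line as printed by "adquery group <name>"
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Return 0 if the text produced by "adquery user <name>" says the user is not zoned.
is_not_zoned_msg() {
    # $1: output of "adquery user <name>" (assumed wording, as shown above)
    case "$1" in
        *"is not a zone user"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Given a group line and a command that prints "adquery user"-style output for a
# user name, print the members that are reported as not zoned (space separated).
stale_members() {
    group_line=$1
    check_cmd=$2          # e.g. "adquery user"; a constructed checker in the test
    result=""
    for m in $(group_members "$group_line"); do
        # adquery user exits non-zero for a non-zoned user; keep its message anyway
        out=$($check_cmd "$m" 2>&1) || true
        if is_not_zoned_msg "$out"; then
            result="$result $m"
        fi
    done
    printf '%s\n' "${result# }"
}

# Real use on a Centrify-joined host: "sh script.sh <groupname>" reports stale
# members and names the refresh command (adobjectrefresh must be run as root).
if command -v adquery >/dev/null 2>&1 && [ -n "$1" ]; then
    stale=$(stale_members "$(adquery group "$1")" "adquery user")
    if [ -n "$stale" ]; then
        echo "non-zoned members still cached for $1: $stale"
        echo "refresh with: adobjectrefresh -g $1"
    fi
fi
```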
