Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-20564: adclient shows incorrect membership if member object is moved in AD

Authentication Service ,  

15 April,20 at 09:31 AM


If the user object is moved in Active Directory (For example, from one container moved to another one). The result of command adquery group <group> -m is not showing the moved user as a member even if the membership remains unchanged.

For example:

  1. adquery group g1 -A --> Shows 2 member correctly
  1. Move user1 to a different container in AD
Before: ivan.lab/Users/user1
After: ivan.lab/Centrify/user1
  1. adquery user m1 -A --> Shows the location change correctly
[root@centos 5.5.2]# adquery user user1 -A
  1. adquery group g1 -A --> Doesn't see the change of user1 but user1 is missing from unixMembers


When moving the AD user object, the AD user object usnChanged will change (This is where we determine if this object information is updated or not), however the usnChanged will not change for the groups. The group object cache will keep the user's old DN and this causes adclient fail to locate the moved user. Therefore, adclient requires a group cache rebuild in order to detect the AD object changes.


To ensure the most updated group membership after moving its member objects in AD, you can run the following commands to temporary workaround the issue:

1) adflush (To rebuild the entire cache)


2) adobjectrefresh -g <groupname> (To rebuild the specific group cache)


This issue has been fixed in Centrify Infrastructure Service 19.6 release.