Missing user in AD group

Hello,

I have Openfire 3.3.2 installed on a Windows 2000 box chugging away happily. However I am missing a user from the AD group we use for messaging in our company. In AD I have added all users to a single group (west) and have set that group as “Enable contact list group sharing” - “on”. The AD shows the list as having 26 members, but Wildfire lists only 25 members in the “Group Summary” group listing for “west”.

I checked to see if I could search for the missing user with the “User Search” tool in Wildfire, and Wildfire correctly displays the user’s contact info and group membership. So even though Wildfire recognises the user is in the “west” group, it does not “see” that user when examining the “west” group or display that name in the “west” group in Spark. It’s a shame as the user is my manager and is the only one who does not show up automatically!

Any suggestions?

Scott

I suppose I could do my manager in and then it would not matter - but I would prefer a cleaner solution!

Are there any irregularities in his profile in AD? Does his username show up in the user list without a search? Is his user account in a different OU in AD that may be outside the scope of your LDAP config of Openfire (the account would still work but not show in the Openfire server)?

Hello “mtstravel”

Thanks for the reply,

No, there are no irregularities I can find in the user’s AD profile. His user name DOES show up when you search - I presume you mean a user search in Openfire. Others in the same OU do display in the user list so his OU is not outside the scope of the LDAP config string.

Scott

I don’t want you to search. Manually go through the pages of the listed users to see if it shows (tedious I know). All the characters of his username are standard alphanumeric?

mtstravel, thanks for the hand!

Yes, The user shows up in the user list and is logged in.

The other thing is how many users are we talking here? AD has some built in limits. You may need to increase the MaxPageSize http://support.microsoft.com/?kbid=315071.

As unlikely as it is you may just have a corrupt AD group. To test this you could create a test group and supply it with the same members as the group in question, starting with the missing member, and test that.

Corruption sounds more probable as we are a small installation of ~200 users. The limit of 10,000 records that applies in our case would be sufficient even with all the machine accounts and other accounts.

The user does not show up in the new AD test group in Openfire - He is the only member.

Sorry, was drooling over new iPods. That brings me back to the user profile. It would appear as though there is something amiss with his profile in AD. I would concentrate there. I feel you have ruled out Openfire (manual browse to find) and AD group corruption. That leaves user account issues in AD.

I am wondering if the user ID in question has a primary group defined. This can cause problems with LDAP queries. See this article (not so good): http://support.microsoft.com/kb/275523
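The two checks raised in this thread (are all characters in the member's name plain alphanumeric, and could a primary group be hiding him) can be run against the raw LDAP data rather than through the Openfire console. The script below is an added example, not code from the thread or from Openfire. It mimics what a directory-backed group provider has to do: take each DN in the group's `member` attribute, look the entry up, and read the username attribute (Openfire's `ldap.usernameField`, assumed here to be `sAMAccountName`). It then flags two ways a member can drop out of that resolution: a member DN containing an escaped comma, which a naive comma-split parser mangles, and a user whose `primaryGroupID` points at the group, which AD does not list in `member` at all (the behaviour the KB 275523 link describes). The directory snapshot, the `west` group's SID, and the user names are constructed sample data; replace `DIRECTORY` with attributes fetched from a domain controller to run it for real.

```python
"""Offline audit of how an AD group's `member` DNs resolve to usernames.

Added example (not Openfire code). The directory below is a constructed
snapshot: DN -> attributes. The escaped-comma DN and the primary-group-only
user are assumptions made to exercise the two checks.
"""
from typing import Dict, List, Optional, Tuple

DIRECTORY: Dict[str, Dict[str, object]] = {
    "CN=west,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        # Constructed SID; the trailing component (RID) is what primaryGroupID refers to.
        "objectSid": "S-1-5-21-1111-2222-3333-1105",
        "member": [
            "CN=Alice Adams,OU=West,DC=example,DC=com",
            "CN=Bob Brown,OU=West,DC=example,DC=com",
            # RDN value "Manager, Carol" with the comma escaped per RFC 4514.
            "CN=Manager\\, Carol,OU=West,DC=example,DC=com",
        ],
    },
    "CN=Alice Adams,OU=West,DC=example,DC=com": {
        "sAMAccountName": "alice.adams", "primaryGroupID": 513},
    "CN=Bob Brown,OU=West,DC=example,DC=com": {
        "sAMAccountName": "bob.brown", "primaryGroupID": 513},
    "CN=Manager\\, Carol,OU=West,DC=example,DC=com": {
        "sAMAccountName": "carol.manager", "primaryGroupID": 513},
    # Primary group set to `west` (RID 1105): AD omits this user from `member`.
    "CN=Dan Dunn,OU=West,DC=example,DC=com": {
        "sAMAccountName": "dan.dunn", "primaryGroupID": 1105},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, honouring backslash escapes."""
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                          # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip(), value))
    return out


def first_rdn_value(dn: str) -> str:
    """Leftmost RDN value via the escape-aware parser (e.g. the CN)."""
    return parse_dn(dn)[0][1]


def naive_rdn_value(dn: str) -> str:
    """What a plain split-on-comma parser returns for the leftmost RDN value."""
    return dn.split(",")[0].split("=", 1)[1]


def resolve_members(directory: Dict[str, Dict[str, object]], group_dn: str,
                    username_field: str = "sAMAccountName") -> Tuple[List[str], List[str]]:
    """Map each `member` DN to its username; return (usernames, unresolved DNs)."""
    usernames: List[str] = []
    unresolved: List[str] = []
    for member_dn in directory[group_dn]["member"]:
        entry: Optional[Dict[str, object]] = directory.get(member_dn)
        if entry is None or username_field not in entry:
            unresolved.append(member_dn)
        else:
            usernames.append(str(entry[username_field]))
    return sorted(usernames), unresolved


def escaped_member_dns(directory: Dict[str, Dict[str, object]], group_dn: str) -> List[str]:
    """Member DNs whose CN differs between a naive split and a proper parse."""
    return [dn for dn in directory[group_dn]["member"]
            if naive_rdn_value(dn) != first_rdn_value(dn)]


def rid(sid: str) -> int:
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def primary_group_only_members(directory: Dict[str, Dict[str, object]], group_dn: str,
                               username_field: str = "sAMAccountName") -> List[str]:
    """Users whose primaryGroupID is this group's RID but who are absent from `member`."""
    group = directory[group_dn]
    group_rid = rid(str(group["objectSid"]))
    listed = set(group["member"])
    return sorted(str(attrs[username_field]) for dn, attrs in directory.items()
                  if dn not in listed and attrs.get("primaryGroupID") == group_rid)


def audit_group(directory: Dict[str, Dict[str, object]], group_dn: str) -> Dict[str, object]:
    """Summarise everything a practitioner would compare against the AD member count."""
    usernames, unresolved = resolve_members(directory, group_dn)
    return {
        "ad_member_count": len(directory[group_dn]["member"]),
        "resolved": usernames,
        "unresolved": unresolved,
        "escaped_dns": escaped_member_dns(directory, group_dn),
        "primary_group_only": primary_group_only_members(directory, group_dn),
    }


if __name__ == "__main__":
    for key, value in audit_group(DIRECTORY, "CN=west,OU=Groups,DC=example,DC=com").items():
        print(f"{key}: {value}")
```

If a provider resolves members with the naive split, `CN=Manager\, Carol,...` yields `Manager\` as the CN and the lookup fails, which is the kind of non-alphanumeric trap the question about the username's characters is aimed at; the primary-group check covers the case where AD's own count and the `member` attribute disagree.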

No, he has no primary group defined. His profile is identical (for these purposes) to others in his OU and group.

Are you using Exchange? If not could his user ID be recreated without too much difficulty?

I am going to give that a try even though he is on Exchange. Messy but doable. I think his user ID is corrupt. I recall his account was automatically linked to an imported Exchange account with the same name but the wrong person. It was a headache to get the account detached and set up correctly. This will take a while. :(

It is fairly simple to do this with the Exchange tasks menu on your AD server. I have a procedure here for it somewhere; it only takes a few minutes to move the mailbox. The tedious part is group membership.

See this KB article: http://support.microsoft.com/kb/274343

Thanks, I’ll give it a try.

I have deleted the user in the AD and recreated a new user in the same OU as the old user with the same group membership. The new user has a similar ID and has been linked to the Exchange mailbox for the old user name. The user still does not show up in the Openfire group.

I created a test user with the same group membership and OU. That user does display in the Openfire group.

I wonder if the problem is linked to Exchange. I will try disassociating the user from Exchange and re-creating the ID again without making an Exchange association.

Am I barking up the wrong tree?

Scott

I would tend to think you are barking up the wrong tree when it comes to exchange. That said it does not hurt to try. Does he show up in any group at all on Openfire (create a new group to test). Add everybody else to the new group that he does show in. Does he still stay there as well as all the other users?

Scott -

You’re not the only one seeing this issue. I’ve been battling this one for a while. I have 4 users that exhibit the same “weirdness” you are describing here. I’ve also tried a few more things that seem to boggle the mind:

I took one of the users affected by this and “renamed” her name in Active Directory. (We use firstname.lastname as a standard for our user accounts.) So I renamed her (for example) firstname.lastname1, waited a bit for it to populate out to all our servers and then went into Openfire, cleared the cache and, lo and behold, the person shows CORRECTLY in the group listing in Openfire. I then tried to create a new user (as you have mentioned trying) with the correct naming info - firstname.lastname - and it DOESN’T show in Openfire. When I tried to change the name back to the correct one, it stops showing again.

I’ve been tracking several posts in the forum about this issue - here’s just one of them - http://www.igniterealtime.org/community/thread/26283

If you figure out the way out of this “user black hole”, let me know, as I definitely would like a map!!

Kurt

Kurt,

Thanks for cross-posting. This seems to be no small issue. I am sure it is an LDAP query problem, but I do not have the skill to troubleshoot LDAP problems.