Rob Brown via FreeIPA-users wrote:
> Our company recently implemented freeipa to replace a cent5 kerberos
> infrastructure. We set it up with a Winsync agreement with an AD domain,
> and it is working pretty well.
> Our user disposition workflow in AD is this: user account is disabled,
> and moved to a "terminated users" OU in AD. The account disable sync was
> working fine to IPA, but yesterday I decided to "clean up" the Active
> Users list in IPA, by deleting (with --preserve) all the disabled
> accounts (there were many). This looked fine from the IPA side: the
> accounts got moved into the Preserved users area (in the gui).
> However, much to my dismay I later discovered that all of the termed
> accounts in AD are gone. WHAT!!!???
> This is bad (for historical/compliance), and came as a shock to me,
> because the docs say: "While modifications are bi-directional (going
> both from Active Directory to IdM and from IdM to Active Directory),
> creating or adding accounts are only uni-directional, from Active
> Directory to Identity Management". So WHY ON EARTH would a delete be
> bi-directional? I'm suspecting (hoping) that the accounts weren't
> actually deleted, that they are just hidden somewhere in AD that I can't
> see. PLEASE, if anyone can point me in the right direction here as to
> what happened I would appreciate it.

As someone mentioned in IRC marking a user as preserved moves them from
the user container to cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX.

So perhaps AD honored the rename.
