Well, I certainly don't understand what happened under the covers, but it is
100% clear to me that the users got "deleted" in AD while "preserving" them
in IPA.
I could see an argument where "ipa user-del user --preserve" is technically
still a delete (semantics).
I might look at migrating to a trust

Rob Brown wrote:
> yeah, I did find the users in AD under:
> CN=Deleted Objects,DC=foo,DC=domain,DC=com
> and, the users actually have the attribute:
> isDeleted = TRUE
> so, looks like they were actually deleted (from AD perspective).
> It seems like the delete sync is two-way (surprising, since c

Rob Brown via FreeIPA-users wrote:
> Our company recently implemented freeipa to replace a cent5 kerberos
> infrastructure. We set it up with a Winsync agreement with an AD domain,
> and it is working pretty well.
> Our user disposition workflow in AD is this: user account is disabled,
> and moved to