
RM Unify AD Sync log contains error "Failed to process movement for User"
Published Date : 30 Nov 2015   Last Updated : 04 Oct 2024   Content Ref: TEC4884695  





Symptoms

The RM Unify AD Sync log contains one or multiple entries of the following error:

"Failed to process movement for User <username> (<ADSyncID>) - System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server"

where <username> is an Active Directory user account and <ADSyncID> is the unique ID assigned to the user by RM Unify AD Sync.

In addition to this error, the user is listed in the Users node of the RM Unify AD Sync Configuration Tool and has an active RM Unify account.



Cause

This error occurs when:

  • the organisational unit containing the user's Active Directory (AD) account has been deleted. Because the account was removed in this way (rather than by deleting the AD account directly), RM Unify AD Sync does not detect the deletion and retains the user in the RM Unify AD Sync database, so the RM Unify account remains active along with any linked applications such as Microsoft 365, Google Workspace, etc. This issue is resolved in AD Sync v4.
  • a user who has an RM Unify account provisioned via an active AD filter is moved in AD to a new location/OU that is not scanned by an active AD filter and is then deleted. If AD Sync is unaware of the destination OU (i.e. no AD filter is configured to scan it), an AD account deletion in that OU will not be detected; the user account will remain in the AD Sync database and in RM Unify, along with any linked applications such as Microsoft 365, Google Workspace, etc.
  • the identitysyncservice user does not have permission to view objects in the AD Deleted Objects container.
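
Each of these errors names an account that no longer exists in AD but may still be active in RM Unify and its linked applications, so a de-duplicated list of affected users is a useful starting point for review. The PowerShell below is an added example, not RM code: `Get-AdSyncFailedMovement` is a hypothetical helper, it matches only the message text quoted above, and the sample lines (including their timestamp prefix) are constructed.

```powershell
# Added example (not RM code): list the accounts named in
# "Failed to process movement" errors so each can be reviewed.
function Get-AdSyncFailedMovement {
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$Line
    )
    begin {
        # Matches only the message text quoted in the article; any timestamp
        # or level prefix in front of it is ignored.
        $pattern = 'Failed to process movement for User (?<User>.+?) \((?<Id>[^)]+)\) - ' +
                   'System\.DirectoryServices\.DirectoryServicesCOMException \(0x80072030\)'
        $seen = @{}
    }
    process {
        foreach ($entry in $Line) {
            if ($entry -match $pattern) {
                $id = $Matches['Id']
                if (-not $seen.ContainsKey($id)) {
                    $seen[$id] = [pscustomobject]@{
                        User = $Matches['User']; ADSyncID = $id; Occurrences = 0
                    }
                }
                $seen[$id].Occurrences++
            }
        }
    }
    end { $seen.Values | Sort-Object User }
}

# Constructed sample lines: usernames, IDs and the timestamp prefix are made up.
$tail = ' - System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server'
$sample = @(
    "2024-10-04 09:15:02 ERROR Failed to process movement for User jsmith (example-id-0001)$tail"
    "2024-10-04 09:15:03 INFO Sync cycle completed"
    "2024-10-04 10:00:02 ERROR Failed to process movement for User jsmith (example-id-0001)$tail"
    "2024-10-04 10:00:02 ERROR Failed to process movement for User apatel (example-id-0002)$tail"
)
$sample | Get-AdSyncFailedMovement | Format-Table -AutoSize

# Real use (the log path is a placeholder; the article does not give one):
# Get-Content '<path to AD Sync log>' | Get-AdSyncFailedMovement
```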


Procedure

Check permissions on the AD Deleted Objects container
  1. Stop the RM Unify AD Sync service.
  2. On a domain controller, open a command prompt as an administrator.
  3. Type dsacls "cn=deleted objects,<DC=cc4,DC=net>" /takeownership, where <DC=cc4,DC=net> is the distinguished name of your AD domain, e.g. dsacls "cn=deleted objects,DC=cc4,DC=net" /takeownership.
    Note: The '/takeownership' parameter ensures that you do not see an "Insufficient access rights" message when running the dsacls command.
  4. Check if the identitysyncservice user is listed with Special Access, List Contents and Read Property permissions.
  5. If one or more permissions are missing, complete the following:
    Type dsacls "cn=deleted objects,<DC=cc4,dc=net>" /G <domain>\identitysyncservice:LCRP, where <DC=cc4,dc=net> is the distinguished name of your AD domain and <domain> is the AD domain, e.g. dsacls "cn=deleted objects,DC=cc4,dc=net" /G CC4\identitysyncservice:LCRP.
  6. Press Enter.
  7. Repeat steps 3 and 4 above to confirm that the identitysyncservice user now has the expected permissions.
  8. Start the RM Unify AD Sync service.
  9. Wait for approximately 45 minutes and check if the affected users have been removed from the RM Unify AD Sync Config Tool and are listed in the RM Unify Management Console, Users page under Deleted Users.
  10. If the affected users remain listed, please follow the steps in the section 'How to delete an AD Sync provisioned RM Unify user that no longer exists in AD' below.
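
The permission check in step 4 can be scripted so that a missing right is reported explicitly. The PowerShell below is an added example, not RM code: `Test-DeletedObjectsAcl` is a hypothetical helper that assumes dsacls prints each trustee on an Allow/Deny line followed by indented lines for further rights, and the sample listing is constructed.

```powershell
# Added example (not RM code): check a dsacls listing of the Deleted Objects
# container for the rights named in step 4.
function Test-DeletedObjectsAcl {
    param(
        [string[]]$DsaclsOutput,
        [string]$Account = 'identitysyncservice'
    )
    $required = 'SPECIAL ACCESS', 'LIST CONTENTS', 'READ PROPERTY'
    $found = New-Object 'System.Collections.Generic.List[string]'
    $inEntry = $false
    foreach ($line in $DsaclsOutput) {
        # Rights inherited by child objects are listed separately; stop there.
        if ($line -match '^Permissions inherited') { break }
        if ($line -match '^(?<Type>Allow|Deny)\s+(?<Trustee>.+?)\s{2,}(?<Right>\S.*?)\s*$') {
            # First line of an entry: trustee and first right, column-separated.
            $name = ($Matches['Trustee'] -split '\\')[-1]
            $inEntry = ($Matches['Type'] -eq 'Allow') -and ($name -eq $Account)
            if ($inEntry) { $found.Add($Matches['Right'].ToUpper()) }
        }
        elseif ($inEntry -and $line -match '^\s{2,}(?<Right>\S.*?)\s*$') {
            # Continuation line: a further right for the same trustee.
            $found.Add($Matches['Right'].ToUpper())
        }
        elseif ($line -notmatch '^\s') {
            $inEntry = $false
        }
    }
    $missing = @($required | Where-Object { $found -notcontains $_ })
    [pscustomobject]@{
        Account = $Account
        Found   = @($found | Select-Object -Unique)
        Missing = $missing
        Ok      = ($missing.Count -eq 0)
    }
}

# Constructed sample listing (not real output): READ PROPERTY is absent.
$sample = @'
Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators          SPECIAL ACCESS
                                      LIST CONTENTS
                                      READ PROPERTY
Allow CC4\identitysyncservice         SPECIAL ACCESS
                                      LIST CONTENTS
The command completed successfully
'@ -split "`r?`n"

Test-DeletedObjectsAcl -DsaclsOutput $sample
```

For the sample, the result shows `Missing` as READ PROPERTY and `Ok` as False. On a domain controller, pass the output of the step 3 command instead, e.g. `Test-DeletedObjectsAcl -DsaclsOutput (dsacls "cn=deleted objects,DC=cc4,DC=net")`.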

How to delete an AD Sync provisioned RM Unify user that no longer exists in AD
  1. Log on to your RM Unify AD Sync server, open the RM Unify AD Sync Configuration Tool and record your current AD filter and role mapping settings.
  2. Close the RM Unify AD Sync Configuration Tool.
  3. Uninstall RM Unify AD Sync from the server via Control Panel, Programs.
  4. Rename the existing C:\Program Files (x86)\RM\RM Unify AD Sync folder to C:\Program Files (x86)\RM\RM Unify AD Sync_reinstall.
  5. Reinstall RM Unify AD Sync.
  6. Open the RM Unify AD Sync Configuration Tool for the first time and immediately close it again - this creates the required config file, but creates it devoid of any specific settings.
  7. Open C:\Program Files (x86)\RM\RM Unify AD Sync_reinstall\RM.Networks.IdentityManagement.config.
  8. Find the line <add key="IdentityGuidSource".
  9. If the line matches <add key="IdentityGuidSource" value="rmCom2000-UsrMgr-uPN" />, close the file without saving and proceed to step 12.
  10. If the line does not match and contains a different value, copy and paste the line to the new C:\Program Files (x86)\RM\RM Unify AD Sync\RM.Networks.IdentityManagement.config file, replacing the default value.
  11. Save and Close the file.
  12. Open the RM Unify AD Sync Configuration Tool.
  13. Register the school and configure AD filters and role mappings as per the settings recorded in step 1.
  14. Wait approximately two hours to allow complete synchronisation with RM Unify.
  15. Run a resync with delete option to force the deletion of all AD Sync-provisioned users in RM Unify that do not match a current AD filter.


Other Useful Articles

RM Unify AD Sync Configuration tool halts at "Waiting for database configuration to complete" (TEC3906847)
