Synchronize Deletion from AD to OID
Steps to perform for the use case in which an entry deleted from AD causes the corresponding entry
in OID to be deleted through DIP.
Resolution:
1. Add (isDeleted=TRUE) to the searchfilter of the synchronization profile.
For example, you may be using:
searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))
However, deleted entries are not picked up by this filter, so their deletion is never propagated to OID. To correct this, modify the
filter as follows:
searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer)))(isDeleted=TRUE))
To edit the filter: log in to EM -> Farm -> Identity and Access -> right-click
DIP -> select Administration: Synchronization Profile from the popup menu
-> select the profile you are using -> click Edit -> click the Filtering
tab.
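The filter change above can be applied and checked mechanically rather than by hand-editing a long string. The following is an added example, not Oracle DIP code: it parses an RFC 4515 style LDAP filter into a small tree, reports whether the filter can already match a tombstone (an (isDeleted=TRUE) item reachable through top-level ORs only, since the same term nested inside an AND or NOT does not let deleted entries through on its own), and otherwise ORs the term into the top level. The sample filter is the one from this note; the function names are the example's own.

```python
"""Add the (isDeleted=TRUE) term to a DIP search filter (added example, not DIP code)."""
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Item:
    text: str                      # attribute=value text, kept verbatim, e.g. "objectclass=user"


@dataclass
class Node:
    op: str                        # '&', '|' or '!'
    children: List["Filter"] = field(default_factory=list)


Filter = Union[Item, Node]


def parse_filter(s: str) -> Filter:
    """Parse one complete parenthesised filter; raise ValueError on malformed input."""
    pos = 0

    def parse() -> Filter:
        nonlocal pos
        if pos >= len(s) or s[pos] != '(':
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(s) and s[pos] in '&|!':
            node = Node(op=s[pos])
            pos += 1
            while pos < len(s) and s[pos] == '(':
                node.children.append(parse())
            if node.op == '!' and len(node.children) != 1:
                raise ValueError("'!' takes exactly one operand")
            result: Filter = node
        else:
            end = s.find(')', pos)     # RFC 4515 requires ')' inside values to be escaped
            if end == -1:
                raise ValueError("unterminated filter item")
            result = Item(text=s[pos:end])
            pos = end
        if pos >= len(s) or s[pos] != ')':
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = parse()
    if pos != len(s):
        raise ValueError(f"trailing characters at offset {pos}")
    return tree


def to_string(f: Filter) -> str:
    """Serialize the tree back into filter syntax."""
    if isinstance(f, Item):
        return f"({f.text})"
    return "(" + f.op + "".join(to_string(c) for c in f.children) + ")"


def includes_deleted(f: Filter) -> bool:
    """True if tombstones can satisfy the filter: (isDeleted=TRUE) reached via top-level ORs only."""
    if isinstance(f, Item):
        attr, _, value = f.text.partition('=')
        return attr.strip().lower() == 'isdeleted' and value.strip().upper() == 'TRUE'
    if f.op == '|':
        return any(includes_deleted(c) for c in f.children)
    return False                    # a term under '&' or '!' does not admit deleted entries by itself


def add_deleted_term(filter_str: str) -> str:
    """Return the filter with (isDeleted=TRUE) ORed in; unchanged if it is already covered."""
    tree = parse_filter(filter_str)
    if includes_deleted(tree):
        return to_string(tree)
    term = Item(text="isDeleted=TRUE")
    if isinstance(tree, Node) and tree.op == '|':
        tree.children.append(term)  # extend the existing top-level OR
    else:
        tree = Node(op='|', children=[tree, term])  # wrap a non-OR filter in a new OR
    return to_string(tree)


# Filter taken from the note above; used as the sample input.
PROFILE_FILTER = "(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))"

if __name__ == "__main__":
    print("covers deletions:", includes_deleted(parse_filter(PROFILE_FILTER)))
    print("searchfilter=" + add_deleted_term(PROFILE_FILTER))
```

Running the module prints the corrected searchfilter line exactly as given in step 1. Feeding a filter that already contains the term returns it unchanged, so the check is safe to run across every synchronization profile before deciding which ones need editing.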
2. Ensure the user that DIP binds to AD as has permission
to read the Deleted Objects container: cn=Deleted Objects,<domain name>
• For the DirSync approach:
The AD user must belong to the Domain Administrators group, cn=Administrators, cn=builtins,dc=domain,dc=com, or be explicitly granted permissions to
replicate directory changes.
• For the USNChanged approach:
The AD user must have “List Content” and “Read Properties” permissions to the cn=Deleted Objects container.