0 votes

I've noticed that sometimes when users are added to groups, the timestamp of the user object is not updated. If you execute LDAP queries against the modifytimestamp field, this creates inaccurate results.

Here is an example:

Notice the "When Changed" attribute of the user object (after adding the user to the group) (scroll to right to see entire image):

Here is the activity log for this user (scroll to right to see entire image):

Here is the group membership of the user (as seen in the web interface) (scroll to right to see entire image):

by (950 points)

1 Answer

0 votes
by (216k points)

Hello,

When you add a user to a group, the When Changed property should not be updated. When you add a user to a group, you don't modify the user. Instead, you modify the group by adding the user's DN to the Member property of the group.

The Member Of property of the user is simply a backlink to the Member property of all the groups the user is a member of.

0

So - if you edited a user, and then added them to a group it would update this timestamp. Alternatively, if you find the group first and then add the user to that group, the timestamp would not be updated on the user object. Is this correct?

Thanks!

0

I found my answer. I hope this can help others with similar confusion....

We do a ton of LDAP lookups here and this has always been a question.

"This attribute is not stored—it is a computed back-link attribute." http://msdn.microsoft.com/en-us/library/ms677943.aspx

The interesting scenario is that if you add a user to 50 new groups, then ask if the user has been "updated" via the modifytimestamp attribute of the user, you get "no" as the answer. To me, the answer is yes, the user has been updated, but I guess that is just me....

If you ignore the modifytimestamp of the user and just ask for the groups (memberof), you do get the correct answer. So, now I know that you cannot depend on the modifytimestamp of the user attribute to detect if the user's group membership has been altered.

0

Hello,

That's, actually, what we tried to say in our previous post :)

When you add a user to a group, the group is modified, not the user.
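
The conclusion of this thread, as an added example that is not part of the original posts and is not Adaxes or Microsoft code: a filter on the user's modifytimestamp misses a group addition, while diffing the Member property of groups modified since the last check catches it. All DNs, timestamps and function names below are constructed for illustration, and the example assumes you keep a previous snapshot of each group's member list.

```python
from datetime import datetime, timezone

def ts(value):
    """Parse an AD-style GeneralizedTime string, e.g. 20240110120000.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def member_of(groups, user_dn):
    """Derive memberOf as a back-link: every group whose 'member' lists the user."""
    return {dn for dn, g in groups.items()
            if user_dn.lower() in {m.lower() for m in g["member"]}}

def users_changed_by_timestamp(users, since):
    """Unreliable check: users whose own modifyTimestamp is newer than 'since'."""
    return {dn for dn, u in users.items() if ts(u["modifyTimestamp"]) > since}

def membership_changes(before, after, since):
    """Group-side check: diff 'member' on each group modified after 'since'."""
    changes = {}
    for dn, group in after.items():
        if ts(group["modifyTimestamp"]) <= since:
            continue  # skip groups not modified since the last check
        old = {m.lower() for m in before.get(dn, {"member": []})["member"]}
        new = {m.lower() for m in group["member"]}
        for user in new - old:
            changes.setdefault(user, {"added": set(), "removed": set()})["added"].add(dn)
        for user in old - new:
            changes.setdefault(user, {"added": set(), "removed": set()})["removed"].add(dn)
    return changes

# Constructed sample data (not taken from a real directory).
USER = "CN=jdoe,OU=Staff,DC=example,DC=com"
VPN = "CN=VPN Users,OU=Groups,DC=example,DC=com"
ADMINS = "CN=Server Admins,OU=Groups,DC=example,DC=com"
USERS = {USER: {"modifyTimestamp": "20240101080000.0Z"}}
BEFORE = {VPN: {"modifyTimestamp": "20231201000000.0Z", "member": []},
          ADMINS: {"modifyTimestamp": "20231201000000.0Z", "member": [USER]}}
# jdoe is added to VPN Users on 10 Jan: only the group's timestamp moves.
AFTER = {VPN: {"modifyTimestamp": "20240110120000.0Z", "member": [USER]},
         ADMINS: {"modifyTimestamp": "20231201000000.0Z", "member": [USER]}}
SINCE = ts("20240105000000.0Z")

if __name__ == "__main__":
    print("timestamp filter:", users_changed_by_timestamp(USERS, SINCE))
    print("group-side diff: ", membership_changes(BEFORE, AFTER, SINCE))
    print("memberOf now:    ", sorted(member_of(AFTER, USER)))
```

For access reviews or alerting on additions to privileged groups, the group-side diff is the one to schedule; the user-side timestamp only reflects edits to the user object itself.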
