0 votes

I've noticed that sometimes when users are added to groups, the timestamp of the user object is not updated. If you execute LDAP queries against the modifytimestamp field, this creates inaccurate results.

Here is an example:

Notice the "When Changed" attribute of the user object (after the adding the user to the group) (scroll to right to see entire image):

Here is the activity log for this user (scroll to right to see entire image):

Here is the group membership of the user (as seen in the web interface) (scroll to right to see entire image):

by (950 points)

1 Answer

0 votes
by (215k points)

Hello,

When you add a user to a group, the When Changed property should not be updated. When you add a user to a group, you don't modify the user. Instead, you modify the group by adding the user's DN to the Member property of the group.

The Member Of property of the user is simply a backlink to the Member property of all the groups the user is a member of.

0

So - if you edited a user, and then added them to a group it would update this timestamp. Alternatively, if you find the group first and then add the user to that group, the timestamp would not be updated on the user object. Is this correct?

Thanks!

0

I found my answer. I hope this can help others with similar confusion....

We do a ton of LDAP lookups here and this has always been a question.

"This attribute is not stored—it is a computed back-link attribute." http://msdn.microsoft.com/en-us/library/ms677943.aspx

The interesting scenario is that if you add a user to 50 new groups, then ask if the user has been "updated" via the modifytimestamp attribute of the user, you get "no" as the answer. To me, the answer is yes, the user has been updated, but I guess that is just me....

If you ignore the modifytimestamp of the user and just ask for the groups (memberof), you do get the correct answer. So, now I know that you cannot depend on the modifytimestamp of the user attribute to detect if the user's group membership has been altered.

0

Hello,

That's, actually, what we tried to say in our previous post :)

When you add a user to a group, the group is modified, not the user.

Related questions

0 votes
0 answers

Hello, I'm using property pattern for few things, and i just noticed that all my property pattern are applied on user creation (i don't want it to) Is there a way to "disable" property pattern on user creation ?

asked May 6, 2016 by Alexandre (460 points)
0 votes
1 answer

Hello, We have scripts that rely on "is inactive"condition to process.I noticed that when editing a user, the "Last Logon" value is the one in the attribute " ... because there is a several days difference between both attributes. is that correct? Thanks.

asked Feb 12, 2019 by tentaal (1.1k points)
0 votes
1 answer

I am experimenting with the new REST api. From our HR system, we will be receiving a user's manager represented as their email address. We will pass that (manager email ... an email address for the manager of a new hire? Any advice and details appreciated.

asked Mar 5, 2021 by techg (240 points)
0 votes
1 answer

Is it possible to convert a 365 mailbox to a shared mailbox as part of the user deprovision process? The user is synced to our local AD. I found with the current process the ... getting deleted in 365. It would be nice to set the mailbox to be a shared mailbox

asked Oct 30, 2018 by john.morrow (250 points)
0 votes
1 answer

Hello Everyone, I have a few questions surrounding your bulk user creation offering via a CSV found here http://www.adaxes.com/tutorials_ActiveD ... SVFile.htm Will our "After creating ... lot of use out of this feature if it's added in a future enhancement.

asked Jul 26, 2017 by Ben.Burrell (490 points)
2,740 questions
2,474 answers
6,475 comments
1,373,530 users