SecurID® Discussions

JaredPayne
Beginner

How do I remove a single unresolvable user?

When I go to clean up the unresolvable users through the RSA web console, it brings up 5 users I want to get rid of, and another 6 that are legit users I do not want to get rid of. However, the cleanup tool's only option is to delete all of it or nothing.

 

Is there a way to delete just one user from the database if I have the user id (aka. loginuid)?

Accepted Solutions
JayGuillette
Apprised Contributor

One 'trick' we use in support is to modify the User search filter to exclude the UserID you are trying to clean up, but can't because of some mixup or cross reference in LDAP.

 

First you’ll need to run a Cleanup against the external Identity Source (Active Directory), which you will have to do from the Security Console.

 

To clean up unresolvable users:
1. Click Setup --> Identity Sources --> Clean Up Unresolvable Users.
2. Select the name of the identity source that you want to clean up, or select All to clean up unresolvable users in all identity sources.
3. Click Next.
4. In the Preview pane, review the list of users. Click the column names to sort the list.
    Note: If the list is empty, there are no unresolvable users.
5. Click Clean Up Now.

 

If this Cleanup does not fix your problem, then we will need to modify the User Search criteria for the Active Directory Identity Source that specific UserID is in, to block his specific UserID.  Then we’ll run the Cleanup, remove all old remnants of the Identity, remove the filter and you’ll be able to assign him his token.

 

You need to navigate to the Identity Source in the Operations Console, and add a filter for your LDAP Map to block the samAccountName for your specific UserID from entering the RSA database through the external Identity Source.  I’ll use the name Jay.Guillette in this example, but you will use your specific UserID.

[Screenshot: OC-IDsource_Map_SearchFilter_block1user.png]

Basically you change the User Map filter from

(&(objectClass=User)(objectcategory=person))

To

(&(objectClass=User)(objectcategory=person)(!(samAccountName=JGuillette)))

This goes in the External Identity Source Map in the Operations Console, under Users Filter.

 

So the above screenshot example is for a samAccountName of JGuillette, but if your AD samAccountName is different, modify this accordingly.

 

Unfortunately you have to do this one UserID at a time.
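
The filter change described in the answer above, as an added example that is not part of the original post or of RSA's own tooling: it builds the exclusion filter with RFC 4515 escaping of the UserID, checks against constructed directory entries that only the one account drops out of view, and restores the original filter afterwards. The function names, the sample entries and the simplified matcher (single-valued attributes, equality only) are assumptions for illustration.

```python
import re

BASE = "(&(objectClass=User)(objectcategory=person))"  # filter from the post
# RFC 4515 escapes for characters that are special inside a filter value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value):
    return "".join(_ESC.get(ch, ch) for ch in value)

def exclude_user(base, sam):
    """Add (!(samAccountName=<sam>)) inside the outer AND of base."""
    if not (base.startswith("(&") and base.endswith(")")):
        raise ValueError("expected a filter of the form (&...)")
    return base[:-1] + "(!(samAccountName=" + escape_value(sam) + ")))"

def restore_filter(modified, sam):
    """Remove the temporary exclusion once the cleanup has run."""
    clause = "(!(samAccountName=" + escape_value(sam) + "))"
    if clause not in modified:
        raise ValueError("exclusion clause not present")
    return modified.replace(clause, "", 1)

def _eval(f, i, entry):
    """Evaluate the filter node starting at f[i] == '('; supports &, !, =."""
    i += 1
    if f[i] == "&":
        i, ok = i + 1, True
        while f[i] == "(":
            hit, i = _eval(f, i, entry)
            ok = ok and hit
        return ok, i + 1
    if f[i] == "!":
        hit, i = _eval(f, i + 1, entry)
        return not hit, i + 1
    end = f.index(")", i)
    attr, _, val = f[i:end].partition("=")
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return entry.get(attr.lower(), "").lower() == val.lower(), end + 1

def visible_users(flt, entries):
    """sAMAccountNames the identity source would still return under flt."""
    return [e["samaccountname"] for e in entries if _eval(flt, 0, e)[0]]

# Constructed sample directory entries (single-valued, simplified).
ENTRIES = [
    {"objectclass": "user", "objectcategory": "person", "samaccountname": n}
    for n in ("JGuillette", "ASmith", "BJones")
]
```

Comparing `visible_users(BASE, ENTRIES)` with `visible_users(exclude_user(BASE, "JGuillette"), ENTRIES)` before pasting the filter into the Users Filter field shows exactly which accounts the change hides from the identity source.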


2 Replies
EdwardDavis
Employee

Hello,

 

No, it is not possible to clean up one item on that list in the Security Console.

 

You need to make the other users resolvable. That means they need to show up on the identity source connection with the same GUID we calculated the first time. Simply adding the same userid to AD won't work, as new users will get a different GUID. The original users need to be found to get them off the list.

 

Or else they all will get cleaned off. 

 

You might be able to adjust the search filter in the ops console to force someone into the cleanup list, but that won't help change what appears in the list, unless expanding the search filter increases the search scope and the missing users pop back in.

 

 

Now, I cannot guess why you have missing users showing up in the unresolvable pile that you do not want to clean off, because most people want to clean that entire list. But if somehow you know why they are there, and this is a temporary intentional thing you are doing to make the users unmanageable in the Security Console, but you might want them to come back later and have the tokens assigned back to them...

 

You could: copy the user and token and get them off the system temporarily, then import them when you want them back

 

a) adjust the system and make the unresolvable users come back to security console as active users, and off that list

b) export users and tokens and get a copy of those userids and the tokens they have assigned

c) go back and make the system put them back as unresolvable

d) clean up the entire list

 

e) then when you do want the users you cleaned off, back again...adjust the system to make them appear in security console user list, as new users with nothing assigned....and then import users and tokens and ...those users will have their tokens back.