User profiles marked DELETED for active AD accounts - sharepoint-2016

We have a number of our active AD accounts marked for deletion in the SharePoint 2016 User Profile service. Roughly half of our people have had their accounts updated with -DELETED- even though their accounts are still active in Active Directory, and running a full synchronisation doesn't seem to resolve this. There aren't any errors in the event logs or the ULS logs, and there doesn't appear to be any specific connection between the accounts that have been marked in this way.
Why would the User Profile synchronisation process mark an account for deletion when the AD account is still active?

Exclude a specific folder in All Users OU - Google Workspace

I just started working with a company that uses Google Workspace. They have a group distribution list that sends email to the All Users container. However, within the All Users container there is also a container for Terminated Employees. Is there a way to set up the distribution list so that it doesn't forward the emails to the Terminated Users container?
thanks,
Glenn
In this scenario you have two straightforward options so users stop getting those emails:
- Remove terminated or suspended users from the group membership. Here you can check how to do it: https://support.google.com/a/answer/10284003
- If for some reason you don't want to remove the user from that distribution list, you can disable the user from getting those group messages: go to groups.google.com and choose the group in question. Go to Members, where you will see all users in that group, and under the "Subscription" column choose "No email". That will stop the user from getting those group inbound messages.
For the second option you need to have the group "Owner" role; otherwise you will have to log into the terminated user's session to make these changes.

how to unlock accounts that meet certain conditions

I am trying to unlock several accounts in Active Directory through PowerShell, but I can't figure out how to link every condition into the query.
The conditions are:
- The account should be enabled
- It shouldn't be a "memberof" of some groups (whose members I'm not able to unlock, like Administrators)
I don't have full control over accounts; I'm not able to unlock some of them due to my privileges, so it would be very helpful if you can help me to know, or simply discard, the accounts that I'm not able to unlock.
I've just tried this:
Search-ADAccount -LockedOut | Unlock-ADAccount
(Very poor attempt, I know; I'm very new to this technology.)
But it gives me an error because of my account's privileges.
It says: access rights are insufficient to perform the action.
The error is the same for different CN accounts.
But gives me errors because of my account's privileges
That 's' in "errors" is key. If you're getting more than one error, that means that errors don't stop it from continuing on to the next account. That is, actually, how PowerShell works by default.
So what you are doing is already working the way you want it to: it is unlocking all the accounts that you have access to.
Of course, this is just a band-aid on the real problem. It won't eliminate calls for the problem accounts, and it undermines the added security you get by locking accounts in the first place.
I'm able to unlock some accounts, but when I run the command Unlock-ADAccount, I think it tries to unlock accounts like administrator, some disabled accounts, for which I don't have permission to modify; but if I run that command on an individual "regular" account, it gets unlocked.
This is due to the blocking of inheritance of permissions applied to Domain Admins accounts, and to the Security Descriptor Propagator (SDPROP).
It's not recommended, as it's a critical mechanism in my opinion, but you might:
- create a specific delegation for a group
- and append this group to the Access Control Entry (ACE) of this kind of template folder for admin permissions: 'CN=AdminSDHolder,CN=System,DC=example,DC=com' (with the help of LDP.exe)
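The thread above asks for a way to unlock only the locked-out accounts that are enabled, are not members of privileged groups, and are within the caller's delegated rights, and the answers explain that the access-denied errors come from AdminSDHolder-protected objects. The following script is an added example, not code from the thread or from Microsoft: it assumes the ActiveDirectory module is installed and that the caller holds an "unlock account" delegation on ordinary user objects only. The group names in $ExcludedGroups are placeholders to adjust for your domain, and the adminCount check skips objects that SDPROP protects so that they never reach Unlock-ADAccount.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module and an unlock delegation scoped to ordinary user objects.
Import-Module ActiveDirectory

# Placeholder list of groups whose members this script must never touch.
$ExcludedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins')

# Resolve excluded group members once (recursively), keyed by distinguishedName,
# so the membership test inside the loop is a cheap hashtable lookup.
$Excluded = @{}
foreach ($g in $ExcludedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $Excluded[$_.distinguishedName] = $true }
    } catch {
        Write-Warning "Could not enumerate group '$g': $($_.Exception.Message)"
    }
}

# Locked-out, enabled user accounts. adminCount is fetched so that objects
# protected by AdminSDHolder/SDPROP (adminCount=1) can be skipped up front
# instead of producing "insufficient access rights" errors.
$Candidates = Search-ADAccount -LockedOut -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties adminCount }

$Results = foreach ($u in $Candidates) {
    if ($Excluded.ContainsKey($u.DistinguishedName)) {
        [pscustomobject]@{ Account = $u.SamAccountName; Status = 'Skipped (excluded group)' }
        continue
    }
    if ($u.adminCount -eq 1) {
        [pscustomobject]@{ Account = $u.SamAccountName; Status = 'Skipped (adminCount=1)' }
        continue
    }
    try {
        Unlock-ADAccount -Identity $u -ErrorAction Stop
        [pscustomobject]@{ Account = $u.SamAccountName; Status = 'Unlocked' }
    } catch [System.UnauthorizedAccessException] {
        # Delegation does not cover this object; record it rather than abort.
        [pscustomobject]@{ Account = $u.SamAccountName; Status = 'Skipped (access denied)' }
    } catch {
        [pscustomobject]@{ Account = $u.SamAccountName; Status = "Failed: $($_.Exception.Message)" }
    }
}

# One row per locked-out account with the action taken, for the audit trail.
$Results | Format-Table -AutoSize
```

Run it from a session that has the ActiveDirectory module loaded; the per-account table is the useful output, since it shows which accounts were deliberately skipped (excluded group, adminCount=1) versus which failed for an unexpected reason. Keeping the skip logic explicit is preferable to relying on the default non-terminating error behaviour the answer describes, because repeated access-denied attempts against protected accounts show up in the domain controller's audit log as failed modifications by the helpdesk account.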

What is the Google VFE accounts?

What do Google accounts starting with vfe.XXX.* mean? Are they suspended accounts in the domain?
Those accounts were moved from the legacy Postini environment. They should all be suspended accounts assigned to the "VFE" license type (Vault Former Employee). Those accounts contain all of your Postini message archive data.

Office 365 - Move a mailbox to a different user

I am trying to move a mailbox from one user to another in Office 365.
We have DirSync set up to keep everything synchronised.
The reason for this is that we occasionally get corrupt AD accounts, so we have to set up a new account and copy over the data (this doesn't happen a lot, but it does happen).
I have checked through all the online help from Microsoft and other sources but just can't find a way that works.
I have tried deleting the mailbox, then restoring it:
One guide said to use the GUIDs to transfer the account, but a deleted account doesn't have a GUID.
Another guide says to use Restore-MsolUser, but you can't specify a new AD account.
So in a nutshell all I want to achieve is this:
Local AD user "A" has the email "A#xyz.com"; this needs to change to:
Local AD user "B" has the email "A#xyz.com".
At the moment we have to keep both the old and the new AD accounts active to maintain the email, but if the user changes their password on the new account it obviously doesn't sync with their email account as it's on their old AD account.
I have been trawling through internet guides for weeks but to no avail. Any help would be much appreciated.
Thanks
John

Insertion/Deletion of account at an institution - AggCat API

1: If some account is actually deleted at an institution but is not deleted in AggCat service. What happens when Intuit pulls data from institutions to update accounts' info? The deleted account is not updated?
2: If some account is added at an institution, how can we discover the newly added account? It seems the only feasible way is to remove all accounts of some client at that institution and have the client register accounts again. Is it correct?
Yes, the deleted account doesn't get updated. If the account doesn't exist at the FI, then that account should be categorized as 'Other Account'.
You can call discoverAndAddAccounts for that FI, and call UpdateInstitution login with the refresh flag set to true. This will add refreshed data to the user's profile.
Ref - https://developer.intuit.com/docs/0020_customeraccountdata/customer_account_data_api/0020_api_documentation/0020_discoverandaddaccounts