WHD clients marked as inactive after manual AD sync

Hi all,

We have been having an issue with Web Help Desk in which our clients are being marked as Inactive despite them having AD accounts which are enabled. Since we are a school, we update AD each year to account for the change in students' enrollment status which may include having their AD accounts disabled, but not deleting them. It used to work for us where the auto-synchronization would manage this on its own. However, we are now hearing that clients are unable to put in tickets due to their WHD accounts being inactive. I am able to manually re-activate their WHD accounts just for the sake of moving them forward with ticket creation, but this means our client records aren't as they should be. Below is what I know and have done so far:

  • We do not appear to be having any issues with WHD contacting our LDAP server
  • The settings under Connection Basics and Attribute Mappings appear to be correct (I can post screenshots if this will be helpful)
  • This issue doesn't necessarily seem to affect all of our clients and there is no clear pattern
  • I made a slight correction to the search filter as it previously had some extra spaces inserted, but it did not have any effect
  • Contacted WHD support who remoted in and made some changes which were primarily related to RAM allocation for JVM (this didn't seem to help at all other than with performance)

I took one client and used it as a test to see what would happen when I made various changes. Initially, it was marked as Inactive in WHD which meant I was unable to search for the client by last name, but if I checked Search LDAP, it would show the client record. As a test, I disabled the relevant AD account, performed a manual sync, and I was then unable to search for it even with Search LDAP checked (this is what I expected to see). When I manually activate the client and perform a manual sync (with the AD account enabled), it remains set to Active. This is good, but I have 800+ current clients to verify along with a larger number of clients that should stay inactive (employees that have resigned, students not returning, etc.)

Essentially, I would like for WHD to sync with AD such that accounts which are enabled in AD are marked as Active in WHD and those that are disabled in AD are marked as Inactive in WHD. Any thoughts on where to go next?

Thanks!
Steve

  • A while back I created a support case with the same issue; when AD accounts are re-enabled, the WHD account remains set to 'inactive'.  This is the response I received from support:

    With regard to the problem you reported, the behavior is by design. Unfortunately, this cannot be changed due to constraints in the Lightweight Directory Access Protocol (LDAP) standard.

    So, we must reactivate WHD accounts manually if/when the AD account is re-enabled.

    Regarding accounts becoming deactivated, is it possible these accounts exist in or were moved into an OU that is not being sync'd with WHD? IIRC, moving accounts into an OU that is not sync'd via LDAP will make them inactive, as well.

  • Hi Justin,

    I really appreciate the response as this is the clarification I needed. I actually was not certain that it ever functioned in a way such that it would toggle active/inactive for WHD client objects based on the active status for an AD account. It seems as though I should have mentioned this! Our previous sysadmin had set this up which is why we were in the dark. I'm OK with manually re-activating the accounts in WHD as I can likely do this as a batch process and it only needs to be done once a year.

    As for your question, the DN is set for OU All Users (see below) which is where all of our users are contained so there's really no chance of AD users being moved to an OU elsewhere.

    Thanks again!
    Steve

  • I'm not sure what the constraints are. If a user is in sync and currently inactive, reactivate.

    We ran into an issue where all 15,000+ users were marked inactive. We thought we were going to have to manually activate them all 100 at a time. It turns out you can just run a simple SQL command on the WHD clients table that updates the inactive field for each user from 1 to 0. Now all users are active again. We re-ran the sync and all was good.

  • Or you could have selected all clients on all pages of 100 by selecting with a SHIFT click and the Tick goes green rather than blue, useful on Ticket list as well!

  • Well sure.. we could have done it that way too... In all seriousness, I had no idea we could do that... The only things we found on this topic basically said there was nothing you could do. The SQL command was easy enough, but thanks for sharing this.
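
An added example, not written by any poster in this thread and not SolarWinds code: a blanket reactivation also re-enables clients whose AD accounts are disabled, so this Python script reconciles a WHD client export against an AD export using the `userAccountControl` disabled bit and the synced OU. The CSV column names, the base DN and the sample rows are constructed assumptions.

```python
import csv
import io

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts
# Constructed sample data; the column names and base DN are assumptions.
SYNC_BASE_DN = "OU=All Users,DC=example,DC=edu"
AD_EXPORT = """sAMAccountName,userAccountControl,distinguishedName
asmith,512,"CN=Amy Smith,OU=Students,OU=All Users,DC=example,DC=edu"
bjones,514,"CN=Bob Jones,OU=Students,OU=All Users,DC=example,DC=edu"
cwong,66048,"CN=Cara Wong,OU=Staff,OU=All Users,DC=example,DC=edu"
dlee,512,"CN=Dan Lee,OU=Archive,DC=example,DC=edu"
"""
WHD_EXPORT = """username,inactive
ASmith,1
bjones,1
cwong,0
dlee,1
egray,0
"""


def load_ad(text, base_dn):
    """Map lower-cased username -> True if enabled and inside the synced OU."""
    suffix = "," + base_dn.lower()
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        enabled = (int(row["userAccountControl"]) & ACCOUNTDISABLE) == 0
        in_scope = row["distinguishedName"].lower().endswith(suffix)
        accounts[row["sAMAccountName"].lower()] = enabled and in_scope
    return accounts


def reconcile(ad_text, whd_text, base_dn=SYNC_BASE_DN):
    """Return (reactivate, deactivate) username lists for WHD clients."""
    ad = load_ad(ad_text, base_dn)
    reactivate, deactivate = [], []
    for row in csv.DictReader(io.StringIO(whd_text)):
        user = row["username"].lower()
        inactive = row["inactive"] == "1"
        should_be_active = ad.get(user, False)  # no AD match: stay inactive
        if inactive and should_be_active:
            reactivate.append(user)
        elif not inactive and not should_be_active:
            deactivate.append(user)
    return reactivate, deactivate


if __name__ == "__main__":
    print(reconcile(AD_EXPORT, WHD_EXPORT))
```

Only the `reactivate` list needs the bulk action; the `deactivate` list shows active WHD clients with no enabled, in-scope AD account behind them.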

  • Good afternoon Steve,

    We are having the same issues after we updated to the new version of the Help Desk. We are running ver 12.5.0 and we are hosted. Has anyone found a fix for this issue?

    Thanks,

    Myra

  • Hi Myra,

    Inactive client accounts when using an LDAP connection is not a bug. Instead, this problem is the result of a connection timeout between Web Help Desk and the Directory Service.

    Connection Timeout (Setup > Clients > AD/LDAP Connections > Connection Basics > Advanced)

    Default: 20 seconds

    In a hosted environment, you may consider configuring the LDAP connection to synchronize manually when new employees are added. This step could be added to your new hire process.

    To resolve the immediate problem, use the Advanced Search to find the inactive client accounts.

    Advanced Search (Clients > Advanced Search)

    Clients matching ALL of these conditions:
    Inactive = Yes

    Then use the Bulk Action tool to activate the inactive client accounts.


    Regards,

    Isaiah Carriere

    Web Help Desk Consultant
    Adeptec: SolarWinds Training and Professional Services
