lithnet / googleapps-managementagent

Google Workspace Management Agent for MIM 2016
MIT License

Unable to move a user between two existing OUs #23

Closed NeedsCoffee closed 6 years ago

NeedsCoffee commented 6 years ago

I'm using this MA (1.1.6520.18856) with MIM 2016 SP1 (4.4.1749.0) and am trying to move users between OUs. I can provision new users successfully without issue into an OU called "/MIMManagedAccounts/NoGmail", however if I have a sync-rule that is triggered which changes the OrgUnitPath value for a user to another OU that exists, in this case "/MIMManagedAccounts/MigrationState_Z", MIM attempts to export the update but the account does not move and remains in the original OU. A full import sees the failed export and reports that as an error.

I have tried various things, like removing the leading "/" (producing a rule violation) or adding a trailing "/" (no change) to the path value. I've also tried different text combinations in case it was the "_" that was the issue, and removing that doesn't help either. In fact I don't seem to be able to get an account to ever move OU. If I move an account manually and then do a full import, the change is reported correctly.

Does this MA support changing the OU? We can do this with GAM of course and I have a script running elsewhere to do that for a different project, but I'd much rather do this with this excellent MA and MIM if I can.

My MA is running in a separate process. I have a "work" schema addition for "Organizations" and "Email". Only "user" object types are imported via this particular MA. I have the following attributes selected in the MA (screenshot): attributes

Here's the export xml:

<delta operation="update" dn="zz99345@xxxxxxxxxxxx">
 <anchor encoding="base64">LAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAAAA</anchor>
 <primary-objectclass>user</primary-objectclass>
 <objectclass>
  <oc-value>user</oc-value>
 </objectclass>
 <attr name="orgUnitPath" operation="update" type="string" multivalued="false">
  <value operation="add">/MIMManagedAccounts/MigrationState_Z</value>
  <value operation="delete">/MIMManagedAccounts/NoGmail</value>
 </attr>
</delta>

Here's the full import xml:

<delta operation="add" dn="zz99345@xxxxxxxxxxxx">
 <anchor encoding="base64">LAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXAAAA</anchor>
 <primary-objectclass>user</primary-objectclass>
 <objectclass>
  <oc-value>user</oc-value>
 </objectclass>
 <attr name="creationTime" type="string" multivalued="false">
  <value>2018-03-13T15:47:43.000</value>
 </attr>
 <attr name="id" type="string" multivalued="false">
  <value>115061404213916952048</value>
 </attr>
 <attr name="includeInGlobalAddressList" type="boolean" multivalued="false">
  <value>false</value>
 </attr>
 <attr name="isMailboxSetup" type="boolean" multivalued="false">
  <value>false</value>
 </attr>
 <attr name="name_familyName" type="string" multivalued="false">
  <value>Zoomer</value>
 </attr>
 <attr name="name_givenName" type="string" multivalued="false">
  <value>Zoe</value>
 </attr>
 <attr name="nonEditableAliases" type="string" multivalued="true">
  <value>zz99345@yyyyyyyyyyyy</value>
  <value>zz99345@zzzzzzzzzzzz</value>
 </attr>
 <attr name="orgUnitPath" type="string" multivalued="false">
  <value>/MIMManagedAccounts/NoGmail</value>
 </attr>
 <attr name="primaryEmail" type="string" multivalued="false">
  <value>zz99345@xxxxxxxxxxxx</value>
 </attr>
 <attr name="suspended" type="boolean" multivalued="false">
  <value>false</value>
 </attr>
</delta>

A screenshot of the pending export: 1_pending_export

A screenshot of the finished export: 2_finished_export

A screenshot of the error: 3_exported-change-not-reimported

The CS object after a full import: 3_after_full_import

Steps to reproduce:

  1. create a new OU in apps domain
  2. flow a constant to OrgUnitPath in MA corresponding to the full path of the new OU
  3. full sync on MA
  4. export
  5. full import

Results: Change appears to export, but does not happen in Google, and an exported-change-not-reimported error is produced after the confirming import step.

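One way to separate a MIM-side problem from a Google-side one is to perform the same OU move outside MIM, directly against the Admin SDK Directory API, and then read the user back the way a confirming import does. The script below is an added example written for this page; it is not code from the Lithnet MA or from the reporter's environment. It assumes an OAuth 2.0 bearer token (the ACCESS_TOKEN placeholder) obtained out of band with the admin.directory.user and admin.directory.orgunit.readonly scopes, and that orgunits.get takes the OU path without its leading slash as the URL path segment. The FakeDirectory class is a constructed in-memory stand-in so the example runs offline; the user and OU names are the ones from the issue with an example.com domain.

```python
"""Move a Google Workspace user between two existing OUs straight through the Directory API.

Added example for this page; not code from the Lithnet MA or from the issue reporter.
Assumptions: ACCESS_TOKEN is an OAuth 2.0 bearer token obtained out of band with the
admin.directory.user and admin.directory.orgunit.readonly scopes, and orgunits.get takes
the OU path without its leading '/' as the URL path segment.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

API = "https://admin.googleapis.com/admin/directory/v1"
ACCESS_TOKEN = "ya29.PLACEHOLDER"  # assumption: replace with a real token for a live run


def normalize_ou_path(path):
    """Canonical API form: exactly one leading '/', no trailing '/', root is '/'.
    Both variants tried in the issue (slash removed, slash appended) collapse to this."""
    return "/" + "/".join(p for p in path.strip().split("/") if p)


def http_transport(method, url, headers, body=None):
    """Live transport: one HTTPS call, returning (status, parsed JSON body or {})."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"error": raw.decode("utf-8", "replace")}


class FakeDirectory:
    """Constructed in-memory stand-in so the example runs offline; not Google's real behaviour."""

    def __init__(self, ous, users):
        self.ous, self.users = set(ous), dict(users)

    def __call__(self, method, url, headers, body=None):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or len(auth) == len("Bearer "):
            return 401, {"error": "Login Required"}
        path = urllib.parse.unquote(urllib.parse.urlsplit(url).path)
        if "/orgunits/" in path:
            ou = "/" + path.split("/orgunits/", 1)[1]
            return (200, {"orgUnitPath": ou}) if ou in self.ous else (404, {"error": "Org unit not found"})
        user = path.rsplit("/", 1)[1]
        if user not in self.users:
            return 404, {"error": "Resource Not Found: userKey"}
        if method == "PATCH":
            new_ou = json.loads(body)["orgUnitPath"]
            if new_ou not in self.ous:
                return 400, {"error": "Invalid Input: INVALID_OU_ID"}
            self.users[user] = new_ou
        return 200, {"orgUnitPath": self.users[user]}


def ou_exists(customer, ou_path, token, transport=http_transport):
    """orgunits.get on the target OU; a 404 here means the export could never succeed."""
    ou = normalize_ou_path(ou_path).lstrip("/")
    url = f"{API}/customer/{customer}/orgunits/{urllib.parse.quote(ou)}"
    status, _ = transport("GET", url, {"Authorization": f"Bearer {token}"})
    return status == 200


def move_user(user_key, target_ou, token, customer="my_customer", transport=http_transport):
    """Patch orgUnitPath, then read the user back (what the confirming import does).
    Returns a dict recording each step so a failure can be pinned to OU lookup, PATCH or re-read."""
    target = normalize_ou_path(target_ou)
    auth = {"Authorization": f"Bearer {token}"}
    result = {"target": target}
    if not ou_exists(customer, target, token, transport):
        result["error"] = f"target OU {target} not found (or token lacks the orgunit scope)"
        return result
    user_url = f"{API}/users/{urllib.parse.quote(user_key, safe='')}"
    body = json.dumps({"orgUnitPath": target}).encode()
    status, resp = transport("PATCH", user_url, {**auth, "Content-Type": "application/json"}, body)
    result["patch_status"] = status
    if status != 200:
        result["error"] = resp.get("error", resp)
        return result
    # A 200 from PATCH is not proof of the move: confirm by reading the attribute back.
    status, user = transport("GET", user_url + "?fields=orgUnitPath", auth)
    result["actual"] = user.get("orgUnitPath")
    result["moved"] = status == 200 and result["actual"] == target
    return result


if __name__ == "__main__":
    # Offline demo with constructed data; drop transport= to hit the real API with ACCESS_TOKEN.
    fake = FakeDirectory(
        ous=["/MIMManagedAccounts/NoGmail", "/MIMManagedAccounts/MigrationState_Z"],
        users={"zz99345@example.com": "/MIMManagedAccounts/NoGmail"},
    )
    print(move_user("zz99345@example.com", "MIMManagedAccounts/MigrationState_Z/", ACCESS_TOKEN, transport=fake))
```

If the live run moves the user and the re-read confirms it, Google and the OU path are fine and the fault is on the MIM side (export flow, MA process, or configuration); if the PATCH or the re-read fails, the returned dict says which step failed and with what API error.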
ryannewington commented 6 years ago

Ok, this is very strange. It is certainly supported to move users between OUs, and my test cases for doing this are working fine.

I'm going to need to see the conversation between the agent and Google to help understand what is going on here.

Are you able to perform the following additional steps?

  1. Install Fiddler
  2. Open Fiddler and select Options -> HTTPS -> Decrypt HTTPS traffic
  3. Open the miiserver.exe.config file and make the following changes:

     a. Add a new <section> to the existing <sections> for the lithnet-google-ma

        <configSections>
          --- other sections ---
          <section name="lithnet-google-ma" type="Lithnet.GoogleApps.MA.MAConfigurationSection, Lithnet.GoogleApps.MA" />
        </configSections>

     b. Add the following line after <configSections>

        <lithnet-google-ma http-debug-enabled="true"/>

     c. Add the following after that

        <system.net>
          <defaultProxy>
            <proxy
              usesystemdefault="true"
              proxyaddress="http://127.0.0.1:8888"
              bypassonlocal="true"
            />
          </defaultProxy>
        </system.net>

This will force the MA traffic to go through Fiddler, so we will be able to see the API calls in the background.

Make sure the MA is running in-process, start Fiddler, and kick off the export. Stop Fiddler and send the trace to ryan@lithnet.io. It would also be helpful to have the log files from the MA that were generated for this export.

Ryan
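A decrypted Fiddler trace of the MA's API calls contains live credentials: the bearer access token in every Authorization header, and the signed service-account JWT in the token request (the private key itself never leaves the server, but that JWT can be exchanged for a token while it is valid). Before a trace leaves the machine by email it should be redacted. The script below is an added example for this page, not part of the Lithnet MA or of the thread; it assumes a .saz archive is a zip whose raw/NN_c.txt and raw/NN_s.txt members hold the raw client request and server response, and the sample trace it builds (build_sample_saz, with a made-up JWT and token) is constructed so the example runs offline.

```python
"""Redact OAuth credentials from a Fiddler .saz trace before sharing it.

Added example for this page, not part of the Lithnet MA or the issue. Assumptions: a .saz is
a zip whose raw/NN_c.txt and raw/NN_s.txt members hold the raw client request and server
response, and the MA authenticates with a service-account JWT ("assertion=" in the token
request) that is exchanged for a bearer token appearing in every Authorization header.
"""
import io
import re
import zipfile

# Each pattern keeps the label (group 1) and replaces the secret that follows it.
REDACTIONS = [
    # Bearer token on every API call
    (re.compile(rb"(?im)^(Authorization:\s*Bearer\s+)\S+"), rb"\1[REDACTED]"),
    # Signed service-account JWT in the token request body (a usable credential on its own)
    (re.compile(rb"(assertion=)[A-Za-z0-9._~%-]+"), rb"\1[REDACTED]"),
    # Tokens in the JSON token response
    (re.compile(rb'("(?:access_token|refresh_token|id_token)"\s*:\s*")[^"]+'), rb"\1[REDACTED]"),
    # Any cookies, in case the trace also caught a browser session
    (re.compile(rb"(?im)^((?:Set-)?Cookie:\s*)[^\r\n]+"), rb"\1[REDACTED]"),
]


def redact_bytes(data):
    """Apply every pattern; return (redacted bytes, number of replacements)."""
    total = 0
    for pattern, repl in REDACTIONS:
        data, n = pattern.subn(repl, data)
        total += n
    return data, total


def redact_saz(saz_bytes):
    """Return (redacted .saz bytes, {member: replacements}); only raw/*.txt members are touched."""
    src = zipfile.ZipFile(io.BytesIO(saz_bytes))
    out = io.BytesIO()
    hits = {}
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.startswith("raw/") and info.filename.endswith(".txt"):
                data, n = redact_bytes(data)
                if n:
                    hits[info.filename] = n
            dst.writestr(info.filename, data)
    return out.getvalue(), hits


def members_containing(saz_bytes, needles):
    """Names of members still containing any of the byte strings in needles (empty once clean)."""
    src = zipfile.ZipFile(io.BytesIO(saz_bytes))
    return sorted(info.filename for info in src.infolist()
                  if any(n in src.read(info) for n in needles))


# Constructed sample trace: a token exchange followed by the orgUnitPath PATCH from the issue.
SAMPLE_JWT = b"eyJhbGciOiJSUzI1NiJ9.SAMPLEPAYLOAD.SAMPLESIG"
SAMPLE_TOKEN = b"ya29.SAMPLE-ACCESS-TOKEN"


def build_sample_saz():
    members = {
        "raw/01_c.txt": (b"POST /token HTTP/1.1\r\nHost: oauth2.googleapis.com\r\n"
                         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                         b"grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer"
                         b"&assertion=" + SAMPLE_JWT),
        "raw/01_s.txt": (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
                         b'{"access_token": "' + SAMPLE_TOKEN + b'", "expires_in": 3599, "token_type": "Bearer"}'),
        "raw/02_c.txt": (b"PATCH /admin/directory/v1/users/zz99345%40example.com HTTP/1.1\r\n"
                         b"Host: admin.googleapis.com\r\nAuthorization: Bearer " + SAMPLE_TOKEN + b"\r\n"
                         b"Content-Type: application/json\r\n\r\n"
                         b'{"orgUnitPath": "/MIMManagedAccounts/MigrationState_Z"}'),
        "raw/02_s.txt": (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
                         b'{"orgUnitPath": "/MIMManagedAccounts/MigrationState_Z"}'),
        "raw/02_m.xml": b"<Session SID='2'/>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python redact_saz.py trace.saz trace-redacted.saz
        with open(sys.argv[1], "rb") as f:
            redacted, hits = redact_saz(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(redacted)
    else:  # offline demo on the constructed sample
        redacted, hits = redact_saz(build_sample_saz())
    print(hits)
```

Run it over the saved trace and, before sending, call members_containing with the real token value copied from the original trace to confirm nothing slipped past the patterns. Two clean-up steps also belong to this procedure: Fiddler's HTTPS decryption works by trusting its own root certificate on the machine, and the <defaultProxy> block routes all of miiserver.exe's traffic through a local proxy, so both should be removed once the trace has been captured.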

NeedsCoffee commented 6 years ago

Thanks Ryan. Awesome, OK, I've emailed you the files you asked for.

NeedsCoffee commented 6 years ago

Pleased to say I self-resolved this one. Nothing to do with your code (of course). Exactly what it was I can't say. I built a whole new system and went back to my old one to copy my setup, and after a while it suddenly started working. Thanks for all your kind help.