22 Replies. Latest reply on Aug 17, 2016 6:58 AM by Todd Schnack

    Active directory sync doesn't upload all members

    anna.harkness

      My organization would like to set up some of our sites so that the dashboards are available to everyone in the organization, but without allowing individuals without Active Directory accounts to access our content. Ideally, I would be able to sync the Domain Users group from AD (contains every Active Directory member) on a quarterly basis, and any new members would be added to the group. However, this does not appear to be working: we have over ~6000 users in our AD Domain Users group, but when I attempt to sync this group in Tableau Server, only perhaps 20-60 users will be added to the group.

       

      I am syncing through the browser interface by going to Site > Users tab > Add Users > Import Active Directory Group. Tableau Server identifies the Domain Users group, and says that it successfully uploaded X number of users - in the most recent test, 57 users were uploaded.

       

      I can't figure out any rhyme or reason as to why this group isn't syncing. Any help would be appreciated.

        • 1. Re: Active directory sync doesn't upload all members
          Steven Wiley

          Anna,

           

          See the response I got from Tableau Support on this same issue below...

           

          "Domain Users is a special Active Directory group which does not have any users directly assigned to it (unless manually assigned), but shows all users in various tools. So actually the behavior experienced is expected, since Domain Users group does not have users object in it by default. Thus if the goal is to import all users from Active Directory to the Tableau Server, new group with all users should be created."

           

          Hope this helps,

          Steven

          2 of 2 people found this helpful
          • 2. Re: Active directory sync doesn't upload all members
            Jeff Strauss

            Hi Anna.  We have this same need at Conversant and thus I tinkered with syncing the "domain users" group; however, Tableau doesn't know right now how to traverse the AD tree structure and therefore this technique does not work.  In order to get it to work, I turned to creation of a script that runs on a nightly basis and does a direct read of AD using ldapsearch, and then there's a step that compares the outputted result with what is already within the Tableau repository, and then the script adds the ones that don't already exist.  It was a project to get this done; however, once working, it works quite nicely.  The key to getting this to work is having ldapsearch read access to AD.

            1 of 1 people found this helpful
            • 3. Re: Active directory sync doesn't upload all members
              Steven Wiley

              Jeff,

               

              Does your solution require direct editing of the underlying user database to accomplish "syncing" for this group?

              • 4. Re: Active directory sync doesn't upload all members
                Jeff Strauss

                It does not.  Rather, once a determination is made as to which users are missing from the Tableau repository, we use the following command to add them via a CSV file with tabcmd createsiteusers.

                 

                tabcmd createsiteusers "%TABLEAU_ALLUSER_FILE%" --no-complete --role "Interactor" --password %TABLEAU_USER_PASSWORD% --timeout 1800

                • 5. Re: Active directory sync doesn't upload all members
                  Alex Tanchoco

                  Hello Anna and the Tableau Community,

                   

                  I realize this thread is a few months old but since I also had a similar problem and this is the only thing that popped up for my search keywords, I thought sharing my recent experience on this topic and what worked for us can be useful to someone else.

                   

                  We are using the Active Directory sync process and it works, for the most part.

                   

                  The problem: We had a Tableau site and the site admin reported that not all members of their specific AD group were showing up.  Only 38 of the 44 members show up. All 44 show up as members when viewed and queried with standard Windows tools and commands.

                   

                  The solution: I'll spare you the details of the troubleshooting we went through, but the problem and the solution were simple. It turns out that when an Active Directory user's "PrimaryGroup" attribute is set to something other than "Domain Users"  (e.g. CN=Domain Users,CN=Users,DC=yourdomain,DC=com) the query to the directory to find the members excludes them from the list.  I was able to replicate the problem with a VBScript so this is NOT a Tableau issue per se.

                   

                  The user's PrimaryGroup must be set to the Domain Users group regardless of whether they are already a member of that group.

                  2 of 2 people found this helpful
                  • 6. Re: Active directory sync doesn't upload all members
                    Toby Erkson

                    Anna,

                    Out of curiosity, why not turn on Guest access?

                    • 7. Re: Active directory sync doesn't upload all members
                      adamstuart0

                      Hi Alex, I'm interested specifically in your problem/resolution as it sounds like something that I am currently experiencing.  What specific attribute in Active Directory would I look at to determine "PrimaryGroup"?  I'm trying to find some difference between the users that are syncing and the users that have suddenly stopped syncing (and were mysteriously removed from the Tableau group).

                      • 8. Re: Active directory sync doesn't upload all members
                        Todd Schnack

                        We are experiencing the exact same issue: not all users in an Active Directory group are syncing and I suspect that there are specific attribute(s) in the Active Directory group and/or in the "non-syncing" users that are causing this. I am not an AD expert, so please "dumb down" your responses if possible (grin):

                        1. The "Background Tasks for Non-Extracts" report shows the manual AD group sync errored, but it doesn't indicate WHY it failed. Do any of the Tableau Server logs contain =details= on why certain users were not synced, skipped, etc.? Or do I need to change a "logging level" setting to force Server to capture those AD sync job details?
                        2. I have found that the counts shown in the job's "Notes" (the "Users Added" count in particular) are inaccurate at times. For example, in one of my test runs, the job's note says 89 users were added to the site, but when I look at the report listing all of the site users, there were 107 users added. Has anyone else had this issue?
                        3. What tool can I use to see a user's "PrimaryGroup" attribute (and other AD attributes)?

                         

                        Thank you!

                        • 9. Re: Active directory sync doesn't upload all members
                          Todd Schnack

                          Hi Alex. Can you advise me on what standard Windows tools and commands you use to query AD group/user attributes? Thank you!

                          • 10. Re: Active directory sync doesn't upload all members
                            Todd Schnack

                            Hi there Jeff. Any chance you could share the script you wrote to solve this?

                            • 11. Re: Active directory sync doesn't upload all members
                              Jeff Strauss

                              Good morning.  My script uses bash with ldapsearch running within cygwin to get done what needs to get done.  So unless you have a similar environment set up, my script(s) won't help you that much.

                               

                              Do you have any facility for doing an ldapsearch?  This can be done via powershell if you have the add-on module.  With this, you should be able to see all the internal AD attributes and can search either by group or user.

                               

                              There are a few characteristics to be aware of that we have encountered; they may have fixed some of these, though.

                              1. If the samaccountname is in multiple OUs, then the user will not be added.  The import gets confused.

                              2. If the UPN (userPrincipalName) is missing, then the user will not be added

                              3. If the userAccountControl (status) is not active, then I think these are filtered out from the sync

                              1 of 1 people found this helpful
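
Added example (not part of the original thread, and not Jeff Strauss's script): the skip conditions reported in replies 5 and 11, checked over ldapsearch output. It assumes LDIF produced with `ldapsearch -LLL -o ldif-wrap=no` and single-valued attributes; the sample entries are constructed, and 513 is the well-known RID that `primaryGroupID` holds for Domain Users.

```python
from collections import Counter

DOMAIN_USERS_RID = "513"   # well-known RID of Domain Users, as stored in primaryGroupID
ACCOUNTDISABLE = 0x2       # userAccountControl bit set on a disabled account

# Constructed sample shaped like ldapsearch LDIF output (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Ann Lee,OU=Sales,DC=example,DC=com
sAMAccountName: alee
userPrincipalName: alee@example.com
userAccountControl: 512
primaryGroupID: 513

dn: CN=Cy Dunn,OU=IT,DC=example,DC=com
sAMAccountName: cdunn
userAccountControl: 514
primaryGroupID: 1105

dn: CN=Ann Lee,OU=Contractors,DC=example,DC=com
sAMAccountName: alee
userPrincipalName: alee2@example.com
userAccountControl: 512
primaryGroupID: 513

dn: CN=Dee Kim,OU=Sales,DC=example,DC=com
sAMAccountName: dkim
userPrincipalName: dkim@example.com
userAccountControl: 512
primaryGroupID: 513
"""

def parse_ldif(text):
    """One dict per entry; assumes unwrapped lines and single-valued attributes."""
    return [dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
            for block in text.strip().split("\n\n")]

def audit(entries):
    """Return {dn: [reasons]} for entries matching a condition reported in the thread."""
    names = Counter(e.get("sAMAccountName", "").lower() for e in entries)
    def reasons(e):
        checks = [
            (names[e.get("sAMAccountName", "").lower()] > 1, "sAMAccountName found in more than one OU"),
            (not e.get("userPrincipalName"), "userPrincipalName missing"),
            (int(e.get("userAccountControl", "0")) & ACCOUNTDISABLE, "account disabled"),
            (e.get("primaryGroupID") != DOMAIN_USERS_RID, "primaryGroupID is not 513 (Domain Users)"),
        ]
        return [msg for hit, msg in checks if hit]
    return {e["dn"]: r for e in entries if (r := reasons(e))}
```

A user's primary group is recorded in `primaryGroupID` on the user object rather than in the group's `member` attribute, so it has to be requested explicitly alongside the other attributes.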
                              • 12. Re: Active directory sync doesn't upload all members
                                Todd Schnack

                                That list of characteristics is extremely helpful! I am going to forward them to my AD team for investigation. THANK YOU!

                                • 13. Re: Active directory sync doesn't upload all members
                                  Todd Schnack

                                  Hi everyone. A quick update: running the sync manually via tabcmd at a command prompt will let you see details on any errors thrown by the sync process. By running the sync that way, I could see that the 20 users not being synced all had the same error "Can't resolve SID [...] (1332): No mapping between account names and security IDs was done.".

                                   

                                  In case it helps you, here's what I did to sync the group via tabcmd:

                                  1. Open Command Prompt
                                  2. cd /d "D:\Program Files\Tableau\Tableau Server\9.2\bin" [or wherever you installed Tableau Server]
                                  3. tabcmd login -s 'https:[your_tableau_server_url_here]' -u '[username]' -p '[password]' --no-certcheck
                                  4. tabcmd syncgroup "[domain]\[group_name]" --license unlicensed --no-certcheck
                                  5. tabcmd logout