Question

How dynamic are Active Directory Policy Limitations?

  • November 17, 2017

Have a Self Service Policy that is limited to specific users via an Active Directory group.

Client is complaining that they remove a user from the AD group, but the user can still see the policy in Self Service.

What's the mechanism here? When will the Policy "drop off" for that user? When their Mac checks in? When it Inventories? It's clearly NOT when they launch Self Service!

Would not having APNS be an issue here? (We don't have APNS... Not allowed by "Security".)

EDIT: User was removed from the AD group yesterday. Still sees the Policy in Self Service today.

4 replies

scottb
  • Valued Contributor
  • November 17, 2017

Anything done in AD has to propagate through the system. It could be short or long, depending on the size of the company and complexity of the AD infrastructure.
What if you give it time - say to be safe - one hour, then log out and back in to the Mac.
Does it still show?


  • Honored Contributor
  • November 17, 2017

Further to that, if the client has an active session within Self Service (not logged out) then it's going to continue to show until they re-login.


  • Author
  • Contributor
  • November 17, 2017

Sorry... False alarm. The Limitation had been removed from the Policy for testing. It's working better now!


  • Contributor
  • November 17, 2017

In my experience, what matters is what your bound LDAP server thinks at the time the user logs into Self Service. You didn't say the user was logging into Self Service, which makes me wonder if the system is in scope regardless.