How dynamic are Active Directory Policy Limitations?

jimd
New Contributor II

Have a Self Service Policy that is limited to specific users via an Active Directory group.

Client is complaining that they remove a user from the AD group, but the user can still see the policy in Self Service.

What's the mechanism here? When will the Policy "drop off" for that user? When their Mac checks in? When it Inventories? It's clearly NOT when they launch Self Service!

Would not having APNS be an issue here? (We don't have APNS... Not allowed by "Security".)

EDIT: User was removed from the AD group yesterday. Still sees the Policy in Self Service today.

4 REPLIES

scottb
Honored Contributor

Anything done in AD has to propagate through the system. It could be short or long, depending on the size of the company and complexity of the AD infrastructure.
What if you give it time - say to be safe - one hour, then log out and back in to the Mac.
Does it still show?

rderewianko
Valued Contributor II

Further to that, if the client has an active session within Self Service (not logged out) then it's going to continue to show until they re-login.

jimd
New Contributor II

Sorry... False alarm. The Limitation had been removed from the Policy for testing. It's working better now!

alexjdale
Valued Contributor III

In my experience, what matters is what your bound LDAP server thinks at the time the user logs into Self Service. You didn't say the user was logging into Self Service, which makes me wonder if the system is in scope regardless.