cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Did you get an answer that solved your problem? Please mark it as an Accepted Solution so others with the same problem can find the answer easily. X

Windchill AD sync causes profile corruption when switching licenses

WFD
6-Contributor
6-Contributor
‎Sep 23, 2024 06:36 AM
‎Sep 23, 2024 06:36 AM

Windchill AD sync causes profile corruption when switching licenses

Version: Windchill 13.0

 

Use Case: - User is in AD license group X1234 which is part of the Advance license in Windchill. User has advanced license profile in participant administration. - User is removed from group X1234 and put in group X4321 which is part of the Base license in Windchill. - After 5-20 minutes user is part of the new license group in Windchill but his user profile remains Advanced - Clearing the user from the partipant cache (or restarting Windchill) changes the profile to the expected Base profile.


Description:

We have Active Directory synchronization and the license groups in AD are linked to the license groups in Windchill. Now when I move a user from one AD license group (e.g. Advanced) to another (e.g. Base) the license group gets reflected after a while in the participant administration (when user connects again) BUT the license profile of the user does not update, hence causing very strange UI behavior (e.g. search tab disappearing, menu items disappearing). It can be easily fixed by clearing the participant cache for that specific user or restarting Windchill, but both are not automated nor desired because we have to wait till an incident is reported before we can fix it. 

 

This is happening in Windchill 13 but also in Windchill 12 BTW.

 

We have the wt.org.userSyncTime updated to 12 hours instead of default 7 days and we have the wt.inf.team.userScheduledRefreshGroups and wt.inf.team.refreshGroupsDailyQueueTime set but also when we disable this it makes no difference. And it happens within 30 minutes the AD value is changed anyway. 

Waiting a day doesn't fix the user either.

 

Any idea's why this is happening and what we could do about this? Anybody else having this issue?

Labels:
0 Kudos
Notify Moderator
6 REPLIES 6
avillanueva
22-Sapphire II
22-Sapphire II
(To:WFD)
‎Sep 23, 2024 08:12 AM
‎Sep 23, 2024 08:12 AM

This article echoes what you are seeing: https://www.ptc.com/en/support/article/CS394014?source=search

Not much here other what you already know. The only thing it says is best practices it to only manage users on the AD side and to leave the group relationships on the Windchill side. I would think this is for the reason you are saying. I am sure that others who manage groups in AD will chime in with their experiences. Seems like the only way to do this is to increase the sync time to a very short time or handle it manually. Depends on how often this data is changing. If infrequent, add it to the task list when making these group changes.

0 Kudos
Notify Moderator
WFD
6-Contributor
6-Contributor
(To:avillanueva)
‎Sep 23, 2024 09:11 AM
‎Sep 23, 2024 09:11 AM

Hmm, well, the problem is not actually that the groups are not synching, that works fine (unlike what the article says, so I guess we are lucky there), but what does not work is that the associated license profiles are not updated according to the new license group... 

 

but if PTC recommends only to synchronize users and not groups from AD why do they offer the option of synchronizing groups? We have automation for all our AD groups... having to revert back to manually maintaining users in Windchill group would be a real pain... no way to automate this right?

0 Kudos
Notify Moderator
HelesicPetr
22-Sapphire I
22-Sapphire I
(To:WFD)
‎Sep 24, 2024 03:15 AM
‎Sep 24, 2024 03:15 AM

Hi @WFD 

You can just write own custom function that could do what you do manually to repair the profile synch.. 

PetrH

AVENG
0 Kudos
Notify Moderator
WFD
6-Contributor
6-Contributor
(To:HelesicPetr)
‎Sep 24, 2024 09:54 AM
‎Sep 24, 2024 09:54 AM

Well maybe, but how would I know which user to clear the cache of? 

I actually tried the option to set the wt.principal.cache.timeToLive and that actually speeds up the visibility of the problem... so the user is updated to the new AD license group quickly but it doesn't solve the profile not synching with that new license. So it seems it's a secondary effect of the clear participant cache that the profile get's fixed but setting a timeToLive for the cache doesn't seem to have the same effect.

0 Kudos
Notify Moderator
Catalina
Moderator
Moderator
(To:WFD)
‎Sep 27, 2024 05:23 AM
‎Sep 27, 2024 05:23 AM

Hi @WFD,


I wanted to see if you got the help you needed.


If so, please mark the appropriate reply as the Accepted Solution. It will help other members who may have the same question.
Please note that industry experts also review the replies and may eventually accept one of them as solution on your behalf.


Of course, if you have more to share on your issue, please pursue the conversation.

Thanks,

Catalina
PTC Community Moderator
0 Kudos
Notify Moderator
HelesicPetr
22-Sapphire I
22-Sapphire I
(To:WFD)
‎Sep 27, 2024 05:30 AM
‎Sep 27, 2024 05:30 AM

Hi @WFD 

How do you know the user with the issue now? 

PetrH

AVENG
0 Kudos
Notify Moderator
Announcements

Contact Community Management
Top Tags