Community Tip - Stay updated on what is happening on the PTC Community by subscribing to PTC Community Announcements. X
Version: Windchill 13.0
Use Case: - User is in AD license group X1234 which is part of the Advance license in Windchill. User has advanced license profile in participant administration. - User is removed from group X1234 and put in group X4321 which is part of the Base license in Windchill. - After 5-20 minutes user is part of the new license group in Windchill but his user profile remains Advanced - Clearing the user from the partipant cache (or restarting Windchill) changes the profile to the expected Base profile.
Description:
We have Active Directory synchronization and the license groups in AD are linked to the license groups in Windchill. Now when I move a user from one AD license group (e.g. Advanced) to another (e.g. Base) the license group gets reflected after a while in the participant administration (when user connects again) BUT the license profile of the user does not update, hence causing very strange UI behavior (e.g. search tab disappearing, menu items disappearing). It can be easily fixed by clearing the participant cache for that specific user or restarting Windchill, but both are not automated nor desired because we have to wait till an incident is reported before we can fix it.
This is happening in Windchill 13 but also in Windchill 12 BTW.
We have the wt.org.userSyncTime updated to 12 hours instead of default 7 days and we have the wt.inf.team.userScheduledRefreshGroups and wt.inf.team.refreshGroupsDailyQueueTime set but also when we disable this it makes no difference. And it happens within 30 minutes the AD value is changed anyway.
Waiting a day doesn't fix the user either.
Any idea's why this is happening and what we could do about this? Anybody else having this issue?
This article echoes what you are seeing: https://www.ptc.com/en/support/article/CS394014?source=search
Not much here other what you already know. The only thing it says is best practices it to only manage users on the AD side and to leave the group relationships on the Windchill side. I would think this is for the reason you are saying. I am sure that others who manage groups in AD will chime in with their experiences. Seems like the only way to do this is to increase the sync time to a very short time or handle it manually. Depends on how often this data is changing. If infrequent, add it to the task list when making these group changes.
Hmm, well, the problem is not actually that the groups are not synching, that works fine (unlike what the article says, so I guess we are lucky there), but what does not work is that the associated license profiles are not updated according to the new license group...
but if PTC recommends only to synchronize users and not groups from AD why do they offer the option of synchronizing groups? We have automation for all our AD groups... having to revert back to manually maintaining users in Windchill group would be a real pain... no way to automate this right?
Hi @WFD
You can just write own custom function that could do what you do manually to repair the profile synch..
PetrH
Well maybe, but how would I know which user to clear the cache of?
I actually tried the option to set the wt.principal.cache.timeToLive and that actually speeds up the visibility of the problem... so the user is updated to the new AD license group quickly but it doesn't solve the profile not synching with that new license. So it seems it's a secondary effect of the clear participant cache that the profile get's fixed but setting a timeToLive for the cache doesn't seem to have the same effect.
Hi @WFD,
I wanted to see if you got the help you needed.
If so, please mark the appropriate reply as the Accepted Solution. It will help other members who may have the same question.
Please note that industry experts also review the replies and may eventually accept one of them as solution on your behalf.
Of course, if you have more to share on your issue, please pursue the conversation.
Thanks,
Hi Catalina, unfortunately upto now not any solution for this issue (except for manually doing a clear cache for the user or restarting the windchill server)... so even setting the cache to timeout after 30 minutes does not do the same thing as actually manually clearing the user from the cache.
Hi PetrH,
I'm not sure I understand your question. I'm the user having the issue. I can reproduce it very easily on all our enviroments.
Hi @WFD
I just ask how do you find the user with the issue now.
So You have to know a way how to find the user with this issue and write a code that can do it automatically . .
PetrH.
Ah yes, now I understand your question. I can see the problem when I examine the user in the participant administration and I see a mismatch between de license group the user is in and the license profile the user is in... unfortunately I have no idea how to find that use using a filter or api call... so yeah that would be nice to be able to find. Alternatively I've also considered to always clear a user from the cache after a license change has been requested... but that is creating a customization as well so not really a wanted option either.
Hi @WFD
I guess that the "user friendly" solution will be always customization.
You have already known the workaround> find the user, clear them from the cache.
PetrH
If you view the affected user's details from Participant Administration and then choose 'remove from cache', Windchill will recalculate their license profile membership. This is assuming you have already performed a 'recalculate group membership' on all affected groups first.