cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

We are happy to announce the new Windchill Customization board! Learn more.

Windchill - Disconnected Principal

MarcHendrickson
1-Newbie

Windchill - Disconnected Principal

Over the last year we have been working on re-structuring our Corp LDAP, e.g. DN names, groups, etc.. In addition when individual are nolonger with the organization and their LDAP account is disabled or deleted from the Corp LDAP. We have seen and defined specific situaltion all requiring different resolution process by either correcting with SQL scripts or using the admin utilities maintenance UI. In some cases Windchill UI functionality does not work so SQL scripts are the only method or the amount of effort required to use the UI is not efficient so scripts are used. In addition updating disconnected principals WTgroups only can be achieved via the maintenance UI.

When disconnected principals exist in the system two scenarios occur, 1- disconnected WTusers cause PDM to slow if users are part of a workflow and can cause PDM to stop responding or 2 - disconnected WTgroups will present users attempting to access the system with an error and PDM is not accessible. When either of these occur the systems user across the organization can not access PDM, thus an enterprise down situation occurs, not fun!

Does anyone have input this issue on how you have addressed this internal to your organization?

Does anyone have white paper type information on this issues and/or principal interface between Active Directory and WindchillDS or Aphelion?

FYI in the last 2 days I have tested or dealt with this issue on both a PDM 9.0 M060 Productin Server environment and a PDM 9.1 PDM M040 Development server and they both respond exactly the same so no changes or improvements have been made moving to WindchillDS or PDM 9.1, but I could be no informed also. Any input would be appreciated, thanks.

6 REPLIES 6

I'll try to provide you what you are looking for as an answer in my first blog post this weekend.

There are many people interested in the same thing. I'll give you a hint for now. The easiest way to maintain disconnected principals is to reconnect them in Aphelion or Windchill DS and update the correct database table entries whilst setting an increidbly hard password on the account, creating an ACL deny rule on everything for that userid.

My new blog:

http://communities.ptc.com/blogs/windchillguru

David DeMay

Looked at your blog and saw nothing, any ETA on when you will have time to comment?

It is also a issue that trouble me. Wish PTC give a enterprise directory service mantaince solution, so can easy our task and improve management.

Mark,

I have SQL scripts that will update your WTUser table to correct the accounts taht are showing up as being disconnected. Not going to share ALL of my secrests on here.

Hit me up via email or on a private thread, and I will walk you through on how to do this. It's fairly simple, but a little time consuming. I had to go through a similiar situation where a VAR we were working with imported our whole AD scheme creating dual entries for each user. It was a mess, but I was able to clean it up without having to get PTC's tech support involved. I am VERY intimate with this database.

- Patrick

This article is only for Windchill 9.1

if a user is disconnected repaineeded flag is set to 1 in the wtgroup table. Possibility of that is either the DN has changed in AD or something wrong/deleted in the DB.

How to check it

select ida2a2,repairneeded from wtgroup where name='group-name';

lets says we get ida2a2=1234 as output

select remoteid from remoteobjectinfo where ida3a3=1234;

remoteid=5678

finally

select remoteobjectid from remoteobjectid where ida2a2=5678;

This will yeild you the DN that is currently present in the DB. If its wrong you can fix the remoteobjectid value for this ida2a2 value. Then set the repairneeded flag to 0 in the wtgroup table.

Same applies for wtuser.

This is what we check when we get a disconnected principal.

dtran-4
6-Contributor
(To:PatrickLee)

Hi,

 

I really like to have SQL script to reconnect disconnected user from AD to Windchill DS. I have been doing more than one user via Windchill GUI and it is time consuming. Please provide me steps or SQL to do this

Top Tags