Skip to main content
W
WFD8-Gravel
8-Gravel
September 23, 2024
Question

Windchill AD sync causes profile corruption when switching licenses

  • September 23, 2024
  • 1 reply
  • 2274 views

Version: Windchill 13.0

 

Use Case: - User is in AD license group X1234 which is part of the Advance license in Windchill. User has advanced license profile in participant administration. - User is removed from group X1234 and put in group X4321 which is part of the Base license in Windchill. - After 5-20 minutes user is part of the new license group in Windchill but his user profile remains Advanced - Clearing the user from the partipant cache (or restarting Windchill) changes the profile to the expected Base profile.


Description:

We have Active Directory synchronization and the license groups in AD are linked to the license groups in Windchill. Now when I move a user from one AD license group (e.g. Advanced) to another (e.g. Base) the license group gets reflected after a while in the participant administration (when user connects again) BUT the license profile of the user does not update, hence causing very strange UI behavior (e.g. search tab disappearing, menu items disappearing). It can be easily fixed by clearing the participant cache for that specific user or restarting Windchill, but both are not automated nor desired because we have to wait till an incident is reported before we can fix it. 

 

This is happening in Windchill 13 but also in Windchill 12 BTW.

 

We have the wt.org.userSyncTime updated to 12 hours instead of default 7 days and we have the wt.inf.team.userScheduledRefreshGroups and wt.inf.team.refreshGroupsDailyQueueTime set but also when we disable this it makes no difference. And it happens within 30 minutes the AD value is changed anyway. 

Waiting a day doesn't fix the user either.

 

Any idea's why this is happening and what we could do about this? Anybody else having this issue?

1 reply

avillanueva
23-Emerald I
avillanueva23-Emerald I
23-Emerald I
September 23, 2024

This article echoes what you are seeing: https://www.ptc.com/en/support/article/CS394014?source=search

Not much here other what you already know. The only thing it says is best practices it to only manage users on the AD side and to leave the group relationships on the Windchill side. I would think this is for the reason you are saying. I am sure that others who manage groups in AD will chime in with their experiences. Seems like the only way to do this is to increase the sync time to a very short time or handle it manually. Depends on how often this data is changing. If infrequent, add it to the task list when making these group changes.

W
WFD8-GravelAuthor
8-Gravel
September 23, 2024

Hmm, well, the problem is not actually that the groups are not synching, that works fine (unlike what the article says, so I guess we are lucky there), but what does not work is that the associated license profiles are not updated according to the new license group... 

 

but if PTC recommends only to synchronize users and not groups from AD why do they offer the option of synchronizing groups? We have automation for all our AD groups... having to revert back to manually maintaining users in Windchill group would be a real pain... no way to automate this right?

HelesicPetr
22-Sapphire II
HelesicPetr22-Sapphire II
22-Sapphire II
September 24, 2024

Hi @WFD 

You can just write own custom function that could do what you do manually to repair the profile synch.. 

PetrH

Terms & ConditionsAccessibility statement