Troubleshooting Tip: Remote user sync rule is not removing or updating users
Description
This article explains why running a remote user sync rule adds new users but does not remove users who have been deleted from the remote LDAP server or who are no longer members of the group configured in the sync rule.
Scope
FortiAuthenticator.
Solution
There are two possible causes:
- The maximum number of licensed users has been reached. In this case the following warning message appears: 'Cannot add user from LDAP server ... because the maximum user limit has been reached.'
The sync rule runs in two stages: it first adds users, and only then removes users.
Because the rule cannot complete the first stage once the user limit is hit, the deletion stage never runs.
If the total number of users exceeds the current license, users must be deleted manually or the license upgraded before the rule can remove stale users.
- If the license warning above is not seen, the sync rule option 'Do not delete synced users when they are no longer found on the remote server' is not enabled, the rule's group filter matches the users' group, and the users are still not removed, then it is highly likely that the users which should be removed were originally imported manually rather than through this sync rule.
This is by design: users imported manually, or through a different, pre-existing sync rule, are not updated or managed by a new sync rule.
Manual deletion of those users is necessary.
Deleting all the affected users and then importing them only through the sync rule is also an option, provided no 2FA is configured for the active users, since that configuration would be lost with the deletion.
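The following pre-flight check, added here as an illustration and not code from the article or from FortiAuthenticator, models the behaviour described above: the rule adds users before it removes them, stale users that were imported manually are never touched by the rule, and the removal stage is skipped when the licensed user limit is reached during the add stage. The user list, import sources, LDAP group membership and license limit are constructed sample data; the "sync_rule" and "manual" labels are assumptions for this example, not FortiAuthenticator field names.

```python
"""Model of a FortiAuthenticator remote user sync run (added example).

Given the users currently present on the FortiAuthenticator (with how each
was imported), the current members of the LDAP group matched by the sync
rule's filter, and the licensed user limit, report what the two-stage sync
would do and which stale users need manual deletion.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FacUser:
    username: str
    source: str  # "sync_rule" or "manual" (assumed labels for this example)


# Constructed sample data: four users on the FAC, one imported manually.
SAMPLE_FAC_USERS = [
    FacUser("alice", "sync_rule"),
    FacUser("bob", "sync_rule"),
    FacUser("carol", "manual"),     # manually imported, so the rule never removes her
    FacUser("dave", "sync_rule"),   # removed from the LDAP group since last sync
]
# Constructed sample: current members of the LDAP group the rule filters on.
SAMPLE_LDAP_GROUP = {"alice", "bob", "erin", "frank"}


def plan_sync(fac_users, ldap_members, license_limit, keep_stale=False):
    """Return what one sync run would do.

    Stage 1 adds LDAP members missing on the FAC, stopping when the license
    limit is reached. Stage 2 removes users imported by this rule that are no
    longer LDAP members, but only if stage 1 completed and the rule option
    'Do not delete synced users ...' (keep_stale) is off.
    """
    fac_names = {u.username for u in fac_users}
    to_add = sorted(ldap_members - fac_names)
    headroom = max(0, license_limit - len(fac_names))
    added = to_add[:headroom]
    license_blocked = len(to_add) > headroom

    stale_synced = sorted(u.username for u in fac_users
                          if u.source == "sync_rule" and u.username not in ldap_members)
    stale_manual = sorted(u.username for u in fac_users
                          if u.source == "manual" and u.username not in ldap_members)

    removed_by_rule = [] if (license_blocked or keep_stale) else stale_synced
    return {
        "to_add": to_add,
        "added": added,
        "license_blocked": license_blocked,
        "removed_by_rule": removed_by_rule,
        # Manually imported stale users always need manual deletion; synced
        # stale users do too while the add stage is blocked by the license.
        "needs_manual_deletion": sorted(
            stale_manual + (stale_synced if license_blocked else [])),
    }


def report(plan):
    """Human-readable summary of a plan_sync() result."""
    lines = [f"stage 1: would add {plan['added']} (wanted {plan['to_add']})"]
    if plan["license_blocked"]:
        lines.append("stage 1 hits the license limit: stage 2 (removal) does not run")
    lines.append(f"stage 2: rule removes {plan['removed_by_rule']}")
    lines.append(f"delete manually (or upgrade license): {plan['needs_manual_deletion']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- license limit 5 ---")
    print(report(plan_sync(SAMPLE_FAC_USERS, SAMPLE_LDAP_GROUP, license_limit=5)))
    print("--- license limit 10 ---")
    print(report(plan_sync(SAMPLE_FAC_USERS, SAMPLE_LDAP_GROUP, license_limit=10)))
```

With a limit of 5 the run has headroom for only one of the two new LDAP members, so the add stage stalls, nothing is removed, and both `carol` (manual import) and `dave` (stale synced user) show up as needing manual deletion. With a limit of 10 the rule adds both new users and removes `dave` itself, while `carol` still has to be deleted by hand because the rule never managed her.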