FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
mturic
Staff & Editor
Article Id 191546

Description
Running the remote user sync rule only adds new users; it does not remove users that have been deleted from the remote LDAP server or that are no longer members of the group configured in the sync rule.
Solution

There are two possible causes:
  1. The maximum number of licensed users has been reached. The following warning message appears: 'Cannot add user from LDAP server ... because the maximum user limit has been reached..'

The sync rule runs in two stages: it first adds users, then it removes users.
Since the rule cannot get past the first stage, user deletion never occurs.
Manual deletion or a license upgrade is needed if the total number of users exceeds the current license.

  2. If the warning from point 1 is not seen, the sync rule option 'Do not delete synced users when they are no longer found on the remote server' is not enabled, the rule's group filter matches the users' group, and the users are still not removed, then it is highly likely that the users which should be removed were initially imported manually rather than through a sync rule.



This is by design: manually imported users will not be updated by a sync rule.

Manual deletion of those users is necessary.
Deleting all the users and then importing them only through the sync rule is also an option if no 2FA is configured on the active users.
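The two-stage behaviour of the sync rule and the manual-import exception described above, as an added illustrative model that is not FortiAuthenticator code: the LocalUser and SyncResult types, the run_sync_rule function, the keep_unsynced flag and the sample user lists are assumptions constructed for this example.

```python
# Illustrative model of the sync rule behaviour described in this article.
# Assumption: this is NOT FortiAuthenticator code; names and structures are invented.
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    name: str
    synced: bool  # True if created by a sync rule, False if imported manually


@dataclass
class SyncResult:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    skipped_manual: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def run_sync_rule(local_users, remote_members, license_limit, keep_unsynced=False):
    """Stage 1 adds remote members; stage 2 removes stale synced users.

    Stage 2 only runs if stage 1 completes, so hitting the license limit
    leaves every stale user in place (cause 1 in the article).
    keep_unsynced models the 'Do not delete synced users ...' option (cause 2).
    """
    users = list(local_users)
    result = SyncResult()
    # Stage 1: add remote members that do not exist locally yet.
    for name in remote_members:
        if any(u.name == name for u in users):
            continue
        if len(users) >= license_limit:
            # Models the license warning quoted in the article (wording is constructed).
            result.warnings.append(f"maximum user limit reached; cannot add {name}")
            return users, result  # rule stops here; stage 2 never runs
        users.append(LocalUser(name, synced=True))
        result.added.append(name)
    # Stage 2: remove synced users no longer found on the remote server.
    if keep_unsynced:
        return users, result
    remaining = []
    for u in users:
        if u.name in remote_members:
            remaining.append(u)
        elif not u.synced:
            result.skipped_manual.append(u.name)  # manual imports are never touched
            remaining.append(u)
        else:
            result.removed.append(u.name)
    return remaining, result
```

Users listed in skipped_manual are the ones the article says must be deleted by hand.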
