DirSync – Identify deleted users

During my DNUG47 Online session on “Active Directory Synchronisation with HCL Domino v11 DirSync” I was asked if it is possible to identify users that have been synced to the Domino Directory and later on deleted in Active Directory.

Two scenarios must be distinguished here.

  • The user has been synced from AD but not registered in the Domino Directory.
  • The user has been synced and registered in the Domino Directory using the “Register selected user” functionality.

In the first case, users that have been deleted from the AD are also deleted from the Domino Directory.

In the latter case, users are NOT deleted from the Domino Directory.

But how can we tell whether a user in the Domino Directory was originally added from Active Directory?

Let us take a closer look into the document properties of such a user.

When a user has been synced by DirSync, you will see the “briefcase” icon to the left of the user name.

In addition, several items are added to the Domino document, namely ‘objectGUID’, ‘$$DirsyncDigest’, ‘$$DirsyncDomain’ and ‘$$LdapDN’.

When the user has been registered, the “AvailableForDirSync” item is added to the document as well.

When you remove the user from the Active Directory, you will see the following output on the Domino Console.

[0868:0005-2A30] DirSync
DirSync Removed 'objectGUID', '$$DirsyncDigest', '$$DirsyncDomain' and '$$LdapDN' for registered user 'CN=James Kirk/O=singultus' with Note ID '33810'.
[0868:0005-2A30] DirSync NOTE: This registered user is now DISCONNECTED from its AD counterpart and can be reconnected later by matching the e-mail address.
[0868:0005-2A30] DirSync resyncall - SyncFromLDAPToNAB completed in: 0.71 seconds

Keep in mind that you need to perform a full “Resync” to change the user state in the Domino Directory.

When we now look into the document properties, we will see the following.

First of all, you see that the “briefcase” icon is no longer shown.

As stated in the console output, ‘objectGUID’, ‘$$DirsyncDigest’, ‘$$DirsyncDomain’ and ‘$$LdapDN’ have been removed from the document, but the “AvailableForDirSync” item is still there.

So the presence of the “AvailableForDirSync” item without the four DirSync items can be used as an indicator to identify user records that have been synced from Active Directory, registered as Notes users, and removed at some point from Active Directory.
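The following LotusScript agent is an added example, not code from the original post or from HCL. It walks the Person documents in names.nsf and reports every record that still carries “AvailableForDirSync” but none of the four DirSync items, i.e. registered users that were later removed from AD. It assumes the agent runs on the Domino server against the local names.nsf and that the directory has the standard “People” view.

```lotusscript
Option Declare

' Added example (not from the original post): list registered users whose
' DirSync link items were removed by a resync because the AD account is gone.
' Assumptions: runs as a server agent against the local names.nsf, which has
' the standard "People" view.
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim view As NotesView
    Dim doc As NotesDocument
    Dim disconnected As Long

    Set db = session.GetDatabase("", "names.nsf")
    Set view = db.GetView("People")
    Set doc = view.GetFirstDocument

    Do While Not doc Is Nothing
        ' "AvailableForDirSync" survives only on users that were registered
        ' via "Register selected user" after being synced from AD.
        If doc.HasItem("AvailableForDirSync") Then
            ' The four link items are removed by DirSync once the AD
            ' counterpart no longer exists; without them the user is
            ' disconnected from AD but still present in the directory.
            If Not doc.HasItem("objectGUID") _
                And Not doc.HasItem("$$DirsyncDigest") _
                And Not doc.HasItem("$$DirsyncDomain") _
                And Not doc.HasItem("$$LdapDN") Then
                disconnected = disconnected + 1
                Print "Disconnected from AD: " & doc.GetItemValue("FullName")(0) _
                    & " (Note ID " & doc.NoteID & ")"
            End If
        End If
        Set doc = view.GetNextDocument(doc)
    Loop

    Print "Registered users disconnected from AD: " & CStr(disconnected)
End Sub
```

The listed records are candidates for review, since deletion in AD does not remove registered users from the Domino Directory.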