CIE - user/group deletion on AD server not reflected in CIE

Created On 01/19/23 02:52 AM - Last Modified 11/11/25 19:58 PM


Symptom


Object updates and additions are reflected in CIE promptly without any issue, but object deletions are not reflected.



Environment


Prisma Access
CIE
Directory sync


Resolution


Currently, CIE has to compare all objects (via objectGUID) in its database with all objects retrieved from AD in order to work out which objects were deleted from AD. This is quite an expensive operation (retrieving the DN and objectGUID of every AD object and comparing them), so to reduce unnecessary load on both the customer's AD and CIE, CIE only checks for object deletions every 12 hours. "Sync Change" only retrieves object updates and additions; it does not go through the lengthy deletion detection logic. "Full sync" retrieves all AD objects.
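As an added illustration (not Palo Alto Networks code) of why a change-based sync cannot surface deletions while a full retrieval can, the following Python model keys the cache on objectGUID rather than DN; all GUIDs and DNs are constructed sample values.

```python
# Added illustration (not Palo Alto Networks code) of the two sync modes the
# article describes: "Sync Change" applies adds/updates only, "Full sync"
# retrieves every AD object so deletions can be found by an objectGUID diff.
# All GUIDs and DNs below are constructed sample values.

ALICE = "11111111-aaaa-4bbb-8ccc-000000000001"
BOB = "11111111-aaaa-4bbb-8ccc-000000000002"
VPN_GROUP = "11111111-aaaa-4bbb-8ccc-000000000003"
CAROL = "11111111-aaaa-4bbb-8ccc-000000000004"

# CIE-side cache: objectGUID -> DN, as of the last completed sync.
CIE_DB = {
    ALICE: "CN=alice,OU=Users,DC=example,DC=com",
    BOB: "CN=bob,OU=Users,DC=example,DC=com",
    VPN_GROUP: "CN=vpn-users,OU=Groups,DC=example,DC=com",
}

# "Sync Change" payload: only objects added or modified since that sync.
# bob was moved to another OU (DN changes, objectGUID does not); carol is new.
CHANGE_FEED = {
    BOB: "CN=bob,OU=Contractors,DC=example,DC=com",
    CAROL: "CN=carol,OU=Users,DC=example,DC=com",
}

# "Full sync" payload: DN and objectGUID of every object currently in AD.
# vpn-users was deleted in AD, so it is absent here.
FULL_SNAPSHOT = {
    ALICE: "CN=alice,OU=Users,DC=example,DC=com",
    BOB: "CN=bob,OU=Contractors,DC=example,DC=com",
    CAROL: "CN=carol,OU=Users,DC=example,DC=com",
}


def apply_change_sync(db, changes):
    """Merge adds/updates only; nothing is removed, so AD deletions stay stale."""
    return {**db, **changes}


def detect_deletions(db, full_snapshot):
    """objectGUIDs present in the cache but missing from the full AD retrieval."""
    return set(db) - set(full_snapshot)


def apply_full_sync(db, full_snapshot):
    """Replace the cache with the snapshot and report which objects disappeared."""
    deleted = detect_deletions(db, full_snapshot)
    return dict(full_snapshot), deleted
```

Keying on objectGUID is what lets a move or rename (bob) be treated as an update rather than a delete plus an add; until a full sync runs, the deleted group remains in the cache.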
