KNOWLEDGE BASE

Manually Added Ad User Are Removed From Synchronized Groups


Published: 23 Apr 2021
Last Modified Date: 30 Apr 2021

Issue

Manually added AD users were removed from AD groups after Tableau Server synchronized with AD.

Following error messages can be found ​​​​​in backgrounder logs :

2021-03-25 14:02:46.390 -0500 (SiteName,,,,7578153,:sync_ad_group,4de87d2a-8d4d-455d-bad3-f2c9d1753b73) pool-31-thread-1 backgrounder: INFO com.tableausoftware.domain.user.service.SyncWithActiveDirectoryLogic - Syncing 541 users for active directory group Domain\ADGroupName 2021-03-25 14:02:48.257 -0500 (Origination Analytics,,,,7578153,:sync_ad_group,4de87d2a-8d4d-455d-bad3-f2c9d1753b73) pool-31-thread-1 backgrounder: INFO com.tableausoftware.domain.user.service.SyncWithActiveDirectoryLogic - User username@Domain was removed from the group but is still active in AD.
2021-03-25 14:02:48.258 -0500 (SiteName,,,,7578153,:sync_ad_group,4de87d2a-8d4d-455d-bad3-f2c9d1753b73) pool-31-thread-1 backgrounder: INFO com.tableausoftware.domain.user.service.SyncWithActiveDirectoryLogic - SyncComplete: Added 0 users to the active directory group Domain\ADGroupName with 0 users not getting upgraded siteRole due to shortage of licenses. 0 had their data updated and 0 had their siterole updated and 1 were removed from group.

Environment

  • Tableau Server
  • Windows Server 2019
  • Active Directory

Resolution

Update/add the users to group in Active Directory and sync with Tableau Server.
Once users are added to the group in AD, Tableau Server will be able to update those users by synchronizing the list of AD group users in Tableau Server with the AD group in AD.

Cause

This is by design. AD group/users are synchronized from AD to Tableau Server. You cannot add a user to a group on Tableau Server and then sync back to AD. 
Adding users to groups is only available when the identity store is Local. For external identity story(LDAP/AD), manually added users will still be active in AD but will be removed from sync'd groups in Tableau Server.
Did this article resolve the issue?