Duplicate users cause user-targeted mandatory deployment issues


Last Friday one customer said their users didn’t get any applications from Software Center. So I started to check what the issue was, or whether there was any issue at all.

Applications are deployed to user collections as mandatory. Based on the reports, applications were installed for some users successfully and there were no errors in the reports, but most users just showed as unknown. So I thought, well, “maybe people are on holiday, maybe machines are just not online, the user didn’t log on…”. But I decided to double check: those machines were online and users were logged on to their workstations, so why were the applications not installing?

I deployed one of the applications to myself as a mandatory deployment, and it installed nicely. So I started to check PolicyAgent.log, and it seemed the client was not getting user assignments at all. So I checked client settings, MP, boundaries, boundary groups, network, IPsec, GPO… everything that came to my mind. Still no luck.

So today I contacted my colleague Haarala Tommi. I told him what issues we had and what kinds of things I had already checked, and asked him if he had other ideas about it.
Very soon, Tommi sent me an email: he had found the problem…

Duplicate Users!!!

Honestly, I wouldn’t have been able to figure this out by myself, because I assumed this should never happen!

So we tested removing a few duplicate users, and after that the application deployed successfully.

Why do we have duplicate users? Well, it seems that for some reason those user accounts were created, deleted, then recreated again with exactly the same SamAccountName and Name attributes.

So this is how it went wrong:
1. Create a new user John Doe. Use AD attribute Name John Doe T, SamAccountName john.doe, UserPrincipalName: [email protected]
2. SCCM user discovery puts ZIT\john.doe (John Doe T) in the database.
3. Delete user John Doe.
4. Create a new user John Doe again. Use AD attribute Name John Doe T, SamAccountName john.doe, UserPrincipalName: [email protected]
5. SCCM user discovery puts another ZIT\john.doe (John Doe T) in the database, with a new Resource ID.
6. Now you have two “ZIT\john.doe (John Doe T)” records in your SCCM. In this case, user-targeted mandatory deployment will not work!

Here is a query to get all the duplicate users; you can modify it as you wish:

select distinct R.ResourceId, R.Name, R.UserName, R.UserOUName
from SMS_R_User as R
full join SMS_R_User as s1 on s1.ResourceId = R.ResourceId
full join SMS_R_User as s2 on s2.Name = s1.Name
where s1.Name = s2.Name and s1.ResourceId != s2.ResourceId
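The query returns every record in a duplicate group but does not say which one belongs to the deleted account. The sketch below is an added example, not code from the original post: it groups exported records by Name and marks each one as current or stale by comparing its SID with the account's SID in AD today. It assumes the export includes a SID column and that you supply the current AD SIDs yourself; the helper name and all sample values are constructed.

```powershell
# Constructed sample rows (not real data), shaped like user discovery records.
$discovered = @(
    [pscustomobject]@{ ResourceId = 2063597570; Name = 'ZIT\john.doe (John Doe T)'; SID = 'S-1-5-21-1000000001-1000000002-1000000003-1104' }
    [pscustomobject]@{ ResourceId = 2063597611; Name = 'ZIT\john.doe (John Doe T)'; SID = 'S-1-5-21-1000000001-1000000002-1000000003-1187' }
    [pscustomobject]@{ ResourceId = 2063597580; Name = 'ZIT\jane.roe (Jane Roe)';   SID = 'S-1-5-21-1000000001-1000000002-1000000003-1120' }
)

# Constructed lookup: the SID each account has in AD today (assumption: exported
# separately). A deleted and recreated account always receives a new SID.
$currentSid = @{
    'ZIT\john.doe (John Doe T)' = 'S-1-5-21-1000000001-1000000002-1000000003-1187'
    'ZIT\jane.roe (Jane Roe)'   = 'S-1-5-21-1000000001-1000000002-1000000003-1120'
}

function Get-DuplicateUserRecord {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]]  $Records,
        [Parameter(Mandatory)] [hashtable] $CurrentSid
    )
    # Group-Object compares names case-insensitively, as AD does.
    $Records |
        Group-Object -Property Name |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            foreach ($r in $_.Group) {
                $status = if (-not $CurrentSid.ContainsKey($r.Name)) {
                    'Unknown'    # no AD lookup available: do not guess
                } elseif ($CurrentSid[$r.Name] -eq $r.SID) {
                    'Current'    # record matches the live account
                } else {
                    'Stale'      # record belongs to the deleted account
                }
                [pscustomobject]@{
                    Name = $r.Name; ResourceId = $r.ResourceId; SID = $r.SID; Status = $status
                }
            }
        }
}

# Only the two john.doe rows are reported; jane.roe has a single record.
Get-DuplicateUserRecord -Records $discovered -CurrentSid $currentSid | Format-Table -AutoSize
```

Records marked Stale are the candidates for removal; a group where every record is Stale or Unknown needs a manual check against AD before anything is deleted.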

I really need to think about how to prevent this from happening again. 🙂
