Rob Brown via FreeIPA-users wrote:
Our company recently implemented FreeIPA to replace a cent5 kerberos
infrastructure. We set it up with a Winsync agreement with an AD domain,
and it is working pretty well.
Our user disposition workflow in AD is this: user account is disabled,
and moved to a "terminated users" OU in AD. The account disable sync was
working fine to IPA, but yesterday I decided to "clean up" the Active
Users list in IPA, by deleting (with --preserve) all the disabled
accounts (there were many). This looked fine from the IPA side: the
accounts got moved into the Preserved users area (in the gui).
However, much to my dismay I later discovered that all of the termed
accounts in AD are gone. WHAT!!!???
This is bad (for historical/compliance), and came as a shock to me,
because the docs say: "While modifications are bi-directional (going
both from Active Directory to IdM and from IdM to Active Directory),
creating or adding accounts are only uni-directional, from Active
Directory to Identity Management". So WHY ON EARTH would a delete be
bi-directional? I'm suspecting (hoping) that the accounts weren't
actually deleted, that they are just hidden somewhere in AD that I can't
see. PLEASE, if anyone can point me in the right direction here as to
what happened I would appreciate it.
As someone mentioned in IRC, marking a user as preserved moves them from
the user container to cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX.
So perhaps AD honored the rename.