Illegal organization structure causes user account import from AD to the firewall to fail

Publication Date: 2014-11-01
Issue Description
When importing user accounts from the AD server to the firewall, the OUs are imported successfully, but the user accounts fail to import.
Alarm Information
When importing the users, the firewall reports “import fail”.

Handling Process
Here are the probable causes:

1. The parameters for “server import” are incorrect, such as “import location” and “server name”.
2. The user account contains illegal characters: '/', '\', '[', ']', ':', ';', '|', '=', ',', '+', '*', '?', '<', '>', '@', '"', '#', '(', ')'.
   The firewall does not support these symbols.
3. Some users belong to an illegal OU.

a. Checking all the “server import” parameters shows that they are correct, because the OUs can be imported correctly.
b. Logging in to the AD server shows that there is no illegal symbol in any user account.
Root Cause
By capturing packets, we can see that the AD server also works as a mail server, and the OU of some user accounts, which exists specifically for the mail server, is not supported by the firewall, causing the user import to fail.

We can see the user account is: CN=HealthMailboxc33a3a44d8d28d419c82b82799ca7250bc,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=CLIF,DC=CORP. It belongs to a mail server account on AD, and the USG does not support it.

Because the OUs can be imported successfully, two OUs have already been imported on the firewall: “Microsoft exchange security group” and “clif-itapoa”.

The target user accounts are in the clif-itapoa OU, and the users in the Microsoft exchange security group OU are not the ones we need. Because the base OU “DC=clif, DC=corp” contains both OUs, according to the analysis and the configuration in AD, we can change the configuration so that only the required users under DC=clif, DC=corp are imported, by specifying the location like this: ou=clif-itapoa, dc=clif, dc=corp.

When importing users from AD, the location of the target users must be specified precisely; otherwise, other users are also imported. Meanwhile, make sure that the user accounts and OUs in the AD server do not contain any illegal symbols.
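A pre-import check for the two causes established above, added here as an example and not part of this article or of any Huawei tool. It parses each account's DN, reports entries outside the configured import base (so the narrowed base ou=clif-itapoa,dc=clif,dc=corp excludes the Exchange system mailboxes), flags entries held in CN= containers rather than OUs, and lists the characters the firewall rejects in an account name. The directory entries are a constructed sample, and the CN-container rule is a heuristic derived from the failing DN quoted above.

```python
import re

# Characters the article says the firewall rejects inside a user account name.
ILLEGAL_CHARS = set('/\\[]:;|=,+*?<>@"#()')

# Constructed sample of an AD export (not real data); the second DN has the
# Exchange system-mailbox shape the article identifies as the failing import.
SAMPLE_ENTRIES = [
    {"dn": "CN=jdoe,OU=clif-itapoa,DC=clif,DC=corp", "account": "jdoe"},
    {"dn": "CN=HealthMailboxc33a3a44d8d28d419c82b82799ca7250bc,"
           "CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,"
           "DC=clif,DC=corp",
     "account": "HealthMailboxc33a3a44d8d28d419c82b82799ca7250bc"},
    {"dn": "CN=a.smith,OU=clif-itapoa,DC=clif,DC=corp", "account": "a/smith"},
]

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs, leaf first.
    Splits on unescaped commas only, so a value like 'Doe\\, John' stays whole."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.strip().partition('=')
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def under_base(dn, base_dn):
    """True when dn sits below base_dn (case-insensitive, whitespace-tolerant)."""
    dn_pairs, base_pairs = parse_dn(dn), parse_dn(base_dn)
    if len(base_pairs) > len(dn_pairs):
        return False
    return dn_pairs[len(dn_pairs) - len(base_pairs):] == base_pairs

def illegal_in(account):
    """Sorted list of the rejected characters present in an account name."""
    return sorted(set(account) & ILLEGAL_CHARS)

def check_entries(entries, base_dn):
    """Return (account, reason) for each entry that would not import cleanly."""
    problems = []
    for entry in entries:
        if not under_base(entry["dn"], base_dn):
            problems.append((entry["account"], "outside import base " + base_dn))
        # Heuristic: Exchange system objects live in CN= containers, not in OUs.
        elif any(attr == "cn" for attr, _ in parse_dn(entry["dn"])[1:]):
            problems.append((entry["account"], "held in a CN container, not an OU"))
        elif illegal_in(entry["account"]):
            problems.append((entry["account"],
                             "illegal characters " + "".join(illegal_in(entry["account"]))))
    return problems
```

Running check_entries with the wide base dc=clif,dc=corp flags the HealthMailbox object as a CN-container entry, while the narrowed base simply leaves it outside scope.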