Inconsistent Group Membership Results Affected User Entitlements
Issue Description:
Frequent group membership updates were causing entitlements to be removed, resulting in all resources assigned to the user being moved to a suspended state.
As a temporary workaround, the customer's Workspot admin had to delete the user account from Workspot Control and re-register it as a first-time user via the Workspot client. This process restored group memberships, after which the suspended VM had to be manually reassigned to the user.
Root Cause
Investigation revealed the following key points:
The affected user account was associated with two GUIDs in the Enterprise Connector logs.
One GUID returned correct group membership checks, while the other returned false results.
The user's email attribute was incorrectly associated with both their regular and administrative accounts, leading to inconsistencies.
Resolution Steps
Log Analysis:
Enterprise Connector logs were reviewed to identify discrepancies in group membership checks.
User Account Investigation:
The AD team was consulted to verify potential changes or duplications in user accounts. It was discovered that the administrative account shared the same email attribute as the regular account.
Corrective Action:
The email attribute was removed from the administrative account to avoid conflicts. This adjustment ensured consistent and accurate group membership validation.
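The check below is an added example, not part of the original article or of Workspot's tooling: it lists every email value that resolves to more than one account GUID, which is the condition identified in the root cause. The function name Find-SharedMail and the sample accounts are hypothetical; the commented live query assumes the RSAT ActiveDirectory module.

```powershell
# Added example: report mail values shared by more than one directory account.
# Find-SharedMail is a hypothetical helper name, not a Workspot or Microsoft cmdlet.
function Find-SharedMail {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Account
    )
    begin { $byMail = @{} }
    process {
        # Accounts without a mail value cannot collide; skip them.
        if ([string]::IsNullOrWhiteSpace($Account.mail)) { return }
        # Normalise case and whitespace so 'J.Doe@...' and 'j.doe@...' group together.
        $key = $Account.mail.Trim().ToLowerInvariant()
        if (-not $byMail.ContainsKey($key)) {
            $byMail[$key] = [System.Collections.Generic.List[object]]::new()
        }
        $byMail[$key].Add($Account)
    }
    end {
        foreach ($key in $byMail.Keys) {
            # Count distinct GUIDs, not rows, so a repeated export row is not a false hit.
            $guids = @($byMail[$key] | ForEach-Object { "$($_.ObjectGUID)" } | Sort-Object -Unique)
            if ($guids.Count -gt 1) {
                [pscustomobject]@{
                    Mail     = $key
                    Accounts = (@($byMail[$key].SamAccountName | Sort-Object -Unique) -join ', ')
                    GUIDs    = ($guids -join ', ')
                }
            }
        }
    }
}

# Constructed sample data: a regular and an admin account sharing one mail value.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';     mail = 'jdoe@example.com';   ObjectGUID = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ SamAccountName = 'adm-jdoe'; mail = 'JDoe@example.com';   ObjectGUID = '22222222-2222-2222-2222-222222222222' }
    [pscustomobject]@{ SamAccountName = 'asmith';   mail = 'asmith@example.com'; ObjectGUID = '33333333-3333-3333-3333-333333333333' }
    [pscustomobject]@{ SamAccountName = 'svc-scan'; mail = $null;                ObjectGUID = '44444444-4444-4444-4444-444444444444' }
)
$sample | Find-SharedMail | Format-List

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -LDAPFilter '(mail=*)' -Properties mail | Find-SharedMail
```

Running the same query after the corrective action should return no rows for the affected user's address.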