How Workspot Control Handles AD Account Status and Group Membership Changes

Workspot Control checks users' AD (Active Directory) account status and AD group membership from time to time. This document describes when these checks happen and what actions are taken when the status changes.

Account Status

Account status is pulled according to the Sync Interval. This is a per-datacenter parameter in Workspot Control. It defaults to six hours but can be set in the range of 1-24 hours. You can view and edit the Sync Interval in "Setup > Datacenter > Datacenter Name > Configs," as shown below:

Forcing an Immediate Sync

In Workspot Control, clicking the "Sync Now" button forces a sync for deleted or disabled accounts immediately, without waiting for the Sync Interval to expire.

Deleted or Disabled AD Accounts

When a Workspot user's AD account goes from the "active" state to the "deleted" or "disabled" state:

  • The user's Workspot account is deleted from Workspot Control.

  • The user's Workspot Client data is erased from their devices, if those devices are connected to Workspot Control.

  • The user's persistent Workspot desktops either go to a suspended state or are returned to the pool.

  • Non-persistent resources (non-persistent desktops and applications) behave as if the user had signed off.

New or Re-Enabled AD Accounts

A new user account and a re-enabled account are identical as far as Workspot is concerned. That is, when a user account is disabled or deleted in AD, Workspot Control deletes the working record of the account. Therefore, it cannot tell the difference between a brand-new account and a re-enabled or recreated account.

Such users follow the new-user registration process.

Group Membership

Workspot users can be assigned Workspot desktops and other resources ("entitlements") based on their Active Directory (AD) group membership. Unlike AD account status, Workspot Control does not check every user's AD group membership on a regular schedule, and delays between the change in AD and its effect on Workspot Control are more variable, as described below.

Group Membership Polling

When an end-user signs in from a Workspot Client, AD group membership is checked:

  • If it has been at least 24 hours since Workspot Control last checked this user's group membership, OR

  • An administrator pressed the "Users > Groups > Refresh Entitlements" button in Workspot Control.

  • In addition, as long as the user is signed into the Workspot Client, then the two conditions above are tested once every five minutes.

Until these conditions are met, Workspot Control and the Workspot Client will show the user's previous group membership.
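
The polling rules above determine how long a removed group membership can stay effective. The following Python model is an added example, not Workspot code: the alignment of the five-minute ticks to sign-in, the pending-refresh behavior, the reset of the 24-hour clock on each check, and all function names are assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional

MAX_AGE = timedelta(hours=24)      # page: at least 24 hours since the last check
POLL_EVERY = timedelta(minutes=5)  # page: conditions re-tested every five minutes


def change_picked_up_at(ad_change: datetime,
                        last_check: datetime,
                        sign_in: datetime,
                        admin_refresh: Optional[datetime] = None,
                        sign_out: Optional[datetime] = None) -> Optional[datetime]:
    """Model: time at which an AD group change made at ad_change is first read.

    Returns None if the user signs out before a qualifying check happens.
    Assumptions (not stated on the page): the test runs at sign-in and then
    on five-minute ticks counted from sign-in; a Refresh Entitlements press
    stays pending until a signed-in client's next test; each check resets
    the 24-hour clock.
    """
    if sign_out is not None and sign_out < sign_in:
        raise ValueError("sign_out precedes sign_in")
    tick = sign_in
    while sign_out is None or tick <= sign_out:
        aged_out = tick - last_check >= MAX_AGE
        refreshed = admin_refresh is not None and last_check < admin_refresh <= tick
        if aged_out or refreshed:
            if tick >= ad_change:
                return tick      # this check sees the new membership
            last_check = tick    # checked before the change: old membership re-read
        tick += POLL_EVERY
    return None


def stale_window(ad_change: datetime, **session) -> Optional[timedelta]:
    """How long the previous membership stays effective after the AD change."""
    seen = change_picked_up_at(ad_change, **session)
    return None if seen is None else seen - ad_change


if __name__ == "__main__":
    # Constructed timestamps: last check 08:00, AD change 09:00, sign-in 09:10.
    base = datetime(2024, 1, 1, 8, 0)
    s = dict(last_check=base, sign_in=base + timedelta(minutes=70))
    print("no refresh:  ", stale_window(base + timedelta(hours=1), **s))
    s["admin_refresh"] = base + timedelta(minutes=72)
    print("with refresh:", stale_window(base + timedelta(hours=1), **s))
```

Under these assumptions, a group removal made shortly after a check stays effective for close to 24 hours unless an administrator presses Refresh Entitlements.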

For more information on how AD group membership is mapped to Workspot groups, see the "Self-Registration" section in Workspot Enterprise Connector.

How AD Group Membership is Mapped to Workspot Entitlements

To map an AD group to a Workspot group, create a new Workspot group, as shown in the screen capture below:

When you select "Active Directory" as the Directory, the new Workspot group will have the same name as the AD group you select. Workspot users who are members of the AD group will be members of the Workspot group of the same name.

Group members will receive the desktop entitlements of this group, plus those of any other groups they belong to. They will receive the app bundle and security policy of only a single group, determined by the precedence order given to the groups on the "Users > Groups > Precedence Order" page.

Users who are not members of any AD group known to Workspot Control will be placed in Control's Default group. Users who are moved from a known to an unknown AD group will be moved to the Default group.

Troubleshooting

Group membership changes are not reflected in Workspot Control

  1. Press the "Refresh Entitlements" button in Workspot Control.

  2. Then ask the user to sign in (or remain signed in) on a Workspot Client.

  3. Within five minutes, or five minutes of signing in, respectively, Workspot Control should report the group membership change on the Events page.

Accounts of users who have been disabled or deleted in AD will be removed from Workspot Control.

This is by design.

Users are not getting the expected app bundles or security policies.

The precedence order of the Workspot groups is set incorrectly. Go to "Users > Groups > Precedence Order" and reorder the groups appropriately.