Symptoms

 


A user has been renamed in Active Directory (AD), but K2 still displays the old name (the SID of the account has not changed).
Checking the Identity.Identity table shows the correct FQN for the new name, with that account 'Enabled' (value '1'). Searching the same table for the old name shows that entry as 'Disabled' (value '0'), yet K2 still displays the old name.
 

 

Diagnoses

 


The old username is still displayed because the Local Security Authority (LSA) caches the mapping between a SID and its user name. After a rename, lookups by SID keep returning the cached old name instead of the new one.

"The cache entries do time out, however chances are that recurring queries by applications keep the existing cache entry alive for the maximum lifetime of the cache entry."
 

 

Resolution

To have the new name returned, run the following PowerShell commands on the K2 server:

# Build an NTAccount for the renamed user (DOMAIN\username form) and translate it to its SID
$objUser = New-Object System.Security.Principal.NTAccount("mydomain\username")
$objUser.Translate([System.Security.Principal.SecurityIdentifier])

(Replace 'mydomain\username' with the domain name and username of the affected user.)
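The following script is an added example, not part of the original article: it performs the same name-to-SID translation and then translates the SID back to a name, which is the lookup the LSA cache answers, so you can confirm the new name is now returned. The account value is a placeholder.

```powershell
# Added example (not from the original article). Verifies that the LSA now
# returns the new name for a renamed AD account. Run on the K2 server.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account   # placeholder, e.g. 'mydomain\newusername'
)

try {
    # Forward lookup (name -> SID): the step the article's resolution performs.
    $ntAccount = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
} catch [System.Security.Principal.IdentityNotMappedException] {
    Write-Error "Account '$Account' could not be resolved; check the domain and username."
    return
}
Write-Host "SID for $Account : $($sid.Value)"

# Reverse lookup (SID -> name): the SID did not change during the rename, so this
# is the lookup that the LSA cache answers. It should now return the new name.
$resolved = $sid.Translate([System.Security.Principal.NTAccount])
Write-Host "Name currently returned for $($sid.Value): $($resolved.Value)"

if ($resolved.Value -ieq $Account) {
    Write-Host "OK: LSA returns the new name."
} else {
    Write-Warning "LSA still returns '$($resolved.Value)'; the cached mapping has not refreshed yet."
}
```

If the warning is shown, the cached entry has not yet been replaced; re-run the check after the K2 service has issued its next lookup for the account.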