If you are looking for a simpler way to sync SAS identities with AD, Metacoda has a third-party commercial plug-in to the SAS Management Console, named the Metacoda Identity Sync Plug-in, that you may want to consider. This tool uses the SAS macros underneath. Have a look at the third link below to see architecture diagrams of how it works.
There are a couple of strategies that people use when they encounter identity sync errors relating to trying to add AD users/groups to SAS when they already exist (often manually added ones). The first is to delete the users/groups in SAS to make way for the identity sync process to recreate them. This is easy but is quite brutal and will destroy any metadata relationships those users/groups already have, including any access controls that directly reference them. A better way is to link up the SAS user/group with the AD user/group by editing the external identity metadata for the user/group and adding in the id you have chosen for the sync process (i.e. distinguishedName, sAMAccountName, objectGUID, etc.). You can see an example screenshot of the SAS Management Console User Manager Edit External Identity Properties dialog in this blog post: https://platformadmin.com/blogs/paul/2016/03/identity-sync-finding-your-keys/
If you have only a handful of these to add then the User Manager plug-in is the way to go. If you have lots then Metacoda also has a (commercial) External Identity Manager plug-in that can streamline this, including import/export from CSV files. We have helped some SAS customers automate this process for hundreds of users when setting up identity sync for the first time.
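The pre-sync check implied by the "link rather than delete" approach above, as an added example that is not part of the original post and is not SAS or Metacoda code: it compares an export of existing SAS identities with an AD extract and lists which identities need an external identity added so the sync will not try to recreate them. The CSV column names, the `ExampleADContext` label and the sample rows are constructed assumptions, and sAMAccountName is assumed to be the chosen key.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not a SAS or Metacoda format.
SAS_IDENTITIES = """name,type,ext_context,ext_key
jsmith,user,,
mlee,user,ExampleADContext,mlee
Finance,group,,
localonly,user,,
"""
AD_EXTRACT = """sAMAccountName,type
jsmith,user
MLEE,user
finance,group
newhire,user
"""


def plan_sync(sas_csv, ad_csv, context="ExampleADContext"):
    """Classify identities before a first sync, keyed on sAMAccountName.

    link     -> exists in SAS without an external identity and matches an AD
                account by type and case-insensitive name; add the key, do not delete
    create   -> AD accounts with no SAS counterpart; the sync can add these
    sas_only -> SAS identities with no AD match; leave them untouched
    """
    sas = list(csv.DictReader(io.StringIO(sas_csv)))
    ad = {(r["type"], r["sAMAccountName"].lower()): r["sAMAccountName"]
          for r in csv.DictReader(io.StringIO(ad_csv))}
    # Identities that already carry a key are already linked.
    linked = {(r["type"], r["ext_key"].lower()) for r in sas if r["ext_key"]}
    plan = {"link": [], "create": [], "sas_only": []}
    for r in sas:
        if r["ext_key"]:
            continue
        key = (r["type"], r["name"].lower())
        if key in ad and key not in linked:
            # A name match is only a candidate; review before applying.
            plan["link"].append((r["type"], r["name"], context, ad[key]))
            linked.add(key)
        else:
            plan["sas_only"].append((r["type"], r["name"]))
    plan["create"] = sorted(v for k, v in ad.items() if k not in linked)
    return plan


if __name__ == "__main__":
    for action, rows in plan_sync(SAS_IDENTITIES, AD_EXTRACT).items():
        print(action, rows)
```

The `link` rows are candidates for a person to confirm, since a matching name does not prove that the SAS identity and the AD account belong to the same person.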