@Steven Matison With the above configuration (after "Enable User Search" is turned on), you should now be able to see the user (smatison) with samaccountname. Do you see that user in ranger admin? Few points to consider: 1. When "Enable Group Search First" is "ON" and "Enable User Search" is "OFF", Ranger syncs users using the "Group Member Attribute" which is in general configured with "CN" of the user. 2. When "Enable Group Search First" is "ON" and "Enable User Search" is "ON", Ranger syncs users using the value configured for "Username Attribute" (which is samaccountname in your case). 3. Once the users or groups are sync'd to Ranger, they are not deleted by Ranger automatically. It is a manual operation by ranger admin to go and delete the unused users/groups from UI. 4. For more details on how ranger syncs users and groups with different configuration options, you can refer to these articles: - https://community.hortonworks.com/articles/105620/configuring-ranger-usersync-with-adldap-for-a-comm.html - https://community.hortonworks.com/articles/105623/various-options-supported-in-ranger-usersync-with.html Thanks, Sailaja. ... View more

@Pit Err, You are in right direction with option #3 above. One minor change is that, you can use "cn=*" in the user search filter instead. When group search first is enabled and user search is enabled, then the logic is - 1. First sync all the groups based on the group configuration (including group search base and group search filter). 2. Cache all the members for each group using the member attribute. 3. For syncing the users - a. If user search is not enabled, then just use the short name for the user names (from member attribute of the user) b. If user search is enabled, then sync the users based on the user configuration (including user search base and user search filter) and the cached users from step2. For the users that are in the cache, update the username with samaccountname retrieved from the user search. Discard all the other users from the user search base and user search filter that doesn't match the cached users from step2. Effectively, you are just getting all the users from the groups that are sync'd from step1. Hope this helps, Thanks, Sailaja. ... View more

@GN_Exp, In order to disable incremental sync following properties are to be set in ranger-ugsync-site.xml: <property> <name>ranger.usersync.ldap.deltasync</name> <value>false</value> </property> <property> <name>ranger.usersync.sink.impl.class</name> <value>org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder</value> </property> ... View more