Reconcile orphaned managed user accounts
Last reviewed 2024-07-11 UTC
This document describes how to identify and reconcile orphaned user accounts.

If you use an external identity provider (IdP), the authoritative source for identities is external to Cloud Identity or Google Workspace. Each identity in Cloud Identity or Google Workspace should therefore have a counterpart in the external authoritative source.

It is possible that some of the identities in your Cloud Identity or Google Workspace account lack a counterpart in your external authoritative source. If so, those user accounts are considered orphaned. Orphaned accounts can occur under the following circumstances:

- A Cloud Identity or Google Workspace administrator has manually created a user account that has a non-matching identity.
- You have migrated a consumer account to Cloud Identity or Google Workspace, but the account uses an identity that does not match any existing identity in the external source.
Before you begin

To reconcile orphaned managed user accounts, you must meet the following prerequisites:

- You have identified a suitable onboarding plan and have completed all prerequisites for consolidating your existing user accounts.
- You have created a Cloud Identity or Google Workspace account.

Process

To reconcile orphaned user accounts, you must first identify which user accounts are orphaned. For each user account, you then have to decide how best to reconcile that account.
Identify orphaned user accounts

To find orphaned user accounts, you must compare the identities of the user accounts in Cloud Identity or Google Workspace against the identities that your authoritative source recognizes.

To perform the comparison, use the export functionality of your Google Workspace or Cloud Identity account to obtain a list of your current user accounts:

1. In the Admin Console, go to the Users page (https://admin.google.com/ac/users).
2. Select Download users.
3. Select All user info columns and currently selected columns.
4. Click Download.

   After a few minutes, depending on the number of user accounts you have, you see a notification that the user info CSV file is ready to be downloaded.
5. Click Download CSV and save the file to your local disk.

Note: The CSV export might contain personally identifiable information (PII). Make sure that you save it to a location that is protected against unauthorized access.
If you use Active Directory or Microsoft Entra ID (formerly Azure Active Directory) as your authoritative source, follow these steps to compare identities:
Active Directory

1. Sign in to a workstation that has access to Active Directory.
2. Open a PowerShell console.
3. Set a variable to the location of the file that you downloaded:

   $GoogleUsersCsv="GOOGLE_PATH"

   Replace GOOGLE_PATH with the path to the CSV file that you downloaded earlier.
4. Determine the list of user accounts that lack a counterpart in Active Directory:

   $GoogleUsers = (Import-Csv -Path $GoogleUsersCsv -Header FirstName,LastName,Email | Select-Object -Skip 1)
   $LdapFilter = "(|{0})" -f (($GoogleUsers | Select-Object @{Name="Clause";Expression={"(userPrincipalName=$($_.Email))"}} | Select-Object -ExpandProperty Clause) -join "")

   $GoogleUsersWithMatch = Get-ADUser -LdapFilter $LdapFilter `
       | Select-Object -ExpandProperty UserPrincipalName

   $GoogleUsers | Where-Object {$_.Email -NotIn $GoogleUsersWithMatch}

   The command compares the primary email address of the user accounts in Cloud Identity or Google Workspace with the userPrincipalName attribute in Active Directory. If you use a different mapping between Active Directory users and Cloud Identity or Google Workspace user accounts, you might need to adjust the command.

   Note: If the CSV file contains a large number of users, the Get-ADUser command might take several minutes to execute and might put significant load on the domain controller that it queries.

   The output is similar to this:

   FirstName LastName Email
   --------- -------- -----
   Alice     Admin    admin@example.org
   Olly      Orphaned olly@example.org
   Matty     Mismatch matty@wrongsubdomain.example.org

   Each item listed in the output represents a user account in Cloud Identity or Google Workspace that lacks a counterpart in Active Directory.

   An empty result indicates that you don't have any orphaned user accounts in Google Workspace or Cloud Identity.
5. Delete the CSV file from your local disk.
Entra ID

1. In the Azure Portal (https://portal.azure.com), go to Microsoft Entra ID > Users.
2. Click Download users.
3. Enter a filename and click Start.

   Wait until a Click here to download link appears. Depending on the number of user accounts you have, it might take a few minutes for the operation to complete.
4. Click Click here to download and save the file to your local disk.

   Note: The CSV export might contain personally identifiable information (PII). Make sure that you save it to a location that is protected against unauthorized access.
5. On a workstation that has PowerShell installed, open a PowerShell console.
6. Set two variables:

   $GoogleUsersCsv="GOOGLE_PATH"
   $AzureUsersCsv="AZURE_PATH"

   Replace GOOGLE_PATH and AZURE_PATH with the paths to the CSV files that you downloaded earlier.
7. Determine the list of user accounts that lack a counterpart in Entra ID:

   $GoogleUsers = (Import-Csv -Path $GoogleUsersCsv -Header FirstName,LastName,Email | Select-Object -Skip 1)

   $AzureUsers = (Import-Csv -Path $AzureUsersCsv)

   $GoogleUsers | Where-Object {$_.Email -NotIn ($AzureUsers | Select-Object -ExpandProperty userPrincipalName)}

   The command compares the primary email address of the user accounts in Cloud Identity or Google Workspace with the userPrincipalName attribute in Entra ID. If you use a different mapping between Entra ID users and Cloud Identity or Google Workspace user accounts, you might need to adjust the command.

   The output is similar to the following:

   FirstName LastName Email
   --------- -------- -----
   Alice     Admin    admin@example.org
   Olly      Orphaned olly@example.org
   Matty     Mismatch matty@wrongsubdomain.example.org

   Each item listed in the output represents a user account in Cloud Identity or Google Workspace that lacks a counterpart in Entra ID.

   An empty result indicates that you don't have any orphaned user accounts in Google Workspace or Cloud Identity.
8. Delete both CSV files from your local disk.
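The one-line comparisons in the Active Directory and Entra ID procedures above work, but they send every address into a single LDAP filter without escaping, and they report only that an account is unmatched, not why. The following PowerShell script is an added example (not code from the Google Cloud page) that does the same comparison for either source with address normalization, batched and RFC 4515-escaped LDAP filters, and a hint about whether a similar identity exists under another domain, casing or dot placement. The Google export rows and the authoritative UPN list are constructed; the Get-ADUser helper needs the ActiveDirectory RSAT module and is not exercised by the offline sample run.

```powershell
# Added example, not code from the Google Cloud page: compare a Cloud Identity /
# Google Workspace user export against the identities of an authoritative source
# with address normalization, batched and escaped LDAP filters, and a hint about
# why each orphan might not match. All sample data below is constructed.

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515) so that an address
    # containing '(' ')' '*' or '\' cannot alter the filter that is sent to AD.
    param([Parameter(Mandatory)][string]$Value)
    # The backslash must be escaped first so the other escapes stay intact.
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-NormalizedAddress {
    # Both directories treat addresses case-insensitively; compare them that way.
    param([Parameter(Mandatory)][string]$Address)
    return $Address.Trim().ToLowerInvariant()
}

function Get-AdMatchingIdentity {
    # Ask Active Directory, in batches, which of the given addresses exist as the
    # chosen attribute. Requires the ActiveDirectory (RSAT) module and a domain
    # connection; it is not called by the offline sample run at the end.
    param(
        [Parameter(Mandatory)][string[]]$Emails,
        [string]$Attribute = 'userPrincipalName',   # change to 'mail' for a different mapping
        [int]$BatchSize = 200                       # keeps each LDAP filter small
    )
    for ($i = 0; $i -lt $Emails.Count; $i += $BatchSize) {
        $last = [Math]::Min($i + $BatchSize, $Emails.Count) - 1
        $clauses = $Emails[$i..$last] | ForEach-Object { "($Attribute=$(ConvertTo-LdapFilterValue $_))" }
        Get-ADUser -LDAPFilter "(|$($clauses -join ''))" -Properties $Attribute |
            ForEach-Object { $_.$Attribute }
    }
}

function Find-OrphanedUser {
    # Returns every Google user whose primary email is not in $AuthoritativeIds.
    # $AuthoritativeIds can come from Get-AdMatchingIdentity or from the
    # userPrincipalName column of an Entra ID user export.
    param(
        [Parameter(Mandatory)][object[]]$GoogleUsers,
        [Parameter(Mandatory)][string[]]$AuthoritativeIds
    )
    $known = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($id in $AuthoritativeIds) { [void]$known.Add((Get-NormalizedAddress $id)) }

    # Index the local part with dots removed, so an orphan whose identity exists
    # under another domain, casing or dot placement gets a hint for reconciliation.
    $byLocalPart = @{}
    foreach ($id in $known) {
        $byLocalPart[(($id -split '@', 2)[0] -replace '\.', '')] = $id
    }

    foreach ($user in $GoogleUsers) {
        $email = Get-NormalizedAddress $user.Email
        if ($known.Contains($email)) { continue }
        $local = ($email -split '@', 2)[0] -replace '\.', ''
        $hint = if ($byLocalPart.ContainsKey($local)) {
            "similar identity $($byLocalPart[$local]) exists; check domain, casing or dots"
        } else {
            'no similar identity in the authoritative source'
        }
        [pscustomobject]@{
            FirstName = $user.FirstName
            LastName  = $user.LastName
            Email     = $user.Email
            Hint      = $hint
        }
    }
}

# Constructed sample in the layout of the Admin Console export: the first row is
# the real header, which the -Header/-Skip 1 combination below discards.
$googleCsv = @'
First Name [Required],Last Name [Required],Email Address [Required]
Alice,Admin,admin@example.org
Bob,Builder,Bob.Builder@example.org
Olly,Orphaned,olly@example.org
Matty,Mismatch,matty@wrongsubdomain.example.org
'@
# Constructed stand-in for the authoritative identities (AD or Entra ID UPNs).
$authoritativeIds = @('bob.builder@example.org', 'matty@example.org', 'carol@example.org')

$googlePath = [System.IO.Path]::GetTempFileName()
Set-Content -Path $googlePath -Value $googleCsv
$googleUsers = Import-Csv -Path $googlePath -Header FirstName,LastName,Email | Select-Object -Skip 1
Remove-Item -Path $googlePath   # the export carries PII; do not leave it on disk

Find-OrphanedUser -GoogleUsers $googleUsers -AuthoritativeIds $authoritativeIds | Format-Table -AutoSize
```

In the sample run, Bob.Builder@example.org is not reported because the comparison is case-insensitive, while matty@wrongsubdomain.example.org is reported with a hint pointing at matty@example.org, which is the kind of domain mismatch that the reconciliation step later fixes. Against a real directory, replace $authoritativeIds with the output of Get-AdMatchingIdentity (for Active Directory) or with the userPrincipalName column of the Entra ID export; the BatchSize parameter bounds the size of each LDAP filter and spreads the load on the domain controller.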
Reconcile orphaned user accounts

To reconcile orphaned user accounts, you have to analyze each user account to determine why its identity lacks a counterpart in your authoritative source system.

If you think that a user account is obsolete, check whether any configuration settings or data associated with the account are worth preserving:

- To keep existing Google Drive data, transfer the data to a different user.
- If you don't want to keep any existing configuration settings or data, delete the user account.
- To retain the user account temporarily, suspend it and change its primary email address to an address that is unlikely ever to cause a collision. For example, rename olly.obsolete@example.com to obsolete-2019-11-10-olly.obsolete@example.com.

For each user account that is still valid, try to fix the primary email address so that it matches an identity in your authoritative source. This might require the following:

- Changing the domain of the primary email address.
- Swapping the primary email address and an alias address.
- Fixing the casing or spelling of the primary email address (for example, adding or removing dots).

Note: Changing the primary email address affects the owner of the user account. Make sure that you notify the owner of the change so that they know which email address to use for subsequent sign-ins.
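The temporary-retention option above (suspend the account and rename it to a dated address) is worth scripting, because a renamed primary address is retained by Google Workspace as an alias of the same account, which leaves the very collision you are trying to remove in place unless the alias is deleted as well. The following PowerShell script is an added example (not code from the Google Cloud page) that builds the dated address in the page's format and issues the suspend, rename and alias-removal requests through the Admin SDK Directory API (users.patch and users.aliases.delete). The OAuth 2.0 bearer token, which must carry the admin.directory.user scope, and the addresses are assumptions; nothing is sent unless -Apply is given.

```powershell
# Added example, not code from the Google Cloud page: park an obsolete orphaned
# account by suspending it and moving its primary address to a dated address that
# cannot collide with an identity in the authoritative source, using the Admin SDK
# Directory API (users.patch and users.aliases.delete). The access token is an
# assumed OAuth 2.0 bearer token with the admin.directory.user scope; the addresses
# are made up. Nothing is sent unless -Apply is given.

function New-ObsoleteAddress {
    # olly.obsolete@example.com -> obsolete-2019-11-10-olly.obsolete@example.com,
    # following the naming pattern used on the page.
    param(
        [Parameter(Mandatory)][string]$PrimaryEmail,
        [datetime]$Date = (Get-Date)
    )
    $local, $domain = $PrimaryEmail.Trim().ToLowerInvariant() -split '@', 2
    return "obsolete-$($Date.ToString('yyyy-MM-dd'))-$local@$domain"
}

function Set-OrphanedAccountParked {
    param(
        [Parameter(Mandatory)][string]$PrimaryEmail,
        [string]$AccessToken,   # assumed: token obtained out of band
        [switch]$Apply          # without it, only the planned requests are returned
    )
    $base = 'https://admin.googleapis.com/admin/directory/v1/users'
    $newEmail = New-ObsoleteAddress -PrimaryEmail $PrimaryEmail
    $oldKey = [uri]::EscapeDataString($PrimaryEmail)
    $newKey = [uri]::EscapeDataString($newEmail)

    # Renaming a primary address keeps the old address as an alias of the same
    # account, which would preserve exactly the collision we are trying to remove,
    # so the second request deletes that alias.
    $plan = @(
        @{ Method = 'PATCH';  Uri = "$base/$oldKey"; Body = @{ suspended = $true; primaryEmail = $newEmail } }
        @{ Method = 'DELETE'; Uri = "$base/$newKey/aliases/$oldKey"; Body = $null }
    )
    if (-not $Apply) { return $plan }

    $headers = @{ Authorization = "Bearer $AccessToken" }
    foreach ($step in $plan) {
        if ($null -ne $step.Body) {
            Invoke-RestMethod -Method $step.Method -Uri $step.Uri -Headers $headers `
                -ContentType 'application/json' -Body ($step.Body | ConvertTo-Json)
        } else {
            Invoke-RestMethod -Method $step.Method -Uri $step.Uri -Headers $headers
        }
    }
    return $plan
}

# Dry run on a made-up address: lists the two requests without sending them.
Set-OrphanedAccountParked -PrimaryEmail 'olly.obsolete@example.com' |
    ForEach-Object { '{0} {1}' -f $_.Method, $_.Uri }
```

Run the dry run first and review the two requests; then add -Apply and -AccessToken to execute them. Keep the ordering: the alias can only be deleted after the rename has made the old address an alias, and deleting it is what frees the address for the matching identity in your authoritative source.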
Best practices

We recommend the following best practices when you reconcile managed user accounts:

- If you migrate consumer accounts to Cloud Identity or Google Workspace, repeat the reconciliation process at least once for every batch of user accounts that you migrate.