I have always faced this problem.
We have this STANDARD SAP LDAP Synch up background job being run periodically.
This job checks for the NEW users created in Windows AD - and assigns normal general roles which are applicable for all employees.
We have the policy to assign roles based on position - which is indirect role assignment.
So every employee has a unique position created - hire to retire.
However there is a confusion on the user IDs which come from Windows AD.
E.g. : Harry Potter HARRYP - user id on windows AD / and in SAP R/3 user id.
User HarryP - leaves the co. Say had left the co in Jan 31 2012.
As per LDAP Synch up the user id is gone from Windows AD - and in SAP R/3 - for the user in SU01, shows the proper valid thro date as 31/1/2012.
Today 16th April 2012 - another employee HARRY PETER - USER ID HARRYP (is available on Windows AD) so is given to this employee.
New position generated for this employee - but same id HARRYP is being assigned as per the LDAP Synch up job.
So when you check SU01 for this new user HARRY PETER - HARRYP - it picks up the old id, with valid thro date - and shows 31/1/2012.
But all other details are reflected as per new employee details HARRY PETER.
Under these circumstances, I have to manually edit - and remove the valid thro date.
So that the NEW user can login to the internal company portal etc.
I would like to know as to whether we could avoid this scenario.
It looks like SU01 and PA20 are looking at different things in the background in SAP.
I checked whether there is any possibility to avoid this on AD level itself, but I was not finding anything.
Or whether anything could be there - as a logic written, so that the system does not assign the windows AD blindly to any NEW USER being created in SAP.
Can anyone advise on this?
Looks like you are maintaining the User End date or Valid to date in LDAP. See if you can map this (LDAPMAP) LDAP field to the SU01 Valid To Field and sync.
Also you can look at changing this process of re-using the User ID in the future, which is not a good practice.
Hi Sandipan /Ajesh.
Thanks. I will check this logic of the SAP standard program and try and understand what it is doing. And then speak with the Developers on this to create a Z program. As regards not recycling the IDs on Windows AD - maybe I will have to check with the server team which controls the domain.
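
The check the thread asks about, sketched as an added example (not the SAP standard program and not code from anyone in this thread): before a sync run updates an existing user, it compares the directory account's creation date with the SAP valid-to date and holds a reused ID for review. The record shapes, the action names and all sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class DirectoryEntry:          # one row of a directory export (assumed shape)
    user_id: str
    full_name: str
    created: date              # account creation date, e.g. AD whenCreated

@dataclass
class SapUser:                 # the SU01 fields this check needs (assumed shape)
    user_id: str
    full_name: str
    valid_to: Optional[date]   # None means no end date

def classify(entry: DirectoryEntry, sap_users: dict) -> str:
    """Decide what a sync run should do with one directory entry."""
    existing = sap_users.get(entry.user_id.upper())
    if existing is None:
        return "create"
    # The SAP record ended before this directory account even existed, so the
    # ID now belongs to a different account: do not merge into the old record.
    if existing.valid_to is not None and existing.valid_to < entry.created:
        return "hold_recycled_id"
    return "update"

def plan_sync(entries, sap_users):
    """Map each directory user ID (upper-cased) to the action for this run."""
    return {e.user_id.upper(): classify(e, sap_users) for e in entries}

# Constructed sample data; HARRYP follows the case described in the thread.
SAP_USERS = {
    "HARRYP": SapUser("HARRYP", "Harry Potter", date(2012, 1, 31)),
    "USERA": SapUser("USERA", "Sample User A", None),
    "USERB": SapUser("USERB", "Sample User B", date(2012, 3, 31)),
}
DIRECTORY = [
    DirectoryEntry("HARRYP", "Harry Peter", date(2012, 4, 16)),   # reused ID
    DirectoryEntry("usera", "Sample User A", date(2009, 6, 1)),   # still active
    DirectoryEntry("USERB", "Sample User B", date(2010, 2, 15)),  # same account, expired
    DirectoryEntry("USERC", "Sample User C", date(2012, 4, 2)),   # not in SAP yet
]

if __name__ == "__main__":
    for user_id, action in plan_sync(DIRECTORY, SAP_USERS).items():
        print(user_id, action)
```

A held ID is one where the expired record would otherwise be picked up for the new employee, so it goes to an administrator instead of being updated in place.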