Access Profile with Domain Users only

Hi! I have a doubt here. I have an access profile that only has the Domain Users group of some AD domain. Does granting this Access Profile trigger the AD account creation? Because nothing happens when I grant this access profile to some user (via workflow).

Yes, granting access to an entitlement in AD should trigger a Create account provisioning followed by adding the entitlement. Is there an Approval scheme configured for the entitlement? Do you see the request under My requests (provided you are the owner of the workflow)?

Hi Nithesh, thanks for responding. There is no approval configured, but I saw that for some users there is some error; I think it is not generating the DN.

In that case you need to check how the Create Account profile is configured to generate the DN while creating an account. The issue would not be from the Request, but during provisioning.

One thing to note about granting Domain Users is that if you try to remove the entitlement later (termination process), you will see an error that it is not allowed.

When an AD account is created, the user is assigned a Primary Group. By default, the Primary Group is set to Domain Users. Unfortunately, the Primary Group is not listed in the memberOf attribute on the account; there is a separate attribute for Primary Group.

Since the Primary Group is not listed in memberOf, the Primary Group will not show up in the Entitlement listing for the AD account in ISC during Account Aggregations.

We initially used Domain Users in Roles to create accounts. It created accounts without issue. But when account aggregations occurred, the group would no longer show on the account, so the Role would try to re-apply the Access Profile. This re-apply would not error out or show any errors. We only noticed the issue because certain individuals were getting multiple Identity Refreshes each day for the same AD.

Ultimately we moved to a dummy group that we only use during provisioning from ISC.
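An added example, not part of the thread: it shows why a reader that only looks at memberOf never sees Domain Users, and how the primary group can be resolved from the account's `primaryGroupID` and `objectSid` attributes instead. The domain SID, group DNs, the `ISC-Provisioning` group name and the sample account are constructed for illustration.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-5-21-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")               # 6 bytes, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:8 + 4 * count])  # little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_to_str; used here only to build the sample account."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)

def primary_group_sid(user: dict) -> str:
    """Domain part of the user's SID plus primaryGroupID (a RID)."""
    domain_sid = sid_to_str(user["objectSid"]).rsplit("-", 1)[0]
    return f"{domain_sid}-{user['primaryGroupID']}"

def effective_groups(user: dict, groups_by_sid: dict) -> list:
    """memberOf plus the primary group, which memberOf does not list."""
    groups = list(user.get("memberOf", []))
    primary = groups_by_sid.get(primary_group_sid(user))
    if primary and primary not in groups:
        groups.append(primary)
    return groups

# Constructed sample data: domain SID, group DNs and the account are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=test"
DUMMY_GROUP = "CN=ISC-Provisioning,OU=Groups,DC=example,DC=test"  # hypothetical
GROUPS_BY_SID = {f"{DOMAIN_SID}-513": DOMAIN_USERS,   # 513 = Domain Users RID
                 f"{DOMAIN_SID}-1201": DUMMY_GROUP}
USER = {
    "objectSid": sid_to_bytes(f"{DOMAIN_SID}-1105"),
    "primaryGroupID": 513,
    "memberOf": [DUMMY_GROUP],   # Domain Users is absent here by design of AD
}

if __name__ == "__main__":
    print("memberOf only:", USER["memberOf"])
    print("with primary :", effective_groups(USER, GROUPS_BY_SID))
```
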
