Active Directory Create Account failing because of undefined required string attribute 'User'

I am currently working on a project in IdentityNow in which I have to configure the provisioning of Active Directory accounts based on the Lifecycle State of an identity. I have set up the configuration in the Identity Profile ‘Provisioning’ tab. However, I am running into the following issue during account creation:

“Exception: sailpoint.connector.ConnectorException: [ InvalidConfigurationException ] [ Error details ] Required string attribute ‘User’ is not defined.It must have a valid value.”

I am unsure where this is even coming from, as in my ‘Account’ file there is no such attribute called ‘User’. It does not exist anywhere in my files, however it is causing an error when creating AD accounts. I also find it odd that an attribute could be both required and not defined at the same time.

Has anyone else run into this issue before? What could be prompting this?

Hi @rpalivela

Welcome to SailPoint developer community.

In your provisioning policy, there will be Object Type attribute by default, configure the same as below.


Is ootb connector or have you customized something? Can you share the create provisioning policy?

Hi Krish,

Thank you for your response. It is already configured like that when the issue is happening.

Hi Julian,

Some things have been customized, namely custom transforms for the distinguishedName, sAMAccountName, and initial AD password, as well as some extra attributes that are copied directly from the identity profile mappings.

My configuration for the ObjectType is exactly what Krish posted in another reply. Here is what I have for the sAMAccountName (very similar for distinguishedName and password):

No need of JSON, just get us the screenshots of create account provisioning policy from UI.

I guess you copied some attributes definition and pasted in create account policy.

As per the error, there is an attribute User in your create account provisioning policy form, it configured as required in the backend. But no value, so the exception.


My confusion is that there is no attribute ‘User’ as such except for the following:

OK, can you get us the account request by masking sensitive data. You can find that in search. Just search with user account id, you can find under Account Activity.

We can see what are values are passing.

Here is what it is showing under Events (Account Activity is just showing that the identity was successfully created):

The problem is with the format you used to generate DN.

You are using firstName, middleInitial, Lastname and dnOU identity attributes. Check if user doesn’t has value for any attribute. That might help you to understand the issue.


I have checked and the user is correctly receiving a first name, middle initial, last name, and OU in the identity profile. Is there anything else that could be the issue? I have a list of 4 patterns and it is failing at the last pattern, meaning the previous patterns are failing due to non-uniqueness (is this correct?). So, for some reason it is seeing certain CNs as already existing despite the fact that this user has never been created in AD before.

Do you have any other idea of what may be causing the issue?

Hello Rithwik, did you find out what the issue was?
I’m facing the same issue and not a lot of helpful info out there :frowning:

Hi Aishwarya, I was not able to, unfortunately. I will be trying to use a new AD connector soon but for now I haven’t been able to find any fix.

Hi Aishwarya,

I ended up being able to resolve the issue by creating a new AD connector with the same configuration as the old one. Not entirely sure why that solved it, but give it a try.