Active Directory - New Account Creation Error : The object already exists

Augjm · March 18, 2025, 5:22pm

Hi,

We’re encountering the following error when creating new AD accounts:

Exception occurred while executing the RPCRequest: Errors returned from IQService. “The object already exists. 00002071: UpdErr: DSID-030503D3, problem 6005 (ENTRY_EXISTS), data 0 . HRESULT:[0x80071392] For identity: CN=xyz,ou=xyz,ou=xyz,ou=xyz,ou=xyz,dc=xyz,dc=xyz,dc=com”

We initially suspected the configured BPR, but the error persists even without the BPR, and when using static values for sAMAccountName, UPN, and DN in the provisioning transform for brand new users with no AD account.

Any insights you can provide would be appreciated.

Thanks.

officialamitguptaa · March 18, 2025, 5:34pm

@Augjm -

Most of the time, this error boils down to a uniqueness conflict in Active Directory. Make sure:

The sAMAccountName is truly unique.
The UPN is truly unique.
The DN path doesn’t collide with any existing object.

Once you rule out all those collisions, you should be able to provision new AD accounts without that “object already exists” error.

To get some more insight kindly share the transform details related to the above attributes.

KRM7 · March 18, 2025, 9:45pm

How is the AD account created, Request Access or Automated using some Role ?

Are you seeing this error when AD account attempted to create or a subsequent refresh ?

Augjm · March 19, 2025, 6:26am

It’s through entitlement request.
This error occurs during the initial creation account, then all subsequent refreshes.

I know for a fact that there’s no collision on any of the attribute, as I tested by setting static values in the create account schema

hkhandale · March 19, 2025, 8:00am

This error typically occurs during data aggregation when a user matches a Role assignment, and the duplicate user first and last name present in identities. However, if you provision users individually through Role-based assignment, IdentityNow should generate a unique value for them.

To resolve this, you can try using an After Provisioning Rule to generate a unique UPN if your Account ID and Account Name are set as DN and sAMAccountName. Additionally, set UPN as “Disable” in the provisioning plan to let the rule handle uniqueness.

This should work for your use case. If you still face issues, please provide more details, and we’d be happy to assist further!

Thanks!

j_place · March 19, 2025, 1:19pm

Hi @Augjm Just something to check - I note your DN has CN= in capitals but ou= in lower case. I appreciate this may have just been a typo, but maybe check your case sensitivity?

TheOneAMSheriff · March 19, 2025, 5:08pm

Hi @Augjm,

See in target application/Active Directory if the account you wanted ISC/IQService to create existing/existing partially. If yes, its possible ISC/IQService tried to create the account twice.

First attempt the account was created but the provisioningResult was not received in time - increase “provisioningTimeout” in source to resolve this: -

{
        "op": "replace",
        "path": "/connectorAttributes/provisioningTimeout",
        "value": 300
    }

Second attempt you got the reported error: Exception occurred while executing the RPCRequest: Errors returned from IQService. “The object already exists