Active Directory Provisioning DN

Which IIQ version are you inquiring about?

8.3

Hello Community,

I calculate the distinguishedName (nativeIdentity) for AD via a Provisioning Policy (Create) using a rule.

The rule does execute on the first create attempt and correctly sets nativeIdentity.

However:

If the Create operation fails (e.g. due to a homonym / “object already exists” error), IdentityIQ continues to reuse the old nativeIdentity value in subsequent create attempts…

I don’t understand where this old value is coming from or why it takes precedence over the current rule logic in the provisioning policy Create.

I tried to clear the cache and restart the server, but nothing works.

The nativeIdentity is correctly recalculated only if I remove the business role that is used for provisioning the AD account and reassign it to the user (the business role has an assignment rule).

I also have this warning in the logs: WARN QuartzScheduler_Worker-2 sailpoint.provisioning.AssignmentExpander:xyz - Stale account target memory: Role MyBusinessRole1, Application ActiveDirectory, Identity CN=XX,OU=XX,DC=XX,DC=XX

Has anyone faced the same problem, and how did you correct it?

This behavior is expected with IIQ roles. The DN (nativeIdentity) is coming from the role assignment’s target account memory, so after the first expansion it keeps reusing the same DN even if your Provisioning Policy computes a new one.

SailPoint documents that role assignments persist the target accounts (“target account memory”).

Fix: reset/recreate the role assignment target (remove + re-add role / new assignment) so IIQ reselects the account target DN. Long-term: move DN decisioning into the account selection rule / target selection and generate a DN that is unique on the first attempt (avoid “object already exists” collisions).
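The long-term fix above (generate a DN that is unique on the first attempt) is what a Create-policy field rule for the AD distinguishedName can do before the connector is ever called. The BeanShell below is an added example written for this thread, not code from the original posts or from SailPoint; it assumes a hypothetical target container (`baseOu`), the standard field-rule variables (`context`, `identity`, `application`, `log`), and that AD accounts are aggregated so that `Link.nativeIdentity` reflects DNs already in use.

```java
// Added example (not from this thread): Provisioning Policy (Create) field rule
// for the AD distinguishedName / nativeIdentity. Hypothetical OU below.
import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;

String baseOu = "OU=Users,DC=example,DC=com";   // hypothetical container, adjust

// Escape one RDN attribute value per RFC 4514 so a display name such as
// "O'Brien, Sean" cannot break the DN or smuggle in a second RDN.
String escapeRdnValue(String v) {
    if (v == null) return "";
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < v.length(); i++) {
        char c = v.charAt(i);
        if ("\\,+\"<>;=".indexOf(String.valueOf(c)) >= 0) sb.append('\\');
        sb.append(c);
    }
    String out = sb.toString();
    if (out.startsWith("#") || out.startsWith(" ")) out = "\\" + out;
    if (out.endsWith(" ")) out = out.substring(0, out.length() - 1) + "\\ ";
    return out;
}

// True if IIQ already holds a Link with this DN on this application.
// Caveat: this only sees aggregated accounts. An object created directly in AD
// since the last aggregation is invisible here, so the connector can still
// answer "object already exists"; the suffix loop is a backstop, not a guarantee.
boolean dnInUse(String dn) {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("application.name", application.getName()));
    qo.addFilter(Filter.ignoreCase(Filter.eq("nativeIdentity", dn)));
    return context.countObjects(Link.class, qo) > 0;
}

// First candidate: "CN=First Last,<baseOu>"; on collision append " 2", " 3", ...
String cn = (identity.getFirstname() + " " + identity.getLastname()).trim();
String candidate = "CN=" + escapeRdnValue(cn) + "," + baseOu;
int n = 2;
while (dnInUse(candidate)) {
    if (n > 99) {
        throw new GeneralException("No free DN found for " + identity.getName());
    }
    candidate = "CN=" + escapeRdnValue(cn + " " + n) + "," + baseOu;
    n++;
}
log.debug("Computed AD DN for " + identity.getName() + ": " + candidate);
return candidate;
```

Two things worth checking when adopting something like this: the uniqueness query is only as fresh as the last AD aggregation, so a CN derived from an attribute that is already unique (for example the sAMAccountName) is a safer first candidate than "First Last"; and, as the answer above explains, once a role assignment has recorded a target DN, that stored value wins over whatever this rule computes until the assignment is removed and re-added.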

Hello @amrdodani, thank you for your answer.

Do you have the documentation that says that role assignments persist the target accounts, please?

Many thanks,

Kindly check this

And also this one
