Active Directory Provisioning Error while creating a new account

Hi All,

Our team recently set up an Active Directory source and set up roles with membership criteria - granting AD groups through account creation on the source.

However, we ran into the following error for all identities granted the role:

Exception occurred while executing the RPCRequest: Errors returned from IQService. Error occurred while setting password for the account. Exception has been thrown by the target of an invocation.One or more input parameters are invalid . HRESULT:[0x80070005], Error occurred while setting password for the account. Exception has been thrown by the target of an invocation.One or more input parameters are invalid . HRESULT:[0x80070005]

Logs from IQService on the Active Directory server:

We have checked the Active Directory local password policy with the set password and it is meeting the requirements.

This is a recurring issue that we have come across on different tenants with different Active Directory servers.

Any help would be appreciated. Thank you!

Based on the returned MS code, see the following: error code 0x80070005 means Access denied, and it usually occurs because of a lack of permissions. I would verify that the service account has the correct permissions applied to it.

Hi @mpotti,

Our team has verified that the service account used has the required permissions.

Have you verified that the password that IDN is setting meets your domain’s complexity requirements?

Hi @WyssAJ01,

Yes, the password being set on AD matches the complexity criteria.

In the services control panel, is IQ service running as “local system” or is it running as your service account? I found that you’ll need to run it as the service account for administrative actions like this to happen.

Hi @WyssAJ01,

We have tried both - it results in the same error.

Can you share the account request? Also, is the AD account getting created or not? I remember seeing this error in the past, and I suspect that it is not related to the password. I would suggest reviewing the account request.

I have seen this error a couple of times.

From experience, I would say do not rely on the error. I mean, don’t think that the issue is with the password only. It can be another attribute as well, for example UPN. Without UPN (missing value or uniqueness) you cannot create an account in AD.

Some attribute is missing or failing.

  1. Check whether the account is created or not, even though it gives an error (I guess it is created partially; I have experienced this many times).
  2. See the provisioning activity in IDN and take that data. Log in to the IQ service server and create a PowerShell script to create the AD account using the data from IDN. Run this PowerShell script using the service account used in the AD source, and you will get the exact error.

Thanks
Krish
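
The manual reproduction described in step 2 above, sketched in PowerShell as an added example that is not part of the original thread. It assumes the ActiveDirectory (RSAT) module is installed on the IQService host and that the session was started as the service account configured on the AD source; every account value, OU and server name is a constructed placeholder.

```powershell
# Reproduce the create and set-password steps separately so the real AD error surfaces.
# All values are constructed placeholders; replace them with the data from the
# IDN provisioning activity for the failing identity.
Import-Module ActiveDirectory

$acct = @{
    Name              = 'Test User01'
    SamAccountName    = 'tuser01'
    UserPrincipalName = 'tuser01@example.com'
    Path              = 'OU=Users,DC=example,DC=com'
}
$server = 'dc01.example.com'   # placeholder domain controller

# Confirm which identity is actually performing the operations.
Write-Host "Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# UPN uniqueness check: a duplicate UPN blocks account creation.
$upn  = $acct.UserPrincipalName
$dupe = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Server $server
if ($dupe) { Write-Warning "UPN already used by $($dupe.DistinguishedName)"; return }

# Step 1: create the account disabled, with no password yet.
try {
    $user = New-ADUser @acct -Server $server -Enabled $false -PassThru -ErrorAction Stop
    Write-Host "Created: $($user.DistinguishedName)"
} catch {
    Write-Error "Create failed: $($_.Exception.Message)"
    return
}

# Step 2: set the password and enable. A failure here leaves the account
# partially created, which matches the behaviour described in step 1 of the post.
try {
    $pw = Read-Host -AsSecureString 'Password to test'
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $pw -Server $server -ErrorAction Stop
    Enable-ADAccount -Identity $user -Server $server -ErrorAction Stop
    Write-Host 'Password set and account enabled.'
} catch {
    $hr = '{0:X8}' -f $_.Exception.HResult
    Write-Error "Password/enable failed: $($_.Exception.Message) (HRESULT 0x$hr)"
    Write-Warning "Partially created account left in AD: $($user.DistinguishedName)"
}
```

Remove the test account afterwards so the next provisioning attempt from IDN does not collide with it.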

@ksbagade did you ever figure out the root cause of this problem or are you still working on it?

Hi Karthik,

We are also getting the same error during creation of AD.

Did you find any root cause of the above issue?

We also got the same error, and the issue that was identified was that the password of the admin user had expired. We updated the password and it started working again.

Hi,

The issue was resolved after an extensive troubleshooting checklist. From what @RAKGDS has shared, that might have been the most probable issue.

Thank you.
