Active Directory unable to remove AD groups during disable operation

Hello,

I am looking to get some assistance on a recent issue I have encountered with bulk removal of on-prem Active Directory group membership.

Last Friday, the service account password for the “Active Directory” connector was reset. Ever since that change, SailPoint is unable to remove groups from a user’s AD account when an identity lifecycle state changes from active to terminated. This was working perfectly fine until the password reset for the service account.

Error received:

[“Error(s) reported back from the IQService - Error occurred while setting group membership CN\u003dDomain Users,CN\u003dUsers,DC\u003dphreesia,DC\u003dcom. The server is unwilling to process the request. The server is unwilling to process the request. 0000055E: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0 0000055E: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0 . HRESULT:[0x80072035]”]

Troubleshooting:

I have looked at SailPoint KB articles pointing to password complexity issues. We then reset the password again for the service account using a minimum of 26 characters, 1 upper case, 1 digit and 1 special character. It still failed and threw the same error.

It is happening to all users. It is impacting our leavers workflow, where SailPoint is not removing AD groups for departed users.

It does work when I send a revoke entitlement request for a group via the Access Request Center.

Note: We have a termination workflow where accounts are disabled, the password is reset and all groups get removed, which stopped working after the changes.

The error “The server is unwilling to process the request” comes from Active Directory, and since you said it was working earlier, you can check the details below with the target system (AD team):

  1. Check whether there was any recent permission change for the AD service account
  2. Check the current password policy to see whether your password value violates it
  3. Check whether any attribute(s) you are trying to provision were deleted in AD
  4. Check whether any attribute value has an incorrect data format

Hello,

ISC won’t be able to remove the default AD group “Domain Users”. Here is another post discussing the same issue: https://developer.sailpoint.com/discuss/t/provisioning-issue-for-ad/86881

Best,
Vikram

I am not using a before provisioning rule, so I am not sure why this is causing an issue now after the password reset. This was working fine before the password reset.

I validated those. All seems to be unchanged and correct.

I would still look at the target system: check whether they have a DC load balancer and whether the password change replicated to all DCs. Also verify your workflow for any references to the svc account which may need the new password.

So it works for a single group removal via the Access Request Center. It fails for bulk removal of groups.

My thought process is that it could be failing because of the Domain Users group error, and the subsequent groups are not getting removed as well.

Absolutely! You should ignore the Domain Users group since SailPoint cannot remove it.

In the group search scope in the source config, I applied this LDAP filter: (&(objectCategory=group)(!(cn=Domain Users)))

and that filter did not filter out Domain Users. Odd.

It won’t filter that out. How are you removing the groups without a before provisioning rule?

I am using a workflow and a certification campaign revoke action to remove all groups!

It looks like it did filter it out after all. The SailPoint UI seems to be slow in displaying correctly.

After filtering it out, it appears to no longer throw the error. I will be monitoring for a few more days.
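The pattern the thread converges on, as an added example (not from the thread and not SailPoint code): a leaver workflow should skip the account's primary group, which AD refuses to remove a member from (the WILL_NOT_PERFORM / 0000055E error above), and remove only the rest. Group DNs, SIDs and the user record are constructed sample data; the primary group is identified by matching the user's primaryGroupID against each group's RID rather than by name.

```python
# Well-known RID of "Domain Users", the default primary group of every AD user
DOMAIN_USERS_RID = 513

# Constructed sample account (not real directory data)
SAMPLE_USER = {
    "dn": "CN=Jane Doe,OU=Leavers,DC=example,DC=com",
    "primaryGroupID": DOMAIN_USERS_RID,
    # group DNs the provisioning system believes this account holds
    "groups": [
        "CN=Domain Users,CN=Users,DC=example,DC=com",
        "CN=VPN Users,OU=Groups,DC=example,DC=com",
        "CN=Finance,OU=Groups,DC=example,DC=com",
    ],
}

# Constructed lookup of group DN -> objectSid (same fake domain SID prefix)
SAMPLE_GROUP_SIDS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": "S-1-5-21-1111111111-2222222222-3333333333-513",
    "CN=VPN Users,OU=Groups,DC=example,DC=com": "S-1-5-21-1111111111-2222222222-3333333333-1201",
    "CN=Finance,OU=Groups,DC=example,DC=com": "S-1-5-21-1111111111-2222222222-3333333333-1202",
}


def rid_of(sid: str) -> int:
    """The relative identifier (RID) is the last sub-authority of a SID."""
    return int(sid.rsplit("-", 1)[1])


def plan_group_removal(user: dict, group_sids: dict) -> dict:
    """Split the account's groups into those AD will let us remove and the
    primary group, which AD rejects with WILL_NOT_PERFORM if we try to
    remove the user from it. Unknown DNs are kept in the remove list so a
    missing SID lookup never silently drops a removal."""
    plan = {"remove": [], "skip": []}
    for dn in user["groups"]:
        sid = group_sids.get(dn)
        if sid is not None and rid_of(sid) == user["primaryGroupID"]:
            plan["skip"].append(dn)  # leave the primary group alone
        else:
            plan["remove"].append(dn)
    return plan


if __name__ == "__main__":
    for action, dns in plan_group_removal(SAMPLE_USER, SAMPLE_GROUP_SIDS).items():
        print(action, dns)
```

A real deprovisioning step would then issue the membership removals only for the "remove" list, and the primary group would be left for account disablement to neutralise.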