AD: Account created but failed to modify

I am getting error while creating AD (and MS exchange ) accounts. It seems that it tries to modify account which is not created yet.
Account created but failed to modify : Failed to update attributes for identity CN=1000000,OU=Users,OU=People,DC=activedir,DC=xu,DC=com. The specified directory service attribute or value does not exist.

After all account is created and entitlements are assigned:

adError1.log (28.1 KB)

Hi @kskendelis ,

Verify all the attributes present in the Provisioning Policy is added to the account or not. The issue seems like is because the attribute mentioned in the Provisioning Policy doesn’t exist in AD.

1 Like

2 / 2

I would begin by inspecting the account request to identify attribute values that are either invalid or prohibited, including a thorough examination of attributes like “samaccountname,” etc


Can it be something related to my actions, I trying to create and delete the same account.
I have tried to remove almost all additional attributes but it seems even basic attribute like givenName and sn is forbidden to commit.

Account created but failed to modify : Failed to update attributes for identity CN=1000000,OU=Users,OU=People,DC=activedir,DC=xx,DC=com. The server is unwilling to process the request.

Hi @kskendelis Could you check Provisioning Transactions of these operations?
Are you check IQservice logs? It would be possible provide these logs?


Logs have been added.

IQ_AD.log (47.5 KB)

Problem was some additional attributes while creating new account. I have tested creation one by one and removed those which failed. Now account created without any errors or exceptions .

same error I am getting during account creation. In my case I checked all attributes mentioned in provisioning policy exist in AD, still I am getting same error is there any other reason to get this error

can you share your request or plan?

Can you enable logging on the IQService on server neptunas-app ?

This log-file should contain the name of the failing attribute.

(My best guess would be IIQDisabled, but look at the iqtrace.log file)

For provisioning to AD over IQService, the IQService logging will provide more and better details compared to the IIQ log file.

– Remold

Hi @2135797,

Please create a new post by providing all the required information. This will help us to understand and track the issue better. As @Remold suggested please share the logs as well to further analyze the issue.