AD account is created but attributes are not updated properly

Hey Guys,

I have done the provisioning successfully before as well, with the same number of attributes in the prov policy, and it was successful, but now I got the error below.


Any idea why? Please help.

Hello @Rakesh_Singh_1234,

The best option on an AD source is checking the IQService logs.

Another way to verify which attribute is failing is trying with the minimum attributes and adding one by one.

Regards,
Pablo

Hey @pablonovoa, but is there any way to find any details of the attributes that are failing on the UI tenant? I can just see a red dot in front of the attributes in account activity, but no details.

No, actually there is no way to find which attribute is failing. I hope it is in the future, because sometimes we are not able to log into the IQService machines or Virtual Appliances.

Regards,
Pablo

Hi @Rakesh_Singh_1234,

Can you check from search and provide the Account Activity and Events for the particular user?

Thank you!

Yes, they should provide an “i” button in front of failed attributes that should have a 2-3 line error detail of why that attribute failed, on the SailPoint UI tenant itself. They should introduce that button as an update.

@Abhishek_1995 I checked, but the main problem is that initially I got one user created successfully with the same number of attributes in the create policy, and now, with the same number of attributes, I provisioned one more user, but it is showing that some attributes aren't updated properly. Not able to understand :worried:

@Rakesh_Singh_1234 Have you checked whether the value you are passing for the user is there or not?

If there is any issue with one of the attributes in the Provisioning Plan (like no matching attribute found on the AD side), then the rest of the attributes will be skipped even if they match. Check your Create Account profile and see if there is any attribute included there which does not exist on the AD side.

@iamnithesh Thanks Nithesh. One more query: is it happening because I set the password in the AD create policy as static as of now?

And by matching attribute, you mean the existing account in AD should have the same value for that attribute as per our provisioning? For example:

If userprincipalname in the existing AD account is [email protected] and we are only mapping UPN with userid directly in create account, then will it also have some issues?

  1. Check whether any AD account attribute was changed/deleted in AD after your first successful provisioning.
  2. Compare the values of both accounts’ (success & failed account) attributes and see what the difference is. You may get to know which attribute is causing the error.
  3. It could be the password attribute, which may not match the AD’s password policy. As you said, the second account should get passed since you used static and the password will be the same for both the accounts.
    Did you change the password policy of the AD source between the provisioning of the 2 accounts?

Yes, I just checked now and it is failing again; I got this error in the event for modify:

[“Error(s) reported back from the IQService - Failed to update attributes for identity CN\u003dyuzuzki\, ALVIN(A),OU\u003dContractors,OU\u003dxyz Users,DC\u003dDevxyz,DC\u003dcom. A constraint violation occurred.\n”]

This error is due to the violation of an attribute on the AD source side. Try to identify the attribute to which you may be passing the violating value. One way to check this is to add the attributes one by one in the provisioning plan and check for the failure. Or, if you have direct access to AD, add the value directly into an attribute in an AD account and test it.

I meant to say all attribute names in your Create Account Profile should have a matching attribute name in AD.

Constraint violation errors are usually because of an empty password or an invalid value for one of c, co, or countryCode.
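
The checks suggested in the replies above (attribute names in the Create Account profile with no match on the AD side, an empty password, an invalid c, co or countryCode), as an added example that is not part of the original thread and is not SailPoint code: a Python pre-flight check over a constructed attribute plan. The length and range limits and the `password` plan name are assumptions based on the default AD schema; confirm them against your own environment.

```python
# Added example: pre-flight check of a create-account attribute plan.
# Assumed limits, taken from the default AD schema; confirm against your forest:
#   c: 1-3 characters, co: 1-128 characters, countryCode: integer 0-65535.
MAX_LEN = {"c": 3, "co": 128}
CONNECTOR_ONLY = {"password"}  # assumed plan name; not matched against the schema


def preflight(plan, ad_attribute_names):
    """Return (attribute, problem) pairs for values AD is likely to reject."""
    known = {n.lower() for n in ad_attribute_names} | CONNECTOR_ONLY
    findings = []
    for name, value in plan.items():
        key = name.lower()
        text = "" if value is None else str(value).strip()
        if key not in known:
            findings.append((name, "no matching attribute name on the AD side"))
        elif key == "password" and not text:
            findings.append((name, "empty password"))
        elif key in MAX_LEN and not 1 <= len(text) <= MAX_LEN[key]:
            findings.append((name, f"length {len(text)} outside 1-{MAX_LEN[key]}"))
        elif key == "countrycode" and not (text.isdecimal() and int(text) <= 65535):
            findings.append((name, "not an integer in 0-65535"))
    return findings


# Constructed sample data: a schema subset and two plans, one clean, one faulty.
AD_SCHEMA_SUBSET = ["sAMAccountName", "userPrincipalName", "givenName", "sn",
                    "c", "co", "countryCode"]
GOOD_PLAN = {"sAMAccountName": "ayuzuki",
             "userPrincipalName": "ayuzuki@example.com",
             "c": "US", "co": "United States", "countryCode": 840,
             "password": "S4mple-Only!"}
BAD_PLAN = {"sAMAccountName": "ayuzuki", "c": "United States",
            "countryCode": "USA", "employeeTyp": "Contractor", "password": ""}

if __name__ == "__main__":
    for attr, problem in preflight(BAD_PLAN, AD_SCHEMA_SUBSET):
        print(f"{attr}: {problem}")
```

Running the same check over the attribute values of the account that provisioned cleanly and the one that failed shows which value differs before the request reaches IQService.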