AD Accounts Creation with empty values

Hello All,

We are facing strange behavior while creating AD accounts.

The connector was working properly and was creating the AD accounts with the correct mapped attributes; suddenly, yesterday, we found that the user is created in the correct OU but with empty values.

We changed the create account policy to use static values, but that was also not reflected on the AD accounts.

Below is the provisioning policy for reference.

{
  "name": "Account",
  "description": null,
  "usageType": "CREATE",
  "fields": [
    {
      "name": "ObjectType",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "User"
        }
      },
      "attributes": {
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "sAMAccountName",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique LDAP Attribute"
        }
      },
      "attributes": {
        "template": "$(firstname).$(lastname)",
        "cloudMaxUniqueChecks": "50",
        "cloudMaxSize": "20",
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "displayName",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "displayName"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "manager",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "managerId"
        }
      },
      "attributes": {
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "mail",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique LDAP Attribute"
        }
      },
      "attributes": {
        "template": "$(firstname).$(lastname)@domain"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "userPrincipalName",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique LDAP Attribute"
        }
      },
      "attributes": {
        "template": "$(firstname).$(lastname)@domain"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "password",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Password"
        }
      },
      "attributes": {
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "secret",
      "isMultiValued": false
    },
    {
      "name": "givenName",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "firstname"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "sn",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "lastname"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "IIQDisabled",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "false"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "description",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "jobTitle"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "extensionAttribute7",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "uid"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "telephoneNumber",
      "transform": {
        "type": "identityAttribute",
        "attributes": {
          "name": "phoneNumber"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "distinguishedName",
      "transform": {
        "type": "rule",
        "attributes": {
          "name": "Create Unique Account ID"
        }
      },
      "attributes": {
        "template": "CN=$(firstname).$(lastname),$(activeParentOu)",
        "cloudMaxUniqueChecks": "50",
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "pwdLastSet",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "primaryGroupDN",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msNPAllowDialin",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "homeMDB",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "mailNickname",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "shadowAccountDN",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msExchHideFromAddressLists",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    },
    {
      "name": "SipAddress",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "SipDomain",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "SipAddressType",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msNPCallingStationID",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "msRADIUSCallbackNumber",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msRADIUSFramedRoute",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "msRADIUSFramedIPAddress",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "RegistrarPool",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "dNSHostName",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msDS-SupportedEncryptionTypes",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "msDS-ManagedPasswordInterval",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msDS-GroupMSAMembership",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "msDS-AllowedToActOnBehalfOfOtherIdentity",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "servicePrincipalName",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    },
    {
      "name": "externalEmailAddress",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}

This usually happens in the update process during creation of the account. The question is how the provisioning happens from IQService?

  1. Using the create policy, an object with the required attributes will be created in AD through LDAP protocols.
  2. Once the object is created, the other attributes like email, membership, sip, manager (additional parameters) will be updated through LDAP protocols.

In your case, duplicate unique attributes might be causing a problem updating the attributes in point 2 above. However, make sure that samaccount, email, upn, sip's etc. are not duplicated with any other accounts in the entire AD system, not only in the OU you are aggregating.

Solution: Use a transform on emails, samaccountName etc. to evaluate uniqueness of the value across the directory. The page below can help you check uniqueness in sources.

Check in account activity for the same user, if there is an error “Account created but failed to modify”

You need to check unique values like SamAccountName and UPN. If uniqueness fails then the account will be created with empty values.

The DN will not be a duplicate; if it is a duplicate then you will get an error that Object already exists.

Thanks
Krish
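
The checks suggested in the replies above, as an added example that is not part of the original thread or of SailPoint's code: it searches the forest's global catalog for existing objects holding a proposed sAMAccountName, UPN or mail value, and lists recently created users left without names or a UPN. The function names, the `example.test` values and the `Days` default are assumptions; it requires the ActiveDirectory module (RSAT).

```powershell
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping, backslash first, so ( ) * \ in a name cannot change the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-AdAttributeConflict {
    param(
        # Attribute name -> value the create policy would generate.
        [Parameter(Mandatory)][hashtable]$Candidate,
        [string]$GlobalCatalog = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
    )
    foreach ($attr in $Candidate.Keys) {
        $v = ConvertTo-LdapFilterValue $Candidate[$attr]
        $filter = "($attr=$v)"
        # A mail value can also collide with another object's proxy address.
        if ($attr -eq 'mail') { $filter = "(|(mail=$v)(proxyAddresses=smtp:$v))" }
        # Port 3268 is the global catalog: the search spans every domain, not one OU.
        Get-ADObject -LDAPFilter $filter -Server "${GlobalCatalog}:3268" |
            Select-Object @{ n = 'Attribute'; e = { $attr } },
                          @{ n = 'Value'; e = { $Candidate[$attr] } },
                          ObjectClass, DistinguishedName
    }
}

function Get-EmptyProvisionedAccount {
    param([Parameter(Mandatory)][string]$SearchBase, [int]$Days = 2)
    # whenCreated is compared as LDAP generalized time (UTC).
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyyMMddHHmmss.0Z')
    $filter = "(&(whenCreated>=$since)(|(!(givenName=*))(!(sn=*))(!(userPrincipalName=*))))"
    Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter `
        -Properties whenCreated, givenName, sn, userPrincipalName, mail
}

# Constructed sample values; replace with what the policy templates would produce.
$candidate = @{
    sAMAccountName    = 'jane.doe'
    userPrincipalName = 'jane.doe@example.test'
    mail              = 'jane.doe@example.test'
}
Find-AdAttributeConflict -Candidate $candidate | Format-Table -AutoSize
Get-EmptyProvisionedAccount -SearchBase 'OU=Users,DC=example,DC=test' |
    Select-Object SamAccountName, whenCreated, DistinguishedName
```

Any row returned by `Find-AdAttributeConflict` is an existing object that already holds the value; the second function returns the accounts that show the empty-attribute symptom described in the question.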
