AD Create account failed: After script returned non zero exit code : -1 :

While creating an AD account I am getting the error below, and I have checked the policy and the Utils and IQService folder permissions.

Account created but failed to modify : Failed to update attributes for identity CN=test,OU=South,OU=Employees,OU=Users and Groups,DC=test,DC=ad,DC=pvt. There is no such object on the server.

Create operation is successful but post script execution failed : After script returned non zero exit code : -1 :

Below is the rule that we are using:

$logDate     = Get-Date -UFormat "%Y%m%d%H%M%S"
$logFile     = "C:\Sailpoint\logs\ConnectorAfterCreateAD_$logDate.log"
$command     = "C:\Sailpoint\Scripts\ActiveDirectory_ConnectorAfterCreate.ps1"
$lockFile    = "C:\Sailpoint\Scripts\lockfile.lock"
$utilsDll    = "C:\Sailpoint\IQService\Utils.dll"
$enableDebug = $true

#====================-------Helper functions-------====================
function LogToFile([String] $info) {
    $info | Out-File $logFile -Append
}

# Block until no other instance of this rule holds the lock
function WaitForLock {
    while (Test-Path $lockFile) {
        Start-Sleep -Seconds 1
    }
}

# Function to create a lock file
function CreateLock {
    New-Item -Path $lockFile -ItemType File -Force | Out-Null
}

# Function to remove the lock file
function RemoveLock {
    Remove-Item -Path $lockFile -Force -ErrorAction SilentlyContinue
}

# Function to execute a user task. Retries are bounded so that a client
# script which always fails cannot keep the IQService thread looping forever.
function ExecuteTask {
    param (
        [string]$command,
        [int]$delaySeconds = 3,
        [int]$maxAttempts = 3
    )

    $success = $false
    $attempt = 0
    while (-not $success -and $attempt -lt $maxAttempts) {
        $attempt++
        try {
            WaitForLock
            CreateLock
            try {
                # Load the SailPoint helper assembly by explicit path; a bare
                # "utils.dll" resolves relative to the IQService working directory
                Add-Type -Path $utilsDll
                $sReader = New-Object System.IO.StringReader([System.String]$env:Request)
                $xmlReader = [System.Xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader))
                $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader)
                $requestAsString = $env:Request
                if ($enableDebug) {
                    LogToFile("Request as XML object is: $requestAsString")
                }
                # Execute the task. The call operator passes the request XML as one
                # argument; building a command line and running it through
                # Invoke-Expression breaks (and is injectable) on any quote in the XML.
                & $command -requestString $requestAsString
                $success = $true
            } finally {
                # Release the lock
                RemoveLock
            }
        } catch {
            $ErrorMessage = $_.Exception.Message
            $ErrorItem = $_.Exception.ItemName
            LogToFile("Error: Item = $ErrorItem -> Message = $ErrorMessage")
            LogToFile "Attempt $attempt of $maxAttempts failed"
            Start-Sleep -Seconds $delaySeconds
        }
    }
    return $success
}

#====================-------Get the request object-------====================
Try {
    if ($enableDebug) {
        LogToFile("Entering SailPoint rule")
    }
    LogToFile "Call the client script"
    Start-Sleep -Seconds 5
    $ok = ExecuteTask -command $command
    if (-not $ok) {
        # Surface the failure to IQService instead of silently reporting success
        LogToFile "Client script failed after all attempts"
        exit 1
    }
}
Catch {
    $ErrorMessage = $_.Exception.Message
    $ErrorItem = $_.Exception.ItemName
    LogToFile("Error: Item = $ErrorItem -> Message = $ErrorMessage")
}

if ($enableDebug) {
    LogToFile("Exiting SailPoint rule")
}

Any help on the above issue?

Can you share your ActiveDirectory_ConnectorAfterCreate.ps1?

Alicia

Hi Gayathri,

“Account created but failed to modify : Failed to update attributes for identity CN=test,OU=South,OU=Employees,OU=Users and Groups,DC=test,DC=ad,DC=pvt. There is no such object on the server.”

Based on this error message it looks like you are trying to set a value on an AD attribute which is not supported. Can you validate whether you are passing the correct value? You can check what values SailPoint is sending from the search, try to set them directly, and see if it allows it.

Thanks,
Uday
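A quick way to do the validation Uday describes is to check each attribute name in the provisioning plan against the forest schema before trying to set it. The snippet below is an added example, not code from this thread; the attribute list is a constructed sample taken from names used elsewhere in the thread (startDate is a plan attribute only and is expected to come back as not existing in AD; manager has DN syntax, so its value must be the DN of an object that already exists).

```powershell
# Added example (not from the thread): confirm that every attribute name in a
# provisioning plan exists in the forest schema and report its syntax.
Import-Module ActiveDirectory

function Test-ADSchemaAttribute {
    param ([Parameter(Mandatory)][string[]]$Name)
    # The schema naming context holds one attributeSchema object per attribute
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($n in $Name) {
        $def = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$n))" `
            -Properties lDAPDisplayName, attributeSyntax, isSingleValued
        [PSCustomObject]@{
            Attribute    = $n
            Exists       = [bool]$def
            Syntax       = $def.attributeSyntax   # e.g. 2.5.5.12 = Unicode string, 2.5.5.1 = DN
            SingleValued = $def.isSingleValued
        }
    }
}

# Constructed sample: names the after-create script in this thread reads or writes
$planAttributes = 'sAMAccountName', 'manager', 'extensionAttribute12',
                  'msExchExtensionAttribute19', 'startDate'
Test-ADSchemaAttribute -Name $planAttributes | Format-Table -AutoSize
```

Run it with the same service account IQService uses, against the same domain controller the connector is configured for, so that a permissions or replication difference does not mask the result.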

It seems you are facing two errors here. The first being “Account created but failed to modify : Failed to update attributes for identity CN=test,OU=South,OU=Employees,OU=Users and Groups,DC=test,DC=ad,DC=pvt. There is no such object on the server.” which is related to AD not being able to locate this group, so it cannot add it during the create.

The second is an issue with the script. I don’t initially see anything wrong with the after script supplied, but it is invoking “ActiveDirectory_ConnectorAfterCreate.ps1”, which could be the culprit for the non-zero exit code. Can you please share this code?

Are you able to see any exceptions output in the log file for the After Script?

It may not be the issue, but can you try to do an “Add-Type” for the “Utils.dll” with the explicit file path C:\Sailpoint\IQService\Utils.dll?

Out of the two errors, I found that one was related to the manager, and it is resolved.

Now I am getting: Create operation is successful but post script execution failed : After script returned non zero exit code : 1 :

Below is the PowerShell script; the same script is working in the sandbox.


param (
    [Parameter(Mandatory = $true)][System.String]$requestString
)
Add-Type -Path "C:\Sailpoint\IQService\Utils.dll"
Import-Module ActiveDirectory

$org        = 'uch-sb'
$configFile = "C:\Sailpoint\Scripts\config.json"
$query      = "*"
$searchBase = "OU=UCHealth Employees,OU=Users and Groups,DC=uch,DC=ad,DC=pvt"
$logDate    = Get-Date -UFormat "%Y%m%d%H%M%S"

#$logDate = Get-Date -UFormat "%Y%m%d"
$logFile = "C:\Sailpoint\logs\ADConnectoryAfterCreateLogs\ADConnectoryAfterCReate$logDate.txt"

$enableDebug = $true

function LogToFile([String] $info) {
    try {
        if ($enableDebug) {
            $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
            "$FormattedDate $info" | Out-File $logFile -Append
        }
    }
    catch {
        # A logging failure must never abort the script
        # ('continue' outside a loop would terminate it)
        return
    }
}

# Value ranges for the two generated attributes
$series        = 1050001..1099999
$startNumber   = 10000000
$numIncrements = 73232201
$maxTries      = 20

# Draw random candidates until one is not already present in AD. Bounded loops
# replace the original recursion so an exhausted range cannot recurse forever.
function Get-UniqueExtensionAttribute12 {
    for ($i = 0; $i -lt $maxTries; $i++) {
        $candidate = Get-Random -InputObject $series
        $existing  = Get-ADUser -Filter "extensionAttribute12 -eq '$candidate'" -SearchBase $searchBase
        if (-not $existing) {
            LogToFile "extensionAttribute12 $candidate is unique"
            return $candidate
        }
    }
    throw "No unique extensionAttribute12 found after $maxTries tries"
}

function Get-UniqueMsExchExtensionAttribute19 {
    for ($i = 0; $i -lt $maxTries; $i++) {
        $candidate = Get-Random -Minimum $startNumber -Maximum $numIncrements
        LogToFile "random Index:$candidate"
        $existing  = Get-ADUser -Filter "msExchExtensionAttribute19 -eq '$candidate'" -SearchBase $searchBase
        if (-not $existing) {
            LogToFile "msExchExtensionAttribute19 $candidate is unique"
            return $candidate
        }
    }
    throw "No unique msExchExtensionAttribute19 found after $maxTries tries"
}

LogToFile "Before Protected Code"
try {
    ##########################
    # Begin SailPoint protected code -- do not modify this code block
    #
    $sReader = New-Object System.IO.StringReader([System.String]$requestString);
    $xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
    #
    ##########################
    LogToFile "Parsed request, operation = $($requestObject.operation)"

    if ($requestObject.operation -ne "Create") {
        Exit
    }

    # Pull the attributes this script needs out of the provisioning request
    foreach ($item in $requestObject.AttributeRequests) {
        switch ($item.Name) {
            "sAMAccountName"             { $samAccountName             = $item.Value }
            "startDate"                  { $startDate                  = $item.Value }
            "msExchExtensionAttribute16" { $msExchExtensionAttribute16 = $item.Value }
            "msExchExtensionAttribute17" { $msExchExtensionAttribute17 = $item.Value }
            "OU"                         { $OU                         = $item.Value }
        }
    }
    LogToFile "sAMAccountName=$samAccountName startDate=$startDate OU=$OU"

    # Append this create to the running CSV of created users
    $createdUsersFile = "C:\Sailpoint\CsvResults\Creates.csv"
    $createdRows = @()
    if (Test-Path $createdUsersFile) {
        $createdRows += Import-Csv -Path $createdUsersFile
    }
    $createdRows += [PSCustomObject]@{
        "startDate"                  = $startDate
        "samAccountName"             = $samAccountName
        "msExchExtensionAttribute16" = $msExchExtensionAttribute16
        "msExchExtensionAttribute17" = $msExchExtensionAttribute17
        "OU"                         = $OU
    }
    LogToFile "Adding $samAccountName to $createdUsersFile"
    $createdRows | Export-Csv -NoTypeInformation -Path $createdUsersFile

    $msExchExtensionAttribute19 = Get-UniqueMsExchExtensionAttribute19
    $extensionAttribute12       = Get-UniqueExtensionAttribute12
    LogToFile "msExchExtensionAttribute19: $msExchExtensionAttribute19"
    LogToFile "extensionAttribute12: $extensionAttribute12"

    # Look the new account up by sAMAccountName. Fall back to the employees OU
    # when the request carried no OU so -SearchBase never gets an empty string.
    $base   = if ($OU) { $OU } else { $searchBase }
    $adUser = Get-ADUser -Filter "SamAccountName -eq '$samAccountName'" -SearchBase $base
    if ($adUser) {
        LogToFile "User found: $($adUser.DistinguishedName)"
        Set-ADUser -Identity $adUser -Replace @{
            'msExchExtensionAttribute19' = $msExchExtensionAttribute19
            'extensionAttribute12'       = $extensionAttribute12
        }
    }
    else {
        LogToFile "User not found"
    }
}
catch {
    $ErrorMessage = $_.Exception.Message
    $ErrorItem = $_.Exception.ItemName
    LogToFile("Error: Item = $ErrorItem -> Message = $ErrorMessage")
    # Non-zero exit so IQService reports the after-script failure rather than success
    exit 1
}

Hi @gayare

How are you creating the user in AD, via role assignment or access profile? I also observed a similar scenario long back when I was trying to create the account in AD using an Access profile, and at that time ISC was not able to locate the account. So we switched the logic to create the accounts via Role instead of the Access profile or Entitlement, and that is working for our case.
That is because, after the role assignment is successful, there is an identity refresh task that takes place and updates the identity with the account information.

Another option for you could be that when you are modifying the object, in that script, instead of trying to search for the identity by DN, try to search by samAccountName or some other unique identifier so that you can check whether the user has already been created or not. Something like below: if the identity is found, then you can get the DN of the user and update it according to the provisioning plan.

$user = Get-ADUser -Filter "employeeNumber -eq '111111'" -Properties employeeNumber
if ($user) {
    $dn = $user.DistinguishedName
    # ---update the user ----
}
else {
    # wait for 1 minute and then try reading the user again
    Start-Sleep -Seconds 60
}

Of course there is also another possibility: if you are using multiple DCs, then replication is taking time. So please make sure you are using the same DC URL in both the after create and after modify scripts.

I hope this helps.

Regards
Vikas.
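Putting Vikas's two suggestions together (look the account up by a unique identifier with a bounded wait, and pin every query to the same DC so the after-create step sees the replica the account was created on) gives the pattern below. This is an added example, not code from the thread; the DC hostname, search base, sAMAccountName and attribute value are assumptions for illustration.

```powershell
# Added example (not from the thread): resolve the new account by sAMAccountName
# with a bounded retry, against one pinned DC, then update by the resolved DN.
Import-Module ActiveDirectory

function Wait-ADAccount {
    param (
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Server,   # assumption: the DC the connector is configured against
        [string]$SearchBase = 'OU=Employees,OU=Users and Groups,DC=test,DC=ad,DC=pvt',
        [int]$MaxAttempts = 6,
        [int]$DelaySeconds = 10
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # String filter with the value single-quoted: the AD filter language is not
        # PowerShell, so the variable is expanded here rather than inside a scriptblock
        $user = Get-ADUser -Server $Server -SearchBase $SearchBase `
                           -Filter "SamAccountName -eq '$SamAccountName'" `
                           -ErrorAction SilentlyContinue
        if ($user) { return $user }
        Write-Verbose "Attempt $attempt/$MaxAttempts: $SamAccountName not visible on $Server yet"
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
    }
    return $null
}

$dc   = 'dc01.test.ad.pvt'   # assumption: same DC used by the create and modify steps
$user = Wait-ADAccount -SamAccountName 'test' -Server $dc -Verbose
if (-not $user) {
    Write-Error "Account 'test' never became visible on $dc; not updating"
    exit 1                   # non-zero so IQService reports the failure
}
# Update by the DN we just resolved, on the same DC we resolved it from
Set-ADUser -Server $dc -Identity $user.DistinguishedName -Replace @{
    'extensionAttribute12' = '1050001'   # assumed sample value
}
```

The bounded loop matters: an unbounded "wait until it appears" inside an IQService after-script ties up a provisioning thread indefinitely when the account was never created, while a capped wait fails the request visibly and lets the retry or the operator take over.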


We found the issue. We had copied all the PS scripts from our test server to the Prod server, and the scripts were blocked. Once we unblocked them, it started working.
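Files copied from another machine can carry the Mark of the Web (a Zone.Identifier alternate data stream), and a RemoteSigned execution policy refuses to run such a script, which surfaces from IQService only as a non-zero exit code. The snippet below is an added example, not code from the thread; it lists the files under the IQService script and install folders that still carry the stream and removes it. The folder paths are assumptions based on the paths used in this thread.

```powershell
# Added example (not from the thread): find and unblock scripts and assemblies
# that still carry the Zone.Identifier stream after being copied between servers.
$roots = 'C:\Sailpoint\Scripts', 'C:\Sailpoint\IQService'   # assumed locations

function Get-BlockedFile {
    param ([Parameter(Mandatory)][string[]]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.ps1, *.psm1, *.dll |
        Where-Object {
            # A file that came from another zone carries this alternate data stream
            Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        }
}

$blocked = @(Get-BlockedFile -Path $roots)
if ($blocked.Count -eq 0) {
    Write-Host "No blocked files under $($roots -join ', ')"
}
else {
    foreach ($f in $blocked) {
        # Record which zone the file came from (ZoneId=3 is Internet) before clearing it
        $zone = (Get-Content -Path $f.FullName -Stream Zone.Identifier) -join ' '
        Write-Host "Blocked: $($f.FullName) [$zone]"
        Unblock-File -Path $f.FullName
    }
}

# Unblocking removes the stream; the script must still satisfy the effective
# execution policy for the account IQService runs under, so show all scopes.
Get-ExecutionPolicy -List
```

Run this in the context of the IQService service account: the effective execution policy can differ per user and per scope, and a script that runs fine in an administrator's interactive session can still be refused by the service.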
