AD Create Account - sAMAccountName not unique

mnapoli · June 3, 2025, 1:03pm

Hi all,

I’m encountering an issue in SailPoint Identity Security Cloud (ISC) where multiple Active Directory accounts are being provisioned with duplicate sAMAccountName values, despite using $(uniqueCounter) to ensure uniqueness. This is happening during role-based provisioning (birthright access).

Configuration Details

Accounts are provisioned automatically via role membership.
I’ve defined a custom identity attribute:
samaccountcreationlogic = first letter of givenName + surname
(e.g., John Smith → jsmith)
In the Create Account provisioning policy for AD, the sAMAccountName is configured as:

$(samaccountcreationlogic)$(uniqueCounter)

So I’d expect something like:

jsmith1
jsmith2
etc.

Issue

Despite this logic, AD account creation fails with duplicate sAMAccountName values (e.g., multiple attempts with just jsmith). This results in the following error returned from IQService:

Exception occurred while executing the RPCRequest: Errors returned from IQService. 
"The object already exists. The object already exists. 
00000524: UpdErr: DSID-031A11F8, problem 6005 (ENTRY_EXISTS), data 0 
00000524: UpdErr: DSID-031A11F8, problem 6005 (ENTRY_EXISTS), data 0 
. HRESULT:[0x80071392] 
For identity: <Identity_Name>"

It looks like $(uniqueCounter) is either not being evaluated, or not incrementing during the role-based provisioning flow.

What I’ve Verified

samaccountcreationlogic is populated correctly and consistently.
The same logic works correctly when provisioning via Access Requests.
The AD source’s Create Account configuration is mapped as expected.

Questions

Is $(uniqueCounter) officially supported in role-triggered provisioning flows?
Are there known limitations with dynamic expressions (like transforms or counters) in Create Account templates during automated provisioning?
Would shifting this logic into a Before Provisioning rule be a better approach to ensure runtime uniqueness?

Any advice or insight would be greatly appreciated — especially if others have faced this behaviour in automated provisioning scenarios.

Thanks in advance!

—Matt

RAKGDS · June 3, 2025, 1:11pm

Hi Matt,
Please check if you have cloudRequired=true in your Create Account Provisioning Policy.

“attributes”: {
“template”: “$(samaccountcreationlogic)$(uniqueCounter)”,
“cloudMaxUniqueChecks”: “50”,
“cloudMaxSize”: “20”,
“cloudRequired”: “true”
}

It should be something like above. Please add it and try to Provision the issue should get fixed.

Thanks

j_place · June 3, 2025, 1:38pm

Hi @mnapoli

3 questions:

Are you using the Create Unique LDAP Attribute generator?
Have you aggregated accounts from the source?
Is the conflicting existing jsmith in the scope of your connector?

mnapoli · June 3, 2025, 2:07pm

Hi Rakesh,
Yes I have it configured as such.

        {
            "name": "sAMAccountName",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Create Unique LDAP Attribute"
                }
            },
            "attributes": {
                "template": "$(samaccountnamecreationlogic)$(uniqueCounter)",
                "cloudMaxUniqueChecks": "50",
                "cloudMaxSize": "20",
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

j_place · June 3, 2025, 2:09pm

Apols, I jumped straight in with my questions.

As to your questions: AFAIK:

Yes
No
No (based on the 2 answers above)

2 more questions from me, though, if I may:

When you say role-triggered provisioning flows: Is it Role > AP > Entitlement?
When you say access request works, is that for a role, AP or Entitlement?

mnapoli · June 3, 2025, 2:10pm

Hi Jeremy,
Yes I am using the Create Unique LDAP Attribute generator. Also I have aggregated accounts from the source (active directory), and yes ‘jsmith’ is in scope of the connector.

j_place · June 3, 2025, 2:20pm

I’m sure its probably a typo, but you’ve got

samaccountnamecreationlogic

in the transform, and

samaccountcreationlogic

in the post?

j_place · June 3, 2025, 2:46pm

Hi Matt - also something else to check. Are you sure it’s the sAMAccountName causing the problem? AFAIK, you would get the same error if UPN or DN were clashing.

mnapoli · June 8, 2025, 1:48am

Hi Jeremy, apologies for the late response here are my answers:

When you say role-triggered provisioning flows: Is it Role > AP > Entitlement?
Currently it is Role > Entitlement. No AP configured.
When you say access request works, is that for a role, AP or Entitlement?
Apologies please ignore the access request part of the post. These roles are not requestable (since they are birthright) and have not been tested / implemented for user access requests.

mnapoli · June 8, 2025, 1:50am

Also this is the transform to evaluate the samaccountname for an identity:
“name”: “PVT-SamAccountNameCreationLogic”,
“type”: “static”,
“attributes”: {
“fname”: {
“attributes”: {
“input”: {
“attributes”: {
“name”: “preferredName”
},
“type”: “identityAttribute”
},
“regex”: “[^a-zA-Z0-9]”,
“replacement”: “”
},
“type”: “replace”
},
“lName”: {
“attributes”: {
“input”: {
“attributes”: {
“name”: “lastname”
},
“type”: “identityAttribute”
},
“regex”: “[^a-zA-Z0-9]”,
“replacement”: “”
},
“type”: “replace”
},
“value”: “$fname.substring(0,1).toLowerCase()$lName.toLowerCase()”
},
“internal”: false
}

JackSparrow · June 8, 2025, 4:25am

Hi @mnapoli ,

Can you check account activity in search tab for this user and see what value is being pushed for “samAccountName” during create? Is that having $(uniqueCounter)?

j_place · June 8, 2025, 11:01am

Hi @mnapoli

Can you confirm that the Identity Attribute you use for the sAMAccountName stub (or seed) is getting correctly populated and the attribute name that you use in the sAMAccountName transform is the “technical” name for that attribute? I see 3 different names used in this post: PVT-SamAccountNameCreationLogic, samaccountnamecreationlogic and samaccountcreationlogic. Bear in mind that the technical name is case specific.

Also, can you confirm that it is the sAMAccountName that is causing the issue with AD, ie the DN and UPN are not causing the object already exists message?

mnapoli · June 15, 2025, 7:40am

Hi All, thank you for your assitance with this topic of discussion. I believe the main problem with this issue I am facing is that in that I am trying to create accounts at the same time and SailPoint cannot interpret that two target accounts will have the same sAMAccountName/DN before being provisioned in the same batch of new identities in SailPoint. It has been made aware to me that this is a race condition when there are multiple accounts getting created at the same time and is difficult to avoid.