AD Provisioning Issue – Only Account ID and Account Name Mapping, Other Attributes Blank

Hi Community,

I am facing an issue while provisioning accounts in Active Directory (AD) using SailPoint IdentityNow. Only the Account ID (DN) and Account Name (sAMAccountName) are getting mapped successfully, but all other attributes are coming in blank in AD.

Current Setup:

  • DN → Mapped to ID
  • sAMAccountName → Mapped to Account Name
  • Other attributes (e.g., Title, Department, ManagerDN) are not getting populated
  • I have mapped all required attributes in the Create Account provisioning policy
  • Even static values set for attributes are showing as blank in AD

Troubleshooting Done:

  • Verified attribute mappings in Create Account policy
  • Confirmed that the attributes exist in the Account Schema
  • Checked the provisioning logs, but no errors related to attribute mapping
  • Ran a test by setting a static value, but the attribute still remains blank

Questions:

  1. Why are only Account ID and Account Name getting provisioned while other attributes remain blank?
  2. Are there any additional configurations needed to ensure all attributes are populated in AD?

Would appreciate any insights or troubleshooting steps.


Does the AD service account have read permission to those attributes? (e.g. how was the service account configured with the required permissions?) Is there any specific ACL in the environment preventing the read of those attributes? Do you have a hardened AD environment?

“but the attribute still remains blank” → Where are you seeing them as blank? ADUC (?), what is it running as?

You usually get this behavior when you are supplying an invalid value to an attribute in AD or the AD service account doesn’t have permission to set some attribute(s).

Both comments have good suggestions/ideas.

It might be a good idea to use the service account and test creating an account in PowerShell; that might give you an idea if it’s a permissions issue.

It might also be a good idea to adjust the order of attributes in the create policy, because if one attribute is failing like @KRM7 said, the rest of the attributes won’t populate. Start with ones you know work without error, then simple ones, etc.
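The test suggested in the replies above, as an added example that is not part of the original thread: it creates a disabled test account as the service account, writes each attribute separately so one bad value or missing write permission is isolated, then reads the values back from the same domain controller. The DC name, OU, account name, attribute values and manager DN are placeholders to replace with your own.

```powershell
# Added example. Every name and value below is a placeholder, not taken from the thread.
Import-Module ActiveDirectory

$cred = Get-Credential -Message 'AD service account used by the IdentityNow source'
$dc   = 'dc01.example.com'                 # pin one DC so replication lag cannot hide a write
$ou   = 'OU=ProvisioningTest,DC=example,DC=com'
$sam  = 'prov.test01'
$dn   = "CN=$sam,$ou"

# Attributes from the Create Account policy, listed in the order to test them.
$attrs = [ordered]@{
    title      = 'Test Engineer'
    department = 'IT'
    manager    = 'CN=Test Manager,OU=Users,DC=example,DC=com'   # must be an existing DN
}
$names = @($attrs.Keys)

# Step 1: create the bare object (DN and sAMAccountName only), disabled.
New-ADUser -Name $sam -SamAccountName $sam -Path $ou -Enabled $false `
    -Server $dc -Credential $cred -ErrorAction Stop

# Step 2: write one attribute per call and record the outcome of each.
$results = foreach ($name in $names) {
    $status = 'OK'
    try {
        Set-ADUser -Identity $dn -Replace @{ $name = $attrs[$name] } `
            -Server $dc -Credential $cred -ErrorAction Stop
    } catch {
        $status = $_.Exception.Message     # e.g. access denied or constraint violation
    }
    [pscustomobject]@{ Attribute = $name; Write = $status; ReadBack = $null }
}

# Step 3: read back with the same account from the same DC.
$user = Get-ADUser -Identity $dn -Properties $names -Server $dc -Credential $cred
foreach ($r in $results) { $r.ReadBack = $user.($r.Attribute) }
$results | Format-Table -AutoSize

# Step 4: remove the test object.
Remove-ADUser -Identity $dn -Server $dc -Credential $cred -Confirm:$false
```

A row with an error in `Write` points at the value or the write permission for that attribute; a row with `Write = OK` and an empty `ReadBack` points at the read side for that account.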

Thanks for your response.

The attribute has been updated; it takes approximately 3-6 hours for the changes to reflect.
