Hi Emanuele -
Thanks for taking the time to reply to my post!
I have tried it with the OU, but I still see the same issue.
distinguishedName = "CN="+dnNewName+",OU=Users,DC=RGLab,DC=local";
I tried hardcoding DN value as well, the same issue.
Documents:
IdentityRequest:
0000000100.xml (49.2 KB)
Joiner Workflow:
Lifecycle Event - joiner Test.xml (14.8 KB)
AD App Definition:
Active Directory.xml (42.3 KB)
Error Exception occurred while executing the RPCRequest: Errors returned from IQService. “Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]”
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Workflow PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Workflow created="1734283286239" explicitTransitions="true" id="0a00004693ca13fd8193cb56d6df03de" libraries="Identity" modified="1734291148850" name="Lifecycle Event - joiner Test" significantModified="1734291148850" type="IdentityLifecycle">
<Variable input="true" name="trigger">
<Description>The IdentityTrigger</Description>
</Variable>
<Variable input="true" name="event" transient="true">
<Description>
The IdentityChangeEvent. It can be used to build
the provisioning plan, but does not need to be
persisted with the case, so marked as transient.
</Description>
</Variable>
<Variable input="true" name="identityName">
<Description>The name of the identity.</Description>
</Variable>
<Variable name="identityDisplayName">
<Script>
<Source>
import sailpoint.object.Identity;
Identity identity = context.getObjectByName( Identity.class, identityName );
if( identity != null )
{
return identity.getDisplayName() ;
}
</Source>
</Script>
</Variable>
<Variable initializer="string:Joiner" name="flow">
<Description>The name of the identity.</Description>
</Variable>
<Variable initializer="LCM" input="true" name="source">
<Description>
String version of sailpoint.object.Source to indicate
where the request originated. Defaults to LCM.
</Description>
</Variable>
<Variable input="true" name="plan">
<Description>The provisioning plan, which is built by a service
method.
</Description>
</Variable>
<Variable editable="true" initializer="false" name="optimisticProvisioning">
<Description>
Set to true to enable optimistic provisioning. This will cause
changes to the entitlements compiled from role assignments to be
applied immediately to the identity cube rather than waiting
for the next refresh/reaggregation after the provisioning system
completes the request.
</Description>
</Variable>
<Variable editable="true" initializer="true" name="foregroundProvisioning">
<Description>
Normally provisioning is done in a step that uses the "background"
option to force the workflow to be suspend and be resumed in a
background task thread. This prevents the browser session from
hanging since provision can sometimes take a long time. For demos
and testing it can be better to do this in the foreground so that
provisioning will have been performed when control is returned to the
user. This prevents having to run the Perform Maintenance task to
see the results of the request.
</Description>
</Variable>
<Variable initializer="spadmin" input="true" name="fallbackApprover">
<Description>
A String that specifies the name of the Identity that will
be assigned any approvals where the owner of the approver
can't be resolved. Example if the scheme is "owner" and the
application doesn't specify and owner.
</Description>
</Variable>
<Variable initializer="LCM" input="true" name="source">
<Description>
String version of sailpoint.object.Source to indicate
where the request originated. Defaults to LCM.
</Description>
</Variable>
<Variable initializer="true" input="true" name="trace">
<Description>
Used for debugging this workflow and when set to true trace
will be sent to stdout.
</Description>
</Variable>
<Variable name="project">
<Description>
ProvisioningProject which is just a compiled version of the ProvisioningPlan.
</Description>
</Variable>
<Variable name="identityRequestId" output="true">
<Description>
The sequence id of the Identity request object which is stored in
the name field of the identity request.
</Description>
</Variable>
<Variable name="cart" output="true">
<Description>
This variable includes all ApprovalItems that are part of
the request process and is updated during the AfterScript
of the approval process by assimilating the decisions
and comments from the Approvals copy of the ApprovalItem.
</Description>
</Variable>
<Variable initializer="Normal" input="true" name="workItemPriority">
<Description>
The String version of a WorkItem.Priority. This variable is
used to set the priority on all of the workitems generated
as part of this workflow and also set on the IdentityRequest
object.
</Description>
</Variable>
<Description>Disable all accounts when an employee leaves the company.</Description>
<RuleLibraries>
<Reference class="sailpoint.object.Rule" id="c0a801be8e161c14818e162d978a019d" name="LCM Workflow Library"/>
</RuleLibraries>
<Step icon="Start" name="Start" posX="28" posY="10">
<Transition to="Build Plan"/>
</Step>
<Step icon="Message" name="Build Plan" posX="98" posY="10" resultVariable="plan">
<Description>Go through all of the user's links and build a plan.</Description>
<Script>
<Source>
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningResult;
import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;
import sailpoint.api.Provisioner;
import org.apache.log4j.Logger;
// Initialize logger before its first use
Logger log = Logger.getLogger("BirthrightJoinerRule");
ProvisioningResult result = new ProvisioningResult();
log.debug("Initialized ProvisioningResult");
ProvisioningPlan plan = new ProvisioningPlan();
log.debug("Initialized ProvisioningPlan");
log.debug("*********************************************************************");
log.debug("********* Entering Joiner Workflow ************");
log.debug("*********************************************************************");
//try {
// Retrieve the identity name from the event
String identityName = event.getObject().getDisplayableName();
log.debug("New user entered the system:----------------- " + identityName);
// Get the identity object from the context
Identity identity = context.getObjectByName(Identity.class, identityName);
log.debug("Retrieved identity: " + identity);
if (identity == null) {
log.debug("Identity value: " + identity);
throw new GeneralException("Identity is null");
}
String region = (String) identity.getAttribute("region");
log.debug("User region: " + region);
plan.setIdentity(identity);
plan.setNativeIdentity(identityName);
log.debug("ProvisioningPlan initialized and identity set");
log.debug("*** \n The Provisioning Plan being passed in = \n*\n*\n*\n" + plan.toXml() + "\n**************************");
AccountRequest accountRequest = new AccountRequest();
accountRequest.setOperation(AccountRequest.Operation.Create);
accountRequest.setApplication("Active Directory");
accountRequest.setNativeIdentity(identity.getName());
log.debug("AccountRequest initialized: " + accountRequest);
// Add sAMAccountName attribute
String samAccountName = (String) identity.getName();
accountRequest.add(new AttributeRequest("sAMAccountName", ProvisioningPlan.Operation.Set, samAccountName));
log.debug("Added sAMAccountName attribute: " + samAccountName);
// Add other attributes as needed
String userPrincipalName = (String) identity.getAttribute("email");
accountRequest.add(new AttributeRequest("userPrincipalName", ProvisioningPlan.Operation.Set, userPrincipalName));
log.debug("Added userPrincipalName attribute: " + userPrincipalName);
String givenName = (String) identity.getAttribute("firstname");
accountRequest.add(new AttributeRequest("givenName", ProvisioningPlan.Operation.Set, givenName));
log.debug("Added givenName attribute: " + givenName);
String sn = (String) identity.getAttribute("lastname");
accountRequest.add(new AttributeRequest("sn", ProvisioningPlan.Operation.Set, sn));
log.debug("Added sn attribute: " + sn);
String displayName = identity.getDisplayName();
accountRequest.add(new AttributeRequest("displayName", ProvisioningPlan.Operation.Set, displayName));
log.debug("Added displayName attribute: " + displayName);
String mail = (String) identity.getAttribute("email");
accountRequest.add(new AttributeRequest("mail", ProvisioningPlan.Operation.Set, mail));
log.debug("Added mail attribute: " + mail);
// Determine the organizational unit (OU) based on the region and construct the DN
String dnNewName = displayName.replace("."," ");
String distinguishedName;
if (Util.nullSafeEq(region, "Americas")) {
distinguishedName = "cn="+dnNewName+",OU=Americas,DC=RGLab,DC=local";
log.debug("User is from the Americas region, setting distinguishedName to: " + distinguishedName);
accountRequest.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Add, "CN=" +dnNewName+",OU=Americas,DC=RGLab,DC=local"));
log.debug("Added memberOf attribute for region Americas");
} else {
distinguishedName = "CN="+dnNewName+",OU=Users,DC=RGLab,DC=local"; // Default DN
//distinguishedName = "CN=Howard Rose,OU=Users,DC=RGLab,DC=local";
//accountRequest.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Add, "CN=Howard Rose,OU=Users,DC=RGLab,DC=local"));
log.debug("Setting default distinguishedName to: " + distinguishedName);
}
log.debug(" default distinguishedName after else: " + distinguishedName);
accountRequest.add(new AttributeRequest("distinguishedName", ProvisioningPlan.Operation.Set, distinguishedName));
log.debug("Added distinguishedName attribute: " + distinguishedName);
plan.add(accountRequest);
log.debug("Added accountRequest to plan");
log.debug("n*\n* \n The Provisioning Plan being passed in = \n***\n" + plan.toXml() + "\n*\n*\n************************");
workflow.put("plan", plan);
/*} catch (GeneralException e) {
log.error("Error during Birthright Joiner Provisioning: " + e.getMessage(), e);
//result.setStatus(ProvisioningResult.STATUS_FAILED);
} catch (Exception e) {
log.error("Unexpected error: " + e.getMessage(), e);
//result.setStatus(ProvisioningResult.STATUS_FAILED);
}*/
return plan;
</Source>
</Script>
<Transition to="Initialize"/>
</Step>
<Step icon="Task" name="Initialize" posX="208" posY="10">
<Arg name="identityName" value="ref:identityName"/>
<Arg name="enableRetryRequest"/>
<Arg name="allowRequestsWithViolations"/>
<Arg name="endOnManualWorkItems"/>
<Arg name="policiesToCheck"/>
<Arg name="workItemPriority"/>
<Arg name="workItemComments"/>
<Arg name="source" value="ref:source"/>
<Arg name="violationReviewDecision"/>
<Arg name="policyScheme" value="none"/>
<Arg name="priority" value="ref:workItemPriority"/>
<Arg name="identityDisplayName" value="ref:identityDisplayName"/>
<Arg name="requireViolationReviewComments"/>
<Arg name="identityRequest"/>
<Arg name="trace" value="ref:trace"/>
<Arg name="enableApprovalRecommendations"/>
<Arg name="asyncCacheRefresh"/>
<Arg name="optimisticProvisioning" value="ref:optimisticProvisioning"/>
<Arg name="plan" value="ref:plan"/>
<Arg name="flow" value="ref:flow"/>
<Arg name="launcher" value="ref:launcher"/>
<Description>
Call the standard subprocess to initialize the request,
this includes
auditing, building the approvalset, compiling the plan
into
project and checking policy violations.
</Description>
<Return name="project" to="project"/>
<Return name="approvalSet" to="cart"/>
<Return name="identityRequestId" to="identityRequestId"/>
<Return name="policyViolations" to="policyViolations"/>
<WorkflowRef>
<Reference class="sailpoint.object.Workflow" id="c0a801be8e3a1bb1818e3aec893d002f" name="Identity Request Initialize"/>
</WorkflowRef>
<Transition to="Provision"/>
</Step>
<Step icon="Task" name="Provision" posX="318" posY="10" wait="-1">
<Arg name="approvalScheme" value="ref:approvalScheme"/>
<Arg name="identityName" value="ref:identityName"/>
<Arg name="fallbackApprover" value="ref:fallbackApprover"/>
<Arg name="approvalSet"/>
<Arg name="manualActionsEmailTemplate"/>
<Arg name="workItemComments"/>
<Arg name="workItemPriority"/>
<Arg name="project" value="ref:project"/>
<Arg name="identityRequestId"/>
<Arg name="policyScheme" value="ref:policyScheme"/>
<Arg name="splitProvisioning"/>
<Arg name="saveUnmanagedPlan"/>
<Arg name="foregroundProvisioning" value="ref:foregroundProvisioning"/>
<Arg name="noTriggers"/>
<Arg name="identityDisplayName" value="ref:identityDisplayName"/>
<Arg name="trace" value="ref:trace"/>
<Arg name="saveUnmanagedPlan_WithProjectArgument"/>
<Arg name="recompile"/>
<Arg name="optimisticProvisioning" value="ref:optimisticProvisioning"/>
<Arg name="plan"/>
<Arg name="launcher" value="ref:launcher"/>
<WorkflowRef>
<Reference class="sailpoint.object.Workflow" id="c0a801be8e3a1bb1818e3aec8a2e0032" name="Identity Request Provision"/>
</WorkflowRef>
<Transition to="Finalize"/>
</Step>
<Step catches="complete" icon="Task" name="Finalize" posX="420" posY="10">
<Arg name="trace" value="ref:trace"/>
<Arg name="autoVerifyIdentityRequest"/>
<Arg name="approvalSet" value="ref:cart"/>
<Arg name="ticketManagementApplication"/>
<Arg name="project" value="ref:project"/>
<Arg name="workItemPriority"/>
<Arg name="identityRequestId" value="ref:identityRequestId"/>
<Arg name="ticketDataGenerationRule"/>
<Description>
Call the standard subprocess that can audit/finalize the
request.
</Description>
<WorkflowRef>
<Reference class="sailpoint.object.Workflow" id="c0a801be8e3a1bb1818e3aec8a7d0033" name="Identity Request Finalize"/>
</WorkflowRef>
<Transition to="Stop"/>
</Step>
<Step icon="Stop" name="Stop" posX="514" posY="10"/>
</Workflow>
Failing Identity Request:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE IdentityRequest PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<IdentityRequest completionStatus="Failure" created="1734453959357" endDate="1734454030915" executionStatus="Completed" id="0a00004693d516aa8193d5831abc0014" modified="1734454030918" name="0000000100" priority="Normal" requesterDisplayName="Scheduler" significantModified="1734454030918" source="LCM" state="End" targetClass="sailpoint.object.Identity" targetDisplayName="Howard.Rose" targetId="c0a801be8ee91882818eee4409010a2e" type="Joiner">
<Attributes>
<Map>
<entry key="approvalSummaries">
<value>
<List>
<ApprovalSummary completer="The Administrator" endDate="1734453992817" owner="spadmin" request="Complete provisioning form for Howard.Rose" startDate="1734453959925" state="Finished" workItemId="0a00004693d516aa8193d5831cb20015" workItemType="Form"/>
</List>
</value>
</entry>
<entry key="messages">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="provisionedProject">
<value>
<ProvisioningProject identity="Howard.Rose">
<Attributes>
<Map>
<entry key="disableRetryRequest">
<value>
<Boolean>true</Boolean>
</value>
</entry>
<entry key="identityRequestId" value="0000000100"/>
<entry key="optimisticProvisioning" value="false"/>
<entry key="requester" value="Scheduler"/>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
<MasterPlan>
<ProvisioningPlan nativeIdentity="Howard.Rose">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<AttributeRequest name="sAMAccountName" op="Set" value="Howard.Rose"/>
<AttributeRequest name="userPrincipalName" op="Set" value="[email protected]"/>
<AttributeRequest name="givenName" op="Set" value="Howard"/>
<AttributeRequest name="sn" op="Set" value="Rose"/>
<AttributeRequest name="displayName" op="Set" value="Howard.Rose"/>
<AttributeRequest name="mail" op="Set" value="[email protected]"/>
<AttributeRequest name="distinguishedName" op="Set" value="CN=Howard Rose,OU=Users,DC=RGLab,DC=local"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="identityRequestId" value="0000000100"/>
<entry key="requester" value="Scheduler"/>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</MasterPlan>
<ProvisioningPlan nativeIdentity="Howard.Rose" targetIntegration="Active Directory" trackingId="5e5113c887ea4cce8841dc0e6d00ef74">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="sAMAccountName" op="Set" value="Howard.Rose"/>
<AttributeRequest name="userPrincipalName" op="Set" value="[email protected]"/>
<AttributeRequest name="givenName" op="Set" value="Howard"/>
<AttributeRequest name="sn" op="Set" value="Rose"/>
<AttributeRequest name="displayName" op="Set" value="Howard.Rose"/>
<AttributeRequest name="mail" op="Set" value="[email protected]"/>
<AttributeRequest name="distinguishedName" op="Set" value="CN=Howard Rose,OU=Users,DC=RGLab,DC=local"/>
<AttributeRequest name="objectType" op="Set" value="User"/>
<AttributeRequest name="password" op="Set">
<Attributes>
<Map>
<entry key="secret" value="true"/>
</Map>
</Attributes>
</AttributeRequest>
<AttributeRequest name="IIQDisabled" op="Set">
<Value>
<Boolean></Boolean>
</Value>
</AttributeRequest>
<AttributeRequest name="msNPAllowDialin" op="Set" value="Not Set"/>
<ProvisioningResult status="failed">
<Errors>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</Errors>
</ProvisioningResult>
</AccountRequest>
<Attributes>
<Map>
<entry key="identityRequestId" value="0000000100"/>
<entry key="requester" value="Scheduler"/>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
<QuestionHistory>
<Question attributeName="objectType" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_objecttype" name="Question:0:objectType" postBack="true" priority="10" reviewRequired="true" template="Account" type="string" value="User">
<AllowedValuesDefinition>
<Value>
<List>
<String>User</String>
<String>Contact</String>
<String>msDS-GroupManagedServiceAccount</String>
<String>msDS-ManagedServiceAccount</String>
</List>
</Value>
</AllowedValuesDefinition>
<Attributes>
<Map>
<entry key="hidden">
<value>
<Script>
<Source>
Object objType = field.getValue();
if ("contact".equalsIgnoreCase(objType)) {
if (form.getSection("Dial-in") != null) {
form.remove(form.getSection("Dial-in"));
}
if (form.getSection("User Details") != null) {
form.remove(form.getSection("User Details"));
}
if (form.getSection("Skype for Business") != null) {
form.remove(form.getSection("Skype for Business"));
}
if (form.getSection("gmsa") != null) {
form.remove(form.getSection("gmsa"));
}
if (form.getSection("Exchange") != null && form.getSection("Exchange").getFields() != null ) {
for (Object field : form.getSection("Exchange").getFields()) {
String name = field.getName();
if (name != null && name.indexOf(":") > 0 ) {
String[] nameKeys = name.split(":");
if (nameKeys.length > 1 &&
"homeMDB".equalsIgnoreCase(nameKeys[2])){
field.setHidden(true);
}
}
}
}
}
else if ("msDS-GroupManagedServiceAccount".equalsIgnoreCase(objType)
|| "msDS-ManagedServiceAccount".equalsIgnoreCase(objType)) {
if (form.getSection("Dial-in") != null) {
form.remove(form.getSection("Dial-in"));
}
if (form.getSection("Skype for Business") != null) {
form.remove(form.getSection("Skype for Business"));
}
if (form.getSection("Exchange") != null) {
form.remove(form.getSection("Exchange"));
}
if (form.getSection("gmsa") != null) {
form.getSection("gmsa").setLabel("Service Account");
}
if (form.getSection("User Details") != null && form.getSection("User Details").getFields() != null ) {
for (Object field : form.getSection("User Details").getFields()) {
String name = field.getName();
if (name != null && name.indexOf(":") > 0 ) {
String[] nameKeys = name.split(":");
if (nameKeys.length > 1) {
if("password".equalsIgnoreCase(nameKeys[2])
|| "pwdLastSet".equalsIgnoreCase(nameKeys[2])
|| "primaryGroupDN".equalsIgnoreCase(nameKeys[2]) )
{
field.setHidden(true);
}
}
}
}
}
Object serviceAccSection = form.getSection("gmsa");
String dnsHostNameFieldName = null;
String pAllowedToRetrievPwdFieldName = null;
String pAllowedToDelegate = null;
String managePasswordInterval = null;
for (Object field : serviceAccSection.getFields()) {
String name = field.getName();
if( null != name) {
if( name.contains(":dNSHostName"))
dnsHostNameFieldName = name;
else if( name.contains(":msDS-GroupMSAMembership") )
pAllowedToRetrievPwdFieldName = name;
else if( name.contains(":msDS-AllowedToActOnBehalfOfOtherIdentity") )
pAllowedToDelegate = name;
else if( name.contains(":msDS-ManagedPasswordInterval") )
managePasswordInterval = name;
}
}
if ("msDS-GroupManagedServiceAccount".equalsIgnoreCase(objType))
{
if (null != dnsHostNameFieldName) {
Object dnsHostName = serviceAccSection.getField(dnsHostNameFieldName);
dnsHostName.setRequired(true);
}
}
else if ("msDS-ManagedServiceAccount".equalsIgnoreCase(objType))
{
if (null != dnsHostNameFieldName) {
Object dnsHostName = serviceAccSection.getField(dnsHostNameFieldName);
dnsHostName.setHidden(true);
}
if(null != pAllowedToRetrievPwdFieldName){
Object msDSGroupMSAMembership = serviceAccSection.getField(pAllowedToRetrievPwdFieldName);
msDSGroupMSAMembership.setHidden(true);
}
if(null != pAllowedToDelegate){
Object PrincipalsAllowedToDelegate = serviceAccSection.getField(pAllowedToDelegate);
PrincipalsAllowedToDelegate.setHidden(true);
}
if(null != managePasswordInterval) {
Object ManageIntervalField = serviceAccSection.getField(managePasswordInterval);
ManageIntervalField.setHidden(true);
}
}
}
else {
if (form.getSection("User Details") != null && form.getSection("User Details").getFields() != null ) {
for (Object field : form.getSection("User Details").getFields()) {
String name = field.getName();
if (name != null && name.indexOf(":") > 0 ) {
String[] nameKeys = name.split(":");
if (nameKeys.length > 1 &&
("sAMAccountName".equalsIgnoreCase(nameKeys[2])
|| "password".equalsIgnoreCase(nameKeys[2]))){
field.setRequired(true);
}
}
}
}
if (form.getSection("gmsa") != null) {
form.remove(form.getSection("gmsa"));
}
}
return false;
</Source>
</Script>
</value>
</entry>
</Map>
</Attributes>
</Field>
</Question>
<Question attributeName="sAMAccountName" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_sAMAccountName" helpKey="help_con_prov_policy_ad_sAMAccountName" name="Question:1:sAMAccountName" priority="10" reviewRequired="true" template="Account" type="string" value="Howard.Rose"/>
</Question>
<Question attributeName="password" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_password" helpKey="help_con_prov_policy_ad_password" name="Question:2:password" priority="10" reviewRequired="true" template="Account" type="secret"/>
</Question>
<Question attributeName="pwdLastSet" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_pwdLastSet" helpKey="help_con_prov_policy_ad_pwdLastSet" name="Question:3:pwdLastSet" priority="10" reviewRequired="true" template="Account" type="boolean"/>
</Question>
<Question attributeName="IIQDisabled" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_IIQDisabled" helpKey="help_con_prov_policy_ad_IIQDisabled" name="Question:4:IIQDisabled" priority="10" reviewRequired="true" template="Account" type="boolean">
<Value>
<Boolean></Boolean>
</Value>
</Field>
</Question>
<Question attributeName="primaryGroupDN" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_primaryGroupDN" helpKey="help_con_prov_policy_ad_primaryGroupDN" name="Question:5:primaryGroupDN" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="givenName" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_givenName" helpKey="help_con_prov_policy_ad_givenName" name="Question:6:givenName" priority="10" reviewRequired="true" template="Account" type="string" value="Howard"/>
</Question>
<Question attributeName="sn" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_sn" helpKey="help_con_prov_policy_ad_sn" name="Question:7:sn" priority="10" reviewRequired="true" template="Account" type="string" value="Rose"/>
</Question>
<Question attributeName="description" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_description" helpKey="help_con_prov_policy_ad_description" name="Question:8:description" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="msNPAllowDialin" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_msNPAllowDialin" helpKey="help_con_prov_policy_ad_msNPAllowDialin" name="Question:9:msNPAllowDialin" priority="10" reviewRequired="true" template="Account" type="string" value="Not Set">
<AllowedValuesDefinition>
<Value>
<List>
<String>Not Set</String>
<String>true</String>
<String>false</String>
</List>
</Value>
</AllowedValuesDefinition>
</Field>
</Question>
<Question attributeName="msNPCallingStationID" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_msNPCallingStationID" helpKey="help_con_prov_policy_ad_msNPCallingStationID" multi="true" name="Question:10:msNPCallingStationID" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="msRADIUSCallbackNumber" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_msRADIUSCallbackNumber" helpKey="help_con_prov_policy_ad_msRADIUSCallbackNumber" name="Question:11:msRADIUSCallbackNumber" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="msRADIUSFramedRoute" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_msRADIUSFramedRoute" helpKey="help_con_prov_policy_ad_msRADIUSFramedRoute" multi="true" name="Question:12:msRADIUSFramedRoute" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="msRADIUSFramedIPAddress" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_msRADIUSFramedIPAddress" helpKey="help_con_prov_policy_ad_msRADIUSFramedIPAddress" name="Question:13:msRADIUSFramedIPAddress" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="homeMDB" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_homeMDB" helpKey="help_con_prov_policy_ad_homeMDB" name="Question:14:homeMDB" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="mailNickname" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_mailNickname" helpKey="help_con_prov_policy_ad_mailNickname" name="Question:15:mailNickname" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="shadowAccountDN" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_shadowAccountDN" helpKey="help_con_prov_policy_ad_shadowAccountDN" name="Question:16:shadowAccountDN" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="msExchHideFromAddressLists" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_msExchHideFromAddressLists" helpKey="help_con_prov_policy_ad_msExchHideFromAddressLists" name="Question:17:msExchHideFromAddressLists" priority="10" reviewRequired="true" template="Account" type="boolean"/>
</Question>
<Question attributeName="externalEmailAddress" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_externalEmailAddress" helpKey="help_con_prov_policy_ad_externalEmailAddress" name="Question:18:externalEmailAddress" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="SipAddress" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_SipAddress" helpKey="help_con_prov_policy_ad_SipAddress" name="Question:19:SipAddress" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="SipDomain" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_SipDomain" helpKey="help_con_prov_policy_ad_SipDomain" name="Question:20:SipDomain" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="SipAddressType" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_SipAddressType" helpKey="help_con_prov_policy_ad_SipAddressType" name="Question:21:SipAddressType" priority="10" reviewRequired="true" template="Account" type="string">
<AllowedValuesDefinition>
<Value>
<List>
<String>SamAccountName</String>
<String>FirstLastName</String>
<String>EmailAddress</String>
</List>
</Value>
</AllowedValuesDefinition>
</Field>
</Question>
<Question attributeName="RegistrarPool" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_RegistrarPool" helpKey="help_con_prov_policy_ad_RegistrarPool" name="Question:22:RegistrarPool" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="dNSHostName" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_DNSHostName" helpKey="help_con_prov_policy_ad_DNSHostName" name="Question:23:dNSHostName" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="msDS-SupportedEncryptionTypes" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_msDSSupportedEncryptionTypes" helpKey="help_con_prov_policy_ad_msDSSupportedEncryptionTypes" multi="true" name="Question:24:msDS-SupportedEncryptionTypes" priority="10" reviewRequired="true" template="Account" type="string">
<AllowedValuesDefinition>
<Value>
<List>
<String>DES</String>
<String>RC4</String>
<String>AES128</String>
<String>AES256</String>
</List>
</Value>
</AllowedValuesDefinition>
</Field>
</Question>
<Question attributeName="msDS-ManagedPasswordInterval" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_msDSManagedPasswordInterval" helpKey="help_con_prov_policy_ad_msDSManagedPasswordInterval" name="Question:25:msDS-ManagedPasswordInterval" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="msDS-GroupMSAMembership" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_msDSGroupMSAMembership" helpKey="help_con_prov_policy_ad_msDSGroupMSAMembership" multi="true" name="Question:26:msDS-GroupMSAMembership" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="msDS-AllowedToActOnBehalfOfOtherIdentity" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_msDSAllowedToActOnBehalfOfOtherIdentity" helpKey="help_con_prov_policy_ad_msDSAllowedToActOnBehalfOfOtherIdentity" multi="true" name="Question:27:msDS-AllowedToActOnBehalfOfOtherIdentity" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
<Question attributeName="servicePrincipalName" shown="true" source="Active Directory" target="Howard.Rose" type="Application">
<Field application="Active Directory" displayName="con_prov_policy_ad_ServicePrincipalNames" helpKey="help_con_prov_policy_ad_ServicePrincipalNames" multi="true" name="Question:28:servicePrincipalName" priority="10" reviewRequired="true" template="Account" type="string"/>
</Question>
</QuestionHistory>
</ProvisioningProject>
</value>
</entry>
<entry key="taskResultId" value="0a00004693d516aa8193d583193c000a"/>
</Map>
</Attributes>
<RequestItems>
<IdentityRequestItem application="Active Directory" approvalState="Pending" created="1734453959278" id="0a00004693d516aa8193d5831a6e000c" modified="1734454030387" name="sAMAccountName" nativeIdentity="Howard.Rose" operation="Set" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030387" value="Howard.Rose">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="managedAttributeType" value="Entitlement"/>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="35aa55097a0d48fe837cc999eafa8667">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="sAMAccountName" op="Set" trackingId="35aa55097a0d48fe837cc999eafa8667" value="Howard.Rose"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
<IdentityRequestItem application="Active Directory" approvalState="Pending" created="1734453959285" id="0a00004693d516aa8193d5831a75000d" modified="1734454030388" name="userPrincipalName" nativeIdentity="Howard.Rose" operation="Set" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030388" value="[email protected]">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="managedAttributeType" value="Entitlement"/>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="011574f634454743bc5f3613b53eeb87">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="userPrincipalName" op="Set" trackingId="011574f634454743bc5f3613b53eeb87" value="[email protected]"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
<IdentityRequestItem application="Active Directory" approvalState="Pending" created="1734453959293" id="0a00004693d516aa8193d5831a7c000e" modified="1734454030388" name="givenName" nativeIdentity="Howard.Rose" operation="Set" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030388" value="Howard">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="managedAttributeType" value="Entitlement"/>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="7519824de16145a290d5e67ac2a26d49">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="givenName" op="Set" trackingId="7519824de16145a290d5e67ac2a26d49" value="Howard"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
<IdentityRequestItem application="Active Directory" approvalState="Pending" created="1734453959299" id="0a00004693d516aa8193d5831a83000f" modified="1734454030388" name="sn" nativeIdentity="Howard.Rose" operation="Set" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030388" value="Rose">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="managedAttributeType" value="Entitlement"/>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="9135df3271da46478144512d67ad3267">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="sn" op="Set" trackingId="9135df3271da46478144512d67ad3267" value="Rose"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
<IdentityRequestItem application="Active Directory" approvalState="Pending" created="1734453959304" id="0a00004693d516aa8193d5831a870010" modified="1734454030389" name="displayName" nativeIdentity="Howard.Rose" operation="Set" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030389" value="Howard.Rose">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="managedAttributeType" value="Entitlement"/>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="5f4c5e475971483fa4331002a284748c">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="displayName" op="Set" trackingId="5f4c5e475971483fa4331002a284748c" value="Howard.Rose"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
<IdentityRequestItem application="Active Directory" approvalState="Pending" created="1734453959312" id="0a00004693d516aa8193d5831a8b0011" modified="1734454030389" name="mail" nativeIdentity="Howard.Rose" operation="Set" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030389" value="[email protected]">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="managedAttributeType" value="Entitlement"/>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="09e0e38e84244d42b760bbb28678dc94">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="mail" op="Set" trackingId="09e0e38e84244d42b760bbb28678dc94" value="[email protected]"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
<IdentityRequestItem application="Active Directory" approvalState="Pending" created="1734453959317" id="0a00004693d516aa8193d5831a950012" modified="1734454030390" name="distinguishedName" nativeIdentity="Howard.Rose" operation="Set" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030390" value="CN=Howard Rose,OU=Users,DC=RGLab,DC=local">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="managedAttributeType" value="Entitlement"/>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="7f37d9852ed747a995f2ba02f9ad1060">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="distinguishedName" op="Set" trackingId="7f37d9852ed747a995f2ba02f9ad1060" value="CN=Howard Rose,OU=Users,DC=RGLab,DC=local"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
<IdentityRequestItem application="Active Directory" created="1734453959321" id="0a00004693d516aa8193d5831a980013" modified="1734454030390" nativeIdentity="Howard.Rose" operation="Create" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030390">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="2f8ff80237714469879b63adf2e66cc0">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
<IdentityRequestItem application="Active Directory" approvalState="Finished" compilationStatus="Expansion" created="1734454029146" expansionCause="ProvisioningPolicy" id="0a00004693d5190f8193d5842b5a0233" modified="1734454030390" name="objectType" nativeIdentity="Howard.Rose" operation="Set" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030390" value="User">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="expansionInfo" value="Active Directory"/>
<entry key="managedAttributeType" value="Entitlement"/>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="af8c09a363c24e5384ea66b131aa9432">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="objectType" op="Set" trackingId="af8c09a363c24e5384ea66b131aa9432" value="User"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
<IdentityRequestItem application="Active Directory" approvalState="Finished" compilationStatus="Expansion" created="1734454029154" id="0a00004693d5190f8193d5842b620234" modified="1734454030390" name="IIQDisabled" nativeIdentity="Howard.Rose" operation="Set" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030390" value="false">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="managedAttributeType" value="Entitlement"/>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="fe4cf8104b62422086346e8fc8f1941a">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="IIQDisabled" op="Set" trackingId="fe4cf8104b62422086346e8fc8f1941a" value="false"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
<IdentityRequestItem application="Active Directory" approvalState="Finished" compilationStatus="Expansion" created="1734454029163" expansionCause="ProvisioningPolicy" id="0a00004693d5190f8193d5842b6a0235" modified="1734454030390" name="msNPAllowDialin" nativeIdentity="Howard.Rose" operation="Set" provisioningEngine="Active Directory" provisioningState="Failed" significantModified="1734454030390" value="Not Set">
<Attributes>
<Map>
<entry key="errors">
<value>
<List>
<Message key="Exception occurred while executing the RPCRequest: Errors returned from IQService. &quot;Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.RoseAttribute DistinguishedNamedoes not contain expected character ,. Value supplied : Howard.Rose. HRESULT:[0x80131500]&quot;" type="Error"/>
</List>
</value>
</entry>
<entry key="expansionInfo" value="Active Directory"/>
<entry key="managedAttributeType" value="Entitlement"/>
<entry key="provisioningPlan">
<value>
<ProvisioningPlan trackingId="304561fc52134217b12b2c8cabcc0f5d">
<AccountRequest application="Active Directory" nativeIdentity="Howard.Rose" op="Create">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="0a00004693d5190f8193d5842ed70238"/>
</Map>
</Attributes>
<AttributeRequest name="msNPAllowDialin" op="Set" trackingId="304561fc52134217b12b2c8cabcc0f5d" value="Not Set"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</value>
</entry>
</Map>
</Attributes>
</IdentityRequestItem>
</RequestItems>
</IdentityRequest>
AD App Definition:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Application PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Application connector="sailpoint.connector.ADLDAPConnector" created="1713113131040" featuresString="PROVISIONING, SYNC_PROVISIONING, AUTHENTICATE, MANAGER_LOOKUP, SEARCH, UNSTRUCTURED_TARGETS, UNLOCK, ENABLE, PASSWORD, CURRENT_PASSWORD, ACCOUNT_ONLY_REQUEST, ADDITIONAL_ACCOUNT_REQUEST" icon="directory1Icon" id="c0a801c78edd17ba818edd7fe8160202" modified="1734451559692" name="Active Directory" profileClass="" significantModified="1734451559692" type="Active Directory - Direct">
<Attributes>
<Map>
<entry key="ADAppVersion" value="V2"/>
<entry key="IQServiceConfiguration">
<value>
<List>
<Map>
<entry key="IQServiceHost" value="10.0.0.69"/>
<entry key="IQServicePassword"/>
<entry key="IQServicePort" value="5050"/>
<entry key="IQServiceUser"/>
<entry key="useTLSForIQService">
<value>
<Boolean></Boolean>
</value>
</entry>
</Map>
</List>
</value>
</entry>
<entry key="acctAggregationEnd">
<value>
<Date>1713411451729</Date>
</value>
</entry>
<entry key="acctAggregationStart">
<value>
<Date>1713411451189</Date>
</value>
</entry>
<entry key="afterProvisioningRule"/>
<entry key="aggregationPartitioned">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="aggregationType" value="account"/>
<entry key="allowAutoPartitioning">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="appId">
<value>
<Integer>0</Integer>
</value>
</entry>
<entry key="authSearchAttributes">
<value>
<List>
<String>sAMAccountName</String>
<String>msDS-PrincipalName</String>
<String>mail</String>
</List>
</value>
</entry>
<entry key="autoPartitionCount" value="256"/>
<entry key="beforeProvisioningRule"/>
<entry key="cacheRemoteObjectPort" value="40002"/>
<entry key="cacheRmiPort" value="40001"/>
<entry key="compositeDefinition"/>
<entry key="deletedObjectsContainer" value="CN=Deleted Objects,DOMAIN"/>
<entry key="deltaAggregation">
<value>
<Map>
<entry key="dc=rglab,dc=local">
<value>
<Map>
<entry key="groups_cookie" value="TVNEUwMAAAAIjjs0QZHaAQAAAAAAAAAAKAAAACZgAAAAAAAAAAAAAAAAAAAmYAAAAAAAAMreXdtb
aVRInLQRLZTVuMUBAAAAAAAAAAEAAAAAAAAAyt5d21tpVEictBEtlNW4xRWAAAAAAAAA"/>
<entry key="lastDirsyncServer" value="rglab.local"/>
<entry key="users_cookie" value="TVNEUwMAAAA6PCarQZHaAQAAAAAAAAAAKAAAAAQxAAAAAAAAAAAAAAAAAAAEMQAAAAAAAMreXdtb
aVRInLQRLZTVuMUBAAAAAAAAAAEAAAAAAAAAyt5d21tpVEictBEtlNW4xRWAAAAAAAAA"/>
</Map>
</value>
</entry>
</Map>
</value>
</entry>
<entry key="deltaIterationMode" value="dirSync"/>
<entry key="disableComputePreloading">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="disableFspAggregation">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="displayAttributeForContacts" value="cn"/>
<entry key="domainSettings">
<value>
<List>
<Map>
<entry key="authenticationType" value="simple"/>
<entry key="authorizationType" value="simple"/>
<entry key="domainDN" value="DC=RGlab,DC=local"/>
<entry key="domainIterateSearchFilter"/>
<entry key="domainNetBiosName"/>
<entry key="forestName" value="10.0.0.69"/>
<entry key="password" value="1:ACP:fMMtpNtrHNo39BkAlZIbYdj0dmeU2J6DVJPIoKRybiY="/>
<entry key="port" value="389"/>
<entry key="servers"/>
<entry key="useSSL">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="user" value="RGLab\Administrator"/>
</Map>
</List>
</value>
</entry>
<entry key="enableCache">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="encrypted" value="domainSettings.password,forestSettings.password,exchangeSettings.password,IQServiceConfiguration.IQServicePassword"/>
<entry key="forestSettings">
<value>
<List>
<Map>
<entry key="authenticationType" value="simple"/>
<entry key="authorizationType" value="simple"/>
<entry key="forestName" value="10.0.0.69"/>
<entry key="gcServer" value="10.0.0.69:3268"/>
<entry key="isResourceForest">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="manageAllDomains">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="password" value="1:ACP:d3YdvMZEg0qTYwMXZFZyIrau+WS+eH8ebn3kEJP+tpI="/>
<entry key="useGroupMembershipPreloading"/>
<entry key="useSSL">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="user" value="RGLab\Administrator"/>
</Map>
</List>
</value>
</entry>
<entry key="groupProvisioning">
<value>
<Boolean>true</Boolean>
</value>
</entry>
<entry key="ldapExtendedControls">
<value>
<List>
<String>1.2.840.113556.1.4.1339</String>
</List>
</value>
</entry>
<entry key="lyncAttributes" value="RegistrarPool,SipAddressType,SipAddress,SipDomain,msRTCSIP-UserEnabled"/>
<entry key="manageLync">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="manageRecycleBin">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="nativeChangeDetectionAttributeScope" value="entitlements"/>
<entry key="nativeChangeDetectionAttributes"/>
<entry key="nativeChangeDetectionEnabled">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="nativeChangeDetectionOperations"/>
<entry key="noGroupPermissions">
<value>
<Map>
<entry key="group">
<value>
<Boolean></Boolean>
</value>
</entry>
</Map>
</value>
</entry>
<entry key="noPermissions" value="false"/>
<entry key="operations" value="Create, Modify, Delete, Enable, Disable, Unlock, SetPassword"/>
<entry key="pageSize" value="100"/>
<entry key="schemaProvisioningMap">
<value>
<Map>
<entry key="group">
<value>
<Boolean>true</Boolean>
</value>
</entry>
</Map>
</value>
</entry>
<entry key="searchDNs">
<value>
<List>
<Map>
<entry key="groupMemberFilterString"/>
<entry key="groupMembershipSearchDN"/>
<entry key="iterateSearchFilter"/>
<entry key="primaryGroupSearchDN"/>
<entry key="searchDN" value="DC=RGlab, DC=local"/>
<entry key="searchScope" value="SUBTREE"/>
</Map>
</List>
</value>
</entry>
<entry key="soxApplication">
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key="sysDescriptions">
<value>
<Map>
<entry key="en_US"/>
</Map>
</value>
</entry>
<entry key="templateApplication" value="Active Directory Template"/>
<entry key="useSSL" value="false"/>
</Map>
</Attributes>
<Owner>
<Reference class="sailpoint.object.Identity" id="c0a801be8e161c14818e162d805000ff" name="spadmin"/>
</Owner>
<ProvisioningForms>
<Form name="Account" objectType="account" type="Create">
<Attributes>
<Map>
<entry key="pageTitle" value="Account"/>
</Map>
</Attributes>
<Section label="Account" name="Account">
<Field displayName="con_prov_policy_ad_objecttype" name="objectType" postBack="true" reviewRequired="true" section="Account" type="string" value="User">
<AllowedValuesDefinition>
<Value>
<List>
<String>User</String>
<String>Contact</String>
<String>msDS-GroupManagedServiceAccount</String>
<String>msDS-ManagedServiceAccount</String>
</List>
</Value>
</AllowedValuesDefinition>
<Attributes>
<Map>
<entry key="hidden">
<value>
<Script>
<Source>
Object objType = field.getValue();
if ("contact".equalsIgnoreCase(objType)) {
if (form.getSection("Dial-in") != null) {
form.remove(form.getSection("Dial-in"));
}
if (form.getSection("User Details") != null) {
form.remove(form.getSection("User Details"));
}
if (form.getSection("Skype for Business") != null) {
form.remove(form.getSection("Skype for Business"));
}
if (form.getSection("gmsa") != null) {
form.remove(form.getSection("gmsa"));
}
if (form.getSection("Exchange") != null &amp;&amp; form.getSection("Exchange").getFields() != null ) {
for (Object field : form.getSection("Exchange").getFields()) {
String name = field.getName();
if (name != null &amp;&amp; name.indexOf(":") > 0 ) {
String[] nameKeys = name.split(":");
if (nameKeys.length > 1 &amp;&amp;
"homeMDB".equalsIgnoreCase(nameKeys[2])){
field.setHidden(true);
}
}
}
}
}
else if ("msDS-GroupManagedServiceAccount".equalsIgnoreCase(objType)
|| "msDS-ManagedServiceAccount".equalsIgnoreCase(objType)) {
if (form.getSection("Dial-in") != null) {
form.remove(form.getSection("Dial-in"));
}
if (form.getSection("Skype for Business") != null) {
form.remove(form.getSection("Skype for Business"));
}
if (form.getSection("Exchange") != null) {
form.remove(form.getSection("Exchange"));
}
if (form.getSection("gmsa") != null) {
form.getSection("gmsa").setLabel("Service Account");
}
if (form.getSection("User Details") != null &amp;&amp; form.getSection("User Details").getFields() != null ) {
for (Object field : form.getSection("User Details").getFields()) {
String name = field.getName();
if (name != null &amp;&amp; name.indexOf(":") > 0 ) {
String[] nameKeys = name.split(":");
if (nameKeys.length > 1) {
if("password".equalsIgnoreCase(nameKeys[2])
|| "pwdLastSet".equalsIgnoreCase(nameKeys[2])
|| "primaryGroupDN".equalsIgnoreCase(nameKeys[2]) )
{
field.setHidden(true);
}
}
}
}
}
Object serviceAccSection = form.getSection("gmsa");
String dnsHostNameFieldName = null;
String pAllowedToRetrievPwdFieldName = null;
String pAllowedToDelegate = null;
String managePasswordInterval = null;
for (Object field : serviceAccSection.getFields()) {
String name = field.getName();
if( null != name) {
if( name.contains(":dNSHostName"))
dnsHostNameFieldName = name;
else if( name.contains(":msDS-GroupMSAMembership") )
pAllowedToRetrievPwdFieldName = name;
else if( name.contains(":msDS-AllowedToActOnBehalfOfOtherIdentity") )
pAllowedToDelegate = name;
else if( name.contains(":msDS-ManagedPasswordInterval") )
managePasswordInterval = name;
}
}
if ("msDS-GroupManagedServiceAccount".equalsIgnoreCase(objType))
{
if (null != dnsHostNameFieldName) {
Object dnsHostName = serviceAccSection.getField(dnsHostNameFieldName);
dnsHostName.setRequired(true);
}
}
else if ("msDS-ManagedServiceAccount".equalsIgnoreCase(objType))
{
if (null != dnsHostNameFieldName) {
Object dnsHostName = serviceAccSection.getField(dnsHostNameFieldName);
dnsHostName.setHidden(true);
}
if(null != pAllowedToRetrievPwdFieldName){
Object msDSGroupMSAMembership = serviceAccSection.getField(pAllowedToRetrievPwdFieldName);
msDSGroupMSAMembership.setHidden(true);
}
if(null != pAllowedToDelegate){
Object PrincipalsAllowedToDelegate = serviceAccSection.getField(pAllowedToDelegate);
PrincipalsAllowedToDelegate.setHidden(true);
}
if(null != managePasswordInterval) {
Object ManageIntervalField = serviceAccSection.getField(managePasswordInterval);
ManageIntervalField.setHidden(true);
}
}
}
else {
if (form.getSection("User Details") != null &amp;&amp; form.getSection("User Details").getFields() != null ) {
for (Object field : form.getSection("User Details").getFields()) {
String name = field.getName();
if (name != null &amp;&amp; name.indexOf(":") > 0 ) {
String[] nameKeys = name.split(":");
if (nameKeys.length > 1 &amp;&amp;
("sAMAccountName".equalsIgnoreCase(nameKeys[2])
|| "password".equalsIgnoreCase(nameKeys[2]))){
field.setRequired(true);
}
}
}
}
if (form.getSection("gmsa") != null) {
form.remove(form.getSection("gmsa"));
}
}
return false;
</Source>
</Script>
</value>
</entry>
</Map>
</Attributes>
</Field>
<Field displayName="con_prov_policy_ad_distinguishedName" helpKey="help_con_prov_policy_ad_distinguishedName" name="distinguishedName" required="true" section="Account" type="string"/>
</Section>
<Section label="User Details" name="User Details">
<Field displayName="con_prov_policy_ad_sAMAccountName" helpKey="help_con_prov_policy_ad_sAMAccountName" name="sAMAccountName" reviewRequired="true" section="User Details" type="string"/>
<Field displayName="con_prov_policy_ad_password" helpKey="help_con_prov_policy_ad_password" name="password" reviewRequired="true" section="User Details" type="secret"/>
<Field displayName="con_prov_policy_ad_pwdLastSet" helpKey="help_con_prov_policy_ad_pwdLastSet" name="pwdLastSet" reviewRequired="true" section="User Details" type="boolean"/>
<Field displayName="con_prov_policy_ad_IIQDisabled" helpKey="help_con_prov_policy_ad_IIQDisabled" name="IIQDisabled" reviewRequired="true" section="User Details" type="boolean" value="false"/>
<Field displayName="con_prov_policy_ad_primaryGroupDN" helpKey="help_con_prov_policy_ad_primaryGroupDN" name="primaryGroupDN" reviewRequired="true" section="User Details" type="string"/>
</Section>
<Section label="General" name="General">
<Field displayName="con_prov_policy_ad_givenName" helpKey="help_con_prov_policy_ad_givenName" name="givenName" reviewRequired="true" section="General" type="string"/>
<Field displayName="con_prov_policy_ad_sn" helpKey="help_con_prov_policy_ad_sn" name="sn" reviewRequired="true" section="General" type="string"/>
<Field displayName="con_prov_policy_ad_description" helpKey="help_con_prov_policy_ad_description" name="description" reviewRequired="true" section="General" type="string"/>
</Section>
<Section label="Dial-in" name="Dial-in">
<Field displayName="con_prov_policy_ad_msNPAllowDialin" helpKey="help_con_prov_policy_ad_msNPAllowDialin" name="msNPAllowDialin" reviewRequired="true" section="Dial-in" type="string" value="Not Set">
<AllowedValuesDefinition>
<Value>
<List>
<String>Not Set</String>
<String>true</String>
<String>false</String>
</List>
</Value>
</AllowedValuesDefinition>
</Field>
<Field displayName="con_prov_policy_ad_msNPCallingStationID" helpKey="help_con_prov_policy_ad_msNPCallingStationID" multi="true" name="msNPCallingStationID" reviewRequired="true" section="Dial-in" type="string"/>
<Field displayName="con_prov_policy_ad_msRADIUSCallbackNumber" helpKey="help_con_prov_policy_ad_msRADIUSCallbackNumber" name="msRADIUSCallbackNumber" reviewRequired="true" section="Dial-in" type="string"/>
<Field displayName="con_prov_policy_ad_msRADIUSFramedRoute" helpKey="help_con_prov_policy_ad_msRADIUSFramedRoute" multi="true" name="msRADIUSFramedRoute" reviewRequired="true" section="Dial-in" type="string"/>
<Field displayName="con_prov_policy_ad_msRADIUSFramedIPAddress" helpKey="help_con_prov_policy_ad_msRADIUSFramedIPAddress" name="msRADIUSFramedIPAddress" reviewRequired="true" section="Dial-in" type="string"/>
</Section>
<Section label="Exchange" name="Exchange">
<Field displayName="con_prov_policy_ad_homeMDB" helpKey="help_con_prov_policy_ad_homeMDB" name="homeMDB" reviewRequired="true" section="Exchange" type="string"/>
<Field displayName="con_prov_policy_ad_mailNickname" helpKey="help_con_prov_policy_ad_mailNickname" name="mailNickname" reviewRequired="true" section="Exchange" type="string"/>
<Field displayName="con_prov_policy_ad_shadowAccountDN" helpKey="help_con_prov_policy_ad_shadowAccountDN" name="shadowAccountDN" reviewRequired="true" section="Exchange" type="string"/>
<Field displayName="con_prov_policy_ad_msExchHideFromAddressLists" helpKey="help_con_prov_policy_ad_msExchHideFromAddressLists" name="msExchHideFromAddressLists" reviewRequired="true" section="Exchange" type="boolean"/>
<Field displayName="con_prov_policy_ad_externalEmailAddress" helpKey="help_con_prov_policy_ad_externalEmailAddress" name="externalEmailAddress" reviewRequired="true" section="Exchange" type="string"/>
</Section>
<Section label="Skype for Business" name="Skype for Business">
<Field displayName="con_prov_policy_ad_SipAddress" helpKey="help_con_prov_policy_ad_SipAddress" name="SipAddress" reviewRequired="true" section="Skype for Business" type="string"/>
<Field displayName="con_prov_policy_ad_SipDomain" helpKey="help_con_prov_policy_ad_SipDomain" name="SipDomain" reviewRequired="true" section="Skype for Business" type="string"/>
<Field displayName="con_prov_policy_ad_SipAddressType" helpKey="help_con_prov_policy_ad_SipAddressType" name="SipAddressType" reviewRequired="true" section="Skype for Business" type="string">
<AllowedValuesDefinition>
<Value>
<List>
<String>SamAccountName</String>
<String>FirstLastName</String>
<String>EmailAddress</String>
</List>
</Value>
</AllowedValuesDefinition>
</Field>
<Field displayName="con_prov_policy_ad_RegistrarPool" helpKey="help_con_prov_policy_ad_RegistrarPool" name="RegistrarPool" reviewRequired="true" section="Skype for Business" type="string"/>
</Section>
<Section label="gmsa" name="gmsa">
<Field displayName="con_prov_policy_ad_DNSHostName" helpKey="help_con_prov_policy_ad_DNSHostName" name="dNSHostName" reviewRequired="true" section="gmsa" type="string"/>
<Field displayName="con_prov_policy_ad_msDSSupportedEncryptionTypes" helpKey="help_con_prov_policy_ad_msDSSupportedEncryptionTypes" multi="true" name="msDS-SupportedEncryptionTypes" reviewRequired="true" section="gmsa" type="string">
<AllowedValuesDefinition>
<Value>
<List>
<String>DES</String>
<String>RC4</String>
<String>AES128</String>
<String>AES256</String>
</List>
</Value>
</AllowedValuesDefinition>
</Field>
<Field displayName="con_prov_policy_ad_msDSManagedPasswordInterval" helpKey="help_con_prov_policy_ad_msDSManagedPasswordInterval" name="msDS-ManagedPasswordInterval" reviewRequired="true" section="gmsa" type="string"/>
<Field displayName="con_prov_policy_ad_msDSGroupMSAMembership" helpKey="help_con_prov_policy_ad_msDSGroupMSAMembership" multi="true" name="msDS-GroupMSAMembership" reviewRequired="true" section="gmsa" type="string"/>
<Field displayName="con_prov_policy_ad_msDSAllowedToActOnBehalfOfOtherIdentity" helpKey="help_con_prov_policy_ad_msDSAllowedToActOnBehalfOfOtherIdentity" multi="true" name="msDS-AllowedToActOnBehalfOfOtherIdentity" reviewRequired="true" section="gmsa" type="string"/>
<Field displayName="con_prov_policy_ad_ServicePrincipalNames" helpKey="help_con_prov_policy_ad_ServicePrincipalNames" multi="true" name="servicePrincipalName" reviewRequired="true" section="gmsa" type="string"/>
</Section>
</Form>
<Form name="Create Group" objectType="group" type="Create">
<Attributes>
<Map>
<entry key="pageTitle" value="Create Group"/>
</Map>
</Attributes>
<Section>
<Field displayName="con_prov_policy_ad_distinguishedName_group" helpKey="help_con_prov_policy_ad_group_distinguishedName" name="distinguishedName" required="true" type="string"/>
<Field displayName="con_prov_policy_ad_sAMAccountName" helpKey="help_con_prov_policy_ad_group_sAMAccountName" name="sAMAccountName" required="true" type="string"/>
</Section>
</Form>
<Form name="Update Group" objectType="group" type="Update">
<Attributes>
<Map>
<entry key="pageTitle" value="Update Group"/>
</Map>
</Attributes>
<Section>
<Field displayName="con_prov_policy_ad_GroupType" helpKey="help_con_prov_policy_ad_GroupType" name="GroupType" reviewRequired="true" type="string" value="Security">
<AllowedValuesDefinition>
<Value>
<List>
<String>Security</String>
<String>Distribution</String>
</List>
</Value>
</AllowedValuesDefinition>
</Field>
<Field displayName="con_prov_policy_ad_GroupScope" helpKey="help_con_prov_policy_ad_GroupScope" name="GroupScope" reviewRequired="true" type="string" value="Global">
<AllowedValuesDefinition>
<Value>
<List>
<String>Domain local</String>
<String>Global</String>
<String>Universal</String>
</List>
</Value>
</AllowedValuesDefinition>
</Field>
<Field displayName="con_prov_policy_ad_description" helpKey="help_con_prov_policy_ad_group_description" name="description" reviewRequired="true" type="string"/>
<Field displayName="con_prov_policy_ad_mailNickname" helpKey="help_con_prov_policy_ad_group_mailNickname" name="mailNickname" reviewRequired="true" type="string"/>
</Section>
</Form>
</ProvisioningForms>
<Schemas>
<Schema created="1713113131054" displayAttribute="msDS-PrincipalName" id="c0a801c78edd17ba818edd7fe82b0204" identityAttribute="distinguishedName" instanceAttribute="" modified="1734451559698" nativeObjectType="User" objectType="account" significantModified="1734451559698">
<AttributeDefinition name="businessCategory" type="string">
<Description>business category</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="carLicense" type="string">
<Description>vehicle license or registration plate</Description>
</AttributeDefinition>
<AttributeDefinition name="cn" type="string">
<Description>common name(s) for which the entity is known by</Description>
</AttributeDefinition>
<AttributeDefinition name="departmentNumber" type="string">
<Description>identifies a department within an organization</Description>
</AttributeDefinition>
<AttributeDefinition name="description" type="string">
<Description>descriptive information</Description>
</AttributeDefinition>
<AttributeDefinition name="destinationIndicator" type="string">
<Description>destination indicator</Description>
</AttributeDefinition>
<AttributeDefinition name="displayName" type="string">
<Description>preferred name to be used when displaying entries</Description>
</AttributeDefinition>
<AttributeDefinition name="distinguishedName" type="string">
<Description>distinguished name for which the entity is known by</Description>
</AttributeDefinition>
<AttributeDefinition name="employeeNumber" type="string">
<Description>numerically identifies an employee within an organization</Description>
</AttributeDefinition>
<AttributeDefinition name="employeeType" type="string">
<Description>type of employment for a person</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="facsimileTelephoneNumber" type="string">
<Description>Facsimile (Fax) Telephone Number</Description>
</AttributeDefinition>
<AttributeDefinition name="givenName" type="string">
<Description>first name(s) for which the entity is known by</Description>
</AttributeDefinition>
<AttributeDefinition name="homePhone" type="string">
<Description>home telephone number</Description>
</AttributeDefinition>
<AttributeDefinition name="homePostalAddress" type="string">
<Description>home postal address</Description>
</AttributeDefinition>
<AttributeDefinition name="initials" type="string">
<Description>initials of some or all of names, but not the surname(s).</Description>
</AttributeDefinition>
<AttributeDefinition name="internationalISDNNumber" type="string">
<Description>international ISDN number</Description>
</AttributeDefinition>
<AttributeDefinition name="l" type="string">
<Description>city</Description>
</AttributeDefinition>
<AttributeDefinition name="mail" type="string">
<Description>RFC822 Mailbox</Description>
</AttributeDefinition>
<AttributeDefinition name="manager" type="string">
<Description>DN of manager</Description>
</AttributeDefinition>
<AttributeDefinition name="mobile" type="string">
<Description>mobile telephone number</Description>
</AttributeDefinition>
<AttributeDefinition name="o" type="string">
<Description>organization this object belongs to</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="ou" type="string">
<Description>organizational unit this object belongs to</Description>
</AttributeDefinition>
<AttributeDefinition name="pager" type="string">
<Description>pager telephone number</Description>
</AttributeDefinition>
<AttributeDefinition name="physicalDeliveryOfficeName" type="string">
<Description>Physical Delivery Office Name</Description>
</AttributeDefinition>
<AttributeDefinition name="postOfficeBox" type="string">
<Description>Post Office Box</Description>
</AttributeDefinition>
<AttributeDefinition name="postalAddress" type="string">
<Description>postal address</Description>
</AttributeDefinition>
<AttributeDefinition name="postalCode" type="string">
<Description>postal code</Description>
</AttributeDefinition>
<AttributeDefinition name="preferredDeliveryMethod" type="string">
<Description>preferred delivery method</Description>
</AttributeDefinition>
<AttributeDefinition name="preferredLanguage" type="string">
<Description>preferred written or spoken language for a person</Description>
</AttributeDefinition>
<AttributeDefinition name="registeredAddress" type="string">
<Description>registered postal address</Description>
</AttributeDefinition>
<AttributeDefinition name="roomNumber" type="string">
<Description>room number</Description>
</AttributeDefinition>
<AttributeDefinition name="secretary" type="string">
<Description>DN of secretary</Description>
</AttributeDefinition>
<AttributeDefinition name="seeAlso" type="string">
<Description>DN of related object</Description>
</AttributeDefinition>
<AttributeDefinition name="sn" type="string">
<Description>last (family) name(s) for which the entity is known by</Description>
</AttributeDefinition>
<AttributeDefinition name="st" type="string">
<Description>state or province which this object resides in</Description>
</AttributeDefinition>
<AttributeDefinition name="street" type="string">
<Description>street of this object</Description>
</AttributeDefinition>
<AttributeDefinition name="streetAddress" type="string">
<Description>street address of this object</Description>
</AttributeDefinition>
<AttributeDefinition name="telephoneNumber" type="string">
<Description>Telephone Number</Description>
</AttributeDefinition>
<AttributeDefinition name="teletexTerminalIdentifier" type="string">
<Description>Teletex Terminal Identifier</Description>
</AttributeDefinition>
<AttributeDefinition name="telexNumber" type="string">
<Description>Telex Number</Description>
</AttributeDefinition>
<AttributeDefinition name="title" type="string">
<Description>title associated with the entity</Description>
</AttributeDefinition>
<AttributeDefinition name="uid" type="string">
<Description>user identifier</Description>
</AttributeDefinition>
<AttributeDefinition name="userPrincipalName" type="string">
<Description>user principal name</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="objectClass" type="string">
<Description>object classes of the entity</Description>
</AttributeDefinition>
<AttributeDefinition entitlement="true" managed="true" multi="true" name="memberOf" schemaObjectType="group" type="string">
<Description>Group Membership</Description>
</AttributeDefinition>
<AttributeDefinition name="objectSid" type="string">
<Description>Windows Security Identifier</Description>
</AttributeDefinition>
<AttributeDefinition name="objectguid" type="string">
<Description>Object globally unique identifier </Description>
</AttributeDefinition>
<AttributeDefinition name="objectType" type="string">
<Description>Type of Active Directory object</Description>
</AttributeDefinition>
<AttributeDefinition name="sAMAccountName" type="string">
<Description>sAMAccountName</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="accountFlags" type="string">
<Description>List of the flags enabled on an account</Description>
</AttributeDefinition>
<AttributeDefinition name="department" type="string">
<Description>User's department</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="msNPCallingStationID" type="string">
<Description>CallingStationID</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="msRADIUSFramedRoute" type="string">
<Description>Static Routes for Dial-In connection</Description>
</AttributeDefinition>
<AttributeDefinition name="msNPAllowDialin" type="string">
<Description>Is dial-in allowed</Description>
</AttributeDefinition>
<AttributeDefinition name="msRADIUSCallbackNumber" type="string">
<Description>Callback Number</Description>
</AttributeDefinition>
<AttributeDefinition name="msRADIUSFramedIPAddress" type="string">
<Description>Define Static IP Address</Description>
</AttributeDefinition>
<AttributeDefinition internalName="targetAddress" name="externalEmailAddress" type="string">
<Description>External email address of Mail User</Description>
</AttributeDefinition>
<AttributeDefinition name="mailNickname" type="string">
<Description>Exchange Alias</Description>
</AttributeDefinition>
<AttributeDefinition name="homeMDB" type="string">
<Description>Exchange Database</Description>
</AttributeDefinition>
<AttributeDefinition name="msExchHideFromAddressLists" type="string">
<Description>Hide from Exchange address lists</Description>
</AttributeDefinition>
<AttributeDefinition name="msRTCSIP-UserEnabled" type="boolean">
<Description>User enabled for Skype for Business Server</Description>
</AttributeDefinition>
<AttributeDefinition name="SipAddress" type="string">
<Description>Skype for Business sipAddress</Description>
</AttributeDefinition>
<AttributeDefinition name="RegistrarPool" type="string">
<Description>Skype for Business Registrar pool</Description>
</AttributeDefinition>
<AttributeDefinition name="LyncPinSet" type="string">
<Description>Skype for Business user pin set status</Description>
</AttributeDefinition>
<AttributeDefinition name="LyncPinLockedOut" type="string">
<Description>Skype for Business user pin lock status</Description>
</AttributeDefinition>
<AttributeDefinition name="DialPlan" type="string">
<Description>Skype for Business user dial plan name</Description>
</AttributeDefinition>
<AttributeDefinition name="dNSHostName" type="string">
<Description>Fully Qualified Domain Name for the Service Account</Description>
</AttributeDefinition>
<AttributeDefinition name="msDS-ManagedPasswordInterval" type="string">
<Description>Password change interval in days for the Managed Service Account</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="msDS-SupportedEncryptionTypes" type="string">
<Description>Supported Encryption Types for the Managed Service Account</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="msDS-GroupMSAMembership" type="string">
<Description>Principals allowed to use Group Managed Service Account</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="msDS-AllowedToActOnBehalfOfOtherIdentity" type="string">
<Description>Principals that can act on the behalf of Group Managed Service Account</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="servicePrincipalName" type="string">
<Description>Service principal names for the Service Account</Description>
</AttributeDefinition>
<AttributeDefinition name="shadowAccountDN" type="string">
<Description>DistinguishedName of the Linked Mailbox shadow account</Description>
</AttributeDefinition>
<AttributeDefinition name="shadowAccountGuid" type="string">
<Description>ObjectGuid of the Linked Mailbox shadow account</Description>
</AttributeDefinition>
<AttributeDefinition name="msExchRecipientTypeDetails" type="string">
<Description>Type of the Microsoft Exchange recipient object</Description>
</AttributeDefinition>
<AttributeDefinition name="msDS-PrincipalName" type="string">
<Description>Name of the entity in the format "NetBIOS domain name\sAMAccountName"</Description>
</AttributeDefinition>
</Schema>
<Schema created="1713113131060" descriptionAttribute="" displayAttribute="msDS-PrincipalName" featuresString="PROVISIONING, GROUPS_HAVE_MEMBERS" hierarchyAttribute="memberOf" id="c0a801c78edd17ba818edd7fe8310205" identityAttribute="distinguishedName" instanceAttribute="" modified="1734451559698" nativeObjectType="Group" objectType="group" significantModified="1734451559698">
<AttributeDefinition name="cn" type="string">
<Description>common name(s) for which the entity is known by</Description>
</AttributeDefinition>
<AttributeDefinition name="distinguishedName" type="string">
<Description>distinguished name for which the entity is known by</Description>
</AttributeDefinition>
<AttributeDefinition name="owner" type="string">
<Description>owner (of the object)</Description>
</AttributeDefinition>
<AttributeDefinition name="description" type="string">
<Description>descriptive information</Description>
</AttributeDefinition>
<AttributeDefinition entitlement="true" multi="true" name="memberOf" schemaObjectType="group" type="string">
<Description>Group Membership</Description>
</AttributeDefinition>
<AttributeDefinition name="objectSid" type="string">
<Description>Windows Security Identifier</Description>
</AttributeDefinition>
<AttributeDefinition name="objectguid" type="string">
<Description>Object globally unique identifier </Description>
</AttributeDefinition>
<AttributeDefinition name="mailNickname" type="string">
<Description>Exchange Distribution Group Name</Description>
</AttributeDefinition>
<AttributeDefinition name="GroupType" type="string">
<Description>Group Type</Description>
</AttributeDefinition>
<AttributeDefinition name="GroupScope" type="string">
<Description>Group Scope</Description>
</AttributeDefinition>
<AttributeDefinition name="sAMAccountName" type="string">
<Description>sAMAccountName</Description>
</AttributeDefinition>
<AttributeDefinition name="msDS-PrincipalName" type="string">
<Description>Name of the entity in the format "NetBIOS domain name\sAMAccountName"</Description>
</AttributeDefinition>
<Attributes>
<Map>
<entry key="groupMemberAttribute" value="member"/>
</Map>
</Attributes>
</Schema>
</Schemas>
<ApplicationScorecard created="1713113131035" id="c0a801c78edd17ba818edd7fe81a0203" modified="1734451559693" significantModified="1734451559693"/>
</Application>