I encountered a connector rule problem. The type is ConnectorAfterCreate. The script is here:
ConnectorAfterCreate.ps1 (3.2 KB)
The logic is below:
1. I get the department from the accountRequest object.
2. Get the AD group whose name is the same as the department via a command.
3. Compare the department name to the default name.
4. If the result is not the same, remove the member from the default group and add it to the department group; if the result is the same, do nothing.
Now when ISC executes the `if ($cn.Equals($dep)){…}` block, it triggers an error. The message is here:
Create operation is successful but post script execution failed : After script returned non zero exit code : 1 :
I am sure the variables $cn and $dep are String objects, but I don't know what reason triggers the error. How to solve it?
Please check this out, if it helps https://developer.sailpoint.com/discuss/t/after-script-returned-non-zero-exit-code-1/67659/1
Why you are seeing “After script returned non-zero exit code : 1”
The message means IQService did finish creating the account in Active Directory, but when it tried to launch the PowerShell file configured in Native Rules → AfterCreateScript, that script ended with an exit code other than 0.
IQService therefore rolls the provisioning back to avoid leaving the new AD object in an indeterminate state.
Because PowerShell sets its process exit code to 1 whenever an unhandled error is written to the error stream, even a single warning inside your script is enough to trigger this rollback. Your test file is already doing several things that commonly throw such errors:
| Line | What might fail | Typical symptom |
|---|---|---|
| `Import-Module ActiveDirectory` | RSAT tools not installed, or the IQService service account does not have permission to load the module | The term 'Get-ADUser' is not recognized … |
| `Add-Type -Path "C:\SailPoint Files\IQService\Utils.dll"` (and the second `Add-Type utils.dll`) | Typos in the path, 32-/64-bit mismatch, or the same assembly being loaded twice | Add-Type : Cannot add type. The type name already exists. |
| Using `$env:Request` | REQUEST is only present when IQService actually populates it; running the script from a normal PowerShell prompt leaves it `$null`, so StringReader throws | Exception calling "StringReader" with "1" argument(s): Value cannot be null. |
| Writing the log file | If the IQService Windows service account cannot create or append the file | Out-File : Access to the path … is denied. |

Any of the above will bubble up as an unhandled error → PowerShell sets `$LASTEXITCODE = 1` → IQService interprets that as failure.
A quick way to prove the script is fired
Replace the entire file with just three lines and redeploy:
```powershell
Start-Transcript -Path "C:\SailPoint Files\IQService\Logs\aftercreate_debug.log"
"AfterCreate fired at $(Get-Date)" | Out-File "C:\SailPoint Files\IQService\Logs\aftercreate_marker.log" -Append
Stop-Transcript
exit 0
```
- Create or disable the user again from IdentityNow.
- If the aftercreate_marker.log appears (and the task still rolls back), you know the script is launching but returning ≠ 0.
- If the file never appears, IQService isn’t finding or executing the script at all (wrong path, wrong NativeRule name, or execution policy blocking).
Hardening the full script
Below is a minimal skeleton that safely loads SailPoint libraries, writes a log, and always ends with an explicit `exit 0` unless a trapped error occurs. It shows exactly where to add your own logic later.
```powershell
<# AfterCreateScript.ps1 – template #>
$ErrorActionPreference = 'Stop'   # any error now becomes terminating
Set-StrictMode -Version Latest

# --- Configurable paths ----------------------------------------------------
$iqhome  = 'C:\SailPoint Files\IQService'
$logRoot = "$iqhome\Logs"
$libDir  = "$iqhome\Utils"
$logFile = Join-Path $logRoot ("AfterCreate_{0:yyyyMMdd}.log" -f (Get-Date))

# --- Helper ----------------------------------------------------------------
function Write-Log {
    param($msg)
    $msg | Out-File $logFile -Append
}

try {
    #--- Startup banner
    Write-Log "---- AfterCreate started $(Get-Date -Format o) ----"

    #--- Load SailPoint utils (once only; a second Add-Type of the same assembly errors)
    Add-Type -Path (Join-Path $libDir 'Utils.dll')

    #--- Load AD cmdlets **only if needed**
    Import-Module ActiveDirectory -ErrorAction Stop

    #--- Parse the request XML from environment
    $reqXml = $env:REQUEST   # environment variable names are case-insensitive on Windows
    Write-Log "Raw request length: $($reqXml.Length) characters"
    $reader  = New-Object System.IO.StringReader $reqXml
    $xmlRd   = [SailPoint.Utils.Xml.XmlUtil]::getReader($reader)
    $acctReq = New-Object SailPoint.Utils.Objects.AccountRequest($xmlRd)

    #--- YOUR POST-CREATE LOGIC GOES HERE
    # … e.g. set attributes, send e-mail, etc.

    Write-Log "AfterCreate completed successfully"
    exit 0   # explicit success
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    Write-Log ($_ | Out-String)   # full error record (the original piped Write-Log's output, which logged nothing)
    exit 1   # bubble failure to IQService
}
finally {
    Write-Log "----------------------------------------------------`n"
}
```
Key take-aways
| What | Why it matters |
|---|---|
| `$ErrorActionPreference = 'Stop'` | Forces any problem to jump into the `catch` block where you can log details and decide the exit code intentionally. |
| `exit 0` / `exit 1` | Never rely on PowerShell's implicit exit logic; IQService checks the native process exit code. |
| `Import-Module ActiveDirectory` inside `try` | If the module isn't present the script fails before touching AD objects, and you get a clear error in the log. |
| One `Add-Type` | Loading the same assembly twice throws a (non-terminating) warning that still yields exit-code 1 when `$ErrorActionPreference` is `Stop`. |
| Run the script by hand | In a PowerShell console on the IQService host, simulate IQService by setting `$env:REQUEST = "<dummy/>"; .\AfterCreateScript.ps1` and watch for errors. |
Common root causes & remedies
| Symptom in IQService log | Likely root cause | Fix |
|---|---|---|
| Cannot load ActiveDirectory | RSAT tools missing on the IQService host, or the service account lacks module files in `$env:PSModulePath` | Install "Active Directory Domain Services and LDAP Tools" (RSAT) and restart the IQService service. |
| Access denied writing log | File ACL denies write to the service account (e.g., Local System or a dedicated AD account) | Grant Modify on the folder, or move logs to a location the account can write. |
| Execution policy error | Host still uses the default Restricted policy | `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine` (or sign the script). |
| Assembly already loaded | Duplicate `Add-Type` | Remove the second call or wrap it in `if (-not ([AppDomain]::CurrentDomain.GetAssemblies() \| where {$_.GetName().Name -eq 'Utils'})) { … }`. |
Can you please try the above and see if it works fine ?
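Added example, not from the thread or from SailPoint: the poster's department-to-group move written on top of the template above, using `-eq` instead of `.Equals()` because calling `.Equals()` on a `$null` left-hand side throws, and that single unhandled error is enough to produce the exit code 1 that IQService rolls back on. The default group name, the log path, and the `getAttributeRequests()`/`getName()`/`getValue()`/`getNativeIdentity()` accessor names on the `AccountRequest` object are assumptions.

```powershell
<# AfterCreate_GroupMove.ps1 – added example, not the thread's script #>
$ErrorActionPreference = 'Stop'
$logFile      = 'C:\SailPoint Files\IQService\Logs\AfterCreate_GroupMove.log'   # assumed path
$defaultGroup = 'Default-Dept-Group'                                            # assumed group name
function Write-Log { param($m) "$(Get-Date -Format o) $m" | Out-File $logFile -Append }

try {
    Add-Type -Path 'C:\SailPoint Files\IQService\Utils.dll'   # load once only
    Import-Module ActiveDirectory

    # Fail early and loudly when not launched by IQService (REQUEST is then unset)
    if ([string]::IsNullOrEmpty($env:Request)) { throw 'REQUEST is empty; script not started by IQService?' }
    $reader  = New-Object System.IO.StringReader $env:Request
    $xmlRd   = [SailPoint.Utils.xml.XmlUtil]::getReader($reader)
    $acctReq = New-Object SailPoint.Utils.Objects.AccountRequest($xmlRd)

    # Pull the department from the attribute requests (accessor names assumed)
    $dep = $null
    foreach ($ar in $acctReq.getAttributeRequests()) {
        if ($ar.getName() -eq 'department') { $dep = [string]$ar.getValue() }
    }
    $userDn = $acctReq.getNativeIdentity()   # for the AD connector this is the DN (assumed)
    Write-Log "Account '$userDn' department='$dep'"

    # -eq is null-safe and case-insensitive; $cn.Equals($dep) throws when $cn is $null,
    # and under 'Stop' that alone makes the process exit with code 1
    if ([string]::IsNullOrWhiteSpace($dep) -or $dep -eq $defaultGroup) {
        Write-Log 'Department empty or equals the default group; nothing to do'
        exit 0
    }

    # Escape single quotes so the department value cannot alter the filter expression
    $safeDep = $dep -replace "'", "''"
    $grp = @(Get-ADGroup -Filter "Name -eq '$safeDep'")
    if ($grp.Count -eq 0) { throw "No AD group named '$dep' found" }
    if ($grp.Count -gt 1) { throw "More than one AD group named '$dep'; refusing to guess" }

    # Only remove from the default group if the user actually is a member (idempotent re-runs)
    $defGrp = Get-ADGroup -Identity $defaultGroup
    $user   = Get-ADUser  -Identity $userDn -Properties memberOf
    if ($user.memberOf -contains $defGrp.DistinguishedName) {
        Remove-ADGroupMember -Identity $defGrp -Members $user -Confirm:$false
    }
    Add-ADGroupMember -Identity $grp[0] -Members $user
    Write-Log "Moved $userDn from $defaultGroup to $($grp[0].Name)"
    exit 0
}
catch {
    Write-Log "ERROR: $($_ | Out-String)"
    exit 1   # IQService sees a non-zero exit code and rolls the create back
}
```

Run it by hand on the IQService host with `$env:REQUEST` set to a captured request to see the logged reason before IQService ever reports exit code 1.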
Some common checks to do
Validate if IQService/Utils.dll file is unblocked.
- In your IQService Server navigate to IQService folder right click on Utils.dll file and click on Properties. If it is blocked you will see a checkbox to Unblock it, check that box and Click on Apply.
Sometimes it is the PowerShell execution policy on the server that blocks the generated scripts from running. You can change the policy and check whether that resolves your issue.
Verify that your server is not blocking the script execution. Sometimes we have firewalls, antivirus software, etc. that block PS script execution. Work with your Network team to fix and resolve these.