Deprovision non-local

Hi,

I’m trying to deprovision a domain account that is part of the local group ADMINISTRATORS on a Windows server. But it is throwing me the below error.

errors

["Exception occurred while executing the RPCRequest: Errors returned from IQService. \"Exception occurred while provisioning group WinNT://testserver/Administrators,group, Exception has been thrown by the target of an invocation.InnerException:A member could not be added to or removed from the local group because the member does not exist.\n Or it might be non-local user\""]

Could someone help me with possible solutions for deprovisioning the domain accounts from local groups.

Hi,

I also tried revoking an entitlement for a local user, but that also failed with the below error. Could someone help me to confirm if I’m missing anything to deprovision access on the Windows local source.

["Exception occurred while executing the RPCRequest: Errors returned from IQService. \"Exception occurred while provisioning group WinNT://testserver/Users,group, Exception has been thrown by the target of an invocation.InnerException:A member could not be added to or removed from the local group because the member does not exist.\n Or it might be non-local user\""]

Domain admin accounts are protected.
Can you verify if the account has an attribute called adminCount and if it is set to 1 ?

The adminCount attribute is found on user objects in Active Directory. This is a very simple attribute. If the value is not set or 0 then the user is not protected by the SD Propagation. If the value of adminCount is set to 1 that means the user has been, or is, a member of a protected group. The value can be seen in ADUC, ADSIEdit or LDP.

If adminCount is not set you can enable logging on the IQService to get a more in-depth error message. See IQTrace Logs - not tracked for information on enabling logging for IQService.

– Remold


@Remold

Thanks for your response. Do we need to set the attribute adminCount = 1 even for the domain accounts?

Currently we are just trying to deprovision the domain accounts and not domain admin accounts.

Also we are facing the same error when we tried to deprovision the local user access on the Windows local source.

adminCount is automatically set by Active Directory when an account is added to protected objects/groups. See Using Active Directory’s AdminCount Attribute to Find Privileged Accounts
Since you experience the same with local accounts, I doubt this is related.

To validate your question and what you want to do:
There is a domain account which is a member of a local ‘Administrators’ group. You want to remove the account from this group.

A domain account does not exist locally on a system (only a profile if the user has logged on), the system is using the domain for the authentication. So it is not possible to remove the account, since it is not there.

There is a PowerShell command to remove members from a local group which can also remove domain accounts from the same: Remove-LocalGroupMember (Microsoft.PowerShell.LocalAccounts) - PowerShell | Microsoft Learn

I have an idea to create something for IdentityIQ, however for IdentityNow I have no clue how to run this command.

– Remold

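The removal Remold points to, as an added example that is not from the thread or from SailPoint: it checks membership first so that a domain principal that is already gone does not surface as the opaque "member does not exist / might be non-local user" error, and it re-reads the group after the change. The group name Administrators and the member DOMAIN\jdoe are assumed placeholders.

```powershell
# Added example (not IQService code). Requires the Microsoft.PowerShell.LocalAccounts
# module (Windows Server 2016+ / Windows 10+) and a local-administrator session.
function Remove-DomainPrincipalFromLocalGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Group,   # e.g. 'Administrators'
        [Parameter(Mandatory)] [string] $Member   # 'DOMAIN\samAccountName'
    )

    # Enumerate the group; PrincipalSource distinguishes Local from ActiveDirectory members.
    # Note: this cmdlet can fail if the group holds orphaned SIDs of deleted domain accounts.
    $current = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    $match   = $current | Where-Object { $_.Name -ieq $Member }

    if (-not $match) {
        Write-Warning "$Member is not a member of $Group on $env:COMPUTERNAME; nothing to remove."
        return $false
    }
    if ($match.PrincipalSource -ne 'ActiveDirectory') {
        Write-Verbose "$Member is a $($match.PrincipalSource) principal, not a domain account."
    }

    # -WhatIf on the caller short-circuits here, so a dry run never touches the group.
    if ($PSCmdlet.ShouldProcess("$Group on $env:COMPUTERNAME", "remove $Member")) {
        # Equivalent to the WinNT provider call the IQService error refers to:
        #   ([ADSI]"WinNT://./$Group,group").Remove("WinNT://DOMAIN/jdoe,user")
        Remove-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop

        # Verify the change actually took effect rather than trusting the cmdlet's silence.
        $still = Get-LocalGroupMember -Group $Group | Where-Object { $_.Name -ieq $Member }
        return (-not $still)
    }
    return $false
}

# Dry run first, then the real removal (placeholder names).
Remove-DomainPrincipalFromLocalGroup -Group 'Administrators' -Member 'DOMAIN\jdoe' -WhatIf
Remove-DomainPrincipalFromLocalGroup -Group 'Administrators' -Member 'DOMAIN\jdoe' -Verbose
```

Because the domain account itself is never deleted, this only revokes the local entitlement; the account still exists in the domain.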

Thanks for your response.

When a domain account has been added to the local group ADMINISTRATOR, during the UAR process for the Windows source I expected that IdentityNow removes the entitlement “ADMINISTRATOR” from the domain account.

I wonder how UAR / certification can be processed for those identities whose domain accounts are in the Windows local group ADMINISTRATOR.
