We are getting this error [“Exception occurred while executing the RPCRequest: Errors returned from IQService. "Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : yr432Attribute DistinguishedNamedoes not contain expected character ,. Value supplied : yr432. HRESULT:[0x80131500]"”]
in our Sandbox.
We have a unique DN generator cloud rule that generates the DN in AD; that generated DN comes into ISC through an identity attribute.
Hi Rita,
Can you try to create the user manually in Active Directory with the details you have for the user which failed? You should be able to get them by searching the user → Account Activity. Please let us know the result.
I am able to create the same identity manually in Active Directory without error. But the DistinguishedName created by the rule and the DistinguishedName that got created manually are in different formats. How?
Created by Rule before erroring out for an actual user
CN= lastName\, firstNameX,OU=Users,OU=Accounts,DC=mydcName,DC=dev
This is created manually for a test user.
CN= lastName L. firstName,OU=Users,OU=Accounts,DC=mydcName,DC=dev
This is the error I got in IQ-Service before creating user manually
03/20/2025-10:47:04: Info: operation → Create
03/20/2025-10:47:04[ISCREATEMAILBOX] Set to Yes
03/20/2025-10:47:04[SEND_PASSWORD] Calling send password script…
03/20/2025-10:47:02: Error: Item = → Message = Cannot find an object with identity: ‘’ under: ‘DC=mydcName,DC=dev’.
03/20/2025-10:47:02: [AFTER_CREATE] Exiting SailPoint After Creation rule
03/20/2025-10:47:03: Error: Item = → Message = Cannot find an object with identity: ‘’ under: ‘DC=mydcName,DC=dev’.
03/20/2025-10:47:03: [AFTER_CREATE] Exiting SailPoint After Creation rule
03/20/2025-10:47:04: Error: Item = → Message = Cannot find an object with identity: ‘’ under: ‘DC=mydcName,DC=dev’.
03/20/2025-10:47:04: [AFTER_CREATE] Exiting SailPoint After Creation rule
I always question such an elaborate set of logic just to get an LDAP object to stick (have a unique DN), spraying the tree with logic fragmentation / permutations. Like, with or without automation, the variations of CN / DN make getting to an object difficult without having to do a search first…because you don’t have a singular CN format to form a DN without searching. Something I’d say is traditionally considered poor LDAP management.
Hi Rita,
Can you do one thing: remove the AfterCreate script from the native execution and try to check if you are able to create the user. I suspect the issue is with the PowerShell script. Let me know your results after the same.
Hi @j1241,
So the user got created after removing the PowerShell script? The issue may be with the script and not with the username you are generating?
I also feel there is nothing wrong with the script.
I think it is related to Account Request
This is the account request for the failed identity
[AFTER_CREATE] Request as XML object is: <AccountRequest application="Active-Directory-Dev [source]" op="Create" nativeIdentity="staffid">
The account request should look like this
[AFTER_CREATE] Request as XML object is: <AccountRequest application="Active-Directory-Dev [source]" op="Create" nativeIdentity="CN= lastName\, firstNameX,OU=Users,OU=Accounts,DC=mydcName,DC=dev">
Hi Rita,
What is the accountId attribute in Active Directory? This is the nativeIdentity attribute. I think it is pointing to samAccountName. Change it to distinguishedName and it should solve your issue.
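
A DN-shape pre-flight check for the value that ends up as nativeIdentity, as an added example that is not part of the original thread and is not SailPoint or IQService code. It splits on unescaped commas (RFC 4514), so the rule's `\,` stays inside the CN while `yr432` and `staffid` are rejected; the function names are hypothetical, and the rule used here (at least two `attr=value` RDNs) is an assumption, not IQService's actual validation.

```python
import re

# Sample values copied from the thread above.
RULE_DN = r"CN= lastName\, firstNameX,OU=Users,OU=Accounts,DC=mydcName,DC=dev"
MANUAL_DN = "CN= lastName L. firstName,OU=Users,OU=Accounts,DC=mydcName,DC=dev"


def split_rdns(dn: str) -> list[str]:
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))  # unescaped comma ends an RDN
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def looks_like_dn(value: str) -> bool:
    """True if value has at least two RDNs, each of the form attr=value."""
    rdns = split_rdns(value)
    if len(rdns) < 2:
        return False
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not sep or not attr.strip() or not val.strip():
            return False
    return True


def first_rdn_value(dn: str) -> str:
    """Unescaped value of the leading RDN (single-char escapes only, no \\XX hex pairs)."""
    _, _, val = split_rdns(dn)[0].partition("=")
    return re.sub(r"\\(.)", r"\1", val.strip())


if __name__ == "__main__":
    for candidate in (RULE_DN, MANUAL_DN, "yr432", "staffid"):
        print(f"{candidate!r}: DN-shaped={looks_like_dn(candidate)}")
```

Both DNs from the thread pass, which shows the escaped comma in the rule-generated CN is a valid single RDN; the failing values are the ones that are not DNs at all.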