Error rendering template: Nested Conditional Transform failing on AD Move logic

testipona · April 15, 2026, 4:03pm

Hi Community,

I am working on a transform to move users to specific “Disabled” OUs based on their distinguishedName and cloudLifecycleState.

The Goal:

If the user is terminated or manualTerminated:
- Check if their current AD DN contains “india”.
- If yes: Move to the India Disabled OU.
- If no: Move to the USA Disabled OU.
If they are active, return their current distinguishedName.

The Issue: I keep receiving an “Error rendering template” or “Exception while calculating value.” I suspect it is related to how variables are passed into the nested positiveCondition or how null values are handled for users without an AD account.

Here’s the current JSON:

{
    "name": "Disabled Ou Movement - Transform",
    "type": "conditional",
    "attributes": {
        "expression": "$cloudLifecycleState == 'terminated' || $cloudLifecycleState == 'manualTerminated'",
        "positiveCondition": {
            "type": "conditional",
            "attributes": {
                "dn": {
                    "type": "accountAttribute",
                    "attributes": {
                        "sourceName": "Active Directory",
                        "attributeName": "distinguishedName"
                    }
                },
                "sAMAccountName": {
                    "type": "accountAttribute",
                    "attributes": {
                        "sourceName": "Active Directory",
                        "attributeName": "sAMAccountName"
                    }
                },
                "expression": "dn.toLowerCase().contains('india')",
                "positiveCondition": {
                    "type": "static",
                    "attributes": {
                        "value": "CN=$sAMAccountName,OU=Disabled Accounts,OU=Users,OU=India,DC=spdev,DC=local"
                    }
                },
                "negativeCondition": {
                    "type": "static",
                    "attributes": {
                        "value": "CN=$sAMAccountName,OU=Disabled Accounts,OU=Users,OU=USA,DC=spdev,DC=local"
                    }
                }
            }
        },
        "negativeCondition": {
            "type": "accountAttribute",
            "attributes": {
                "sourceName": "Active Directory",
                "attributeName": "distinguishedName"
            }
        }
    }
}

Questions for the experts:

Do I need to re-declare sAMAccountName and dn inside the nested positiveCondition attributes block?
How can I safely handle the .contains() check if the distinguishedName attribute is null for a specific user?
Is there a more efficient way to achieve this using a single static transform with Velocity instead of nested conditionals?

Any guidance would be greatly appreciated!

baoussounda · April 15, 2026, 4:18pm

Hi @testipona

I will simply it with by using only static :

{
  "name": "Disabled Ou Movement - Transform",
  "type": "static",
  "attributes": {
    "cloudLCS": {
      "type": "identityAttribute",
      "attributes": {
        "name": "cloudLifecycleState"
      }
    },
    "dn": {
      "type": "accountAttribute",
      "attributes": {
        "sourceName": "Active Directory",
        "attributeName": "distinguishedName"
      }
    },
    "sAMAccountName": {
      "type": "accountAttribute",
      "attributes": {
        "sourceName": "Active Directory",
        "attributeName": "sAMAccountName"
      }
    },

    "indiaOU": {
      "type": "static",
      "attributes": {
        "value": "OU=Disabled Accounts,OU=Users,OU=India,DC=spdev,DC=local"
      }
    },

    "usaOU": {
      "type": "static",
      "attributes": {
        "value": "OU=Disabled Accounts,OU=Users,OU=USA,DC=spdev,DC=local"
      }
    },

    "value": "#if($cloudLCS == 'terminated' || $cloudLCS == 'manualTerminated') #if($dn && $dn.toLowerCase().contains('dc=india')) CN=$sAMAccountName,$indiaOU #else CN=$sAMAccountName,$usaOU #end #else $dn #end"
  },
  "internal": false
}

testipona · April 16, 2026, 7:51am

Hi @baoussounda , thank you for this! We were able to successfully change the DN value using the code. It also correctly retrieves the existing DN when neither condition is met. We truly appreciate your help, thank you so much!

Topic		Replies	Views
Question about using an identity attribute in the negativeCondition of a conditional transform ISC Discussion and Questions identity-security-cloud	3	64	November 28, 2025
Condition in Transform is not working ISC Discussion and Questions transforms , identity-security-cloud , provisioning	13	1240	June 23, 2023
Conditional Transform not evaluating Positive Condition ISC Discussion and Questions identity-security-cloud	3	102	June 20, 2025
Lifecycle Transform issue ISC Discussion and Questions	4	2831	July 19, 2023
Transform is always going to Negative Condition ISC Discussion and Questions transforms , identity-security-cloud	20	99	April 6, 2026

Error rendering template: Nested Conditional Transform failing on AD Move logic

Related topics