Error while Disabling or Enabling the account in AD

IIQ version
8.3p2

Problem Statement:
I am using an Active Directory (AD) Direct connector in SailPoint IdentityIQ.
I deleted an existing user directly from AD. Then I created a new account for the same user through SailPoint IdentityIQ, and the account was created successfully. I could see the account in the managed system.

However, when I tried to disable the account, I encountered the following error. I tried this scenario both without moving the user to a different OU and by moving the user to a different OU, by adding AC_NewParent and removing AC_NewParent in the provisioning policy respectively.

I got the below error in both cases:
Error(s) reported back from the IQService - Error occurred while disabling the account CN=XXXX,OU=Accounts,OU=Uat,OU=SailPoint,DC=XXXX,DC=XXXXFailed to connect to the server for CN=XXXX,OU=Accounts,OU=Uat,OU=SailPoint,DC=XXXX,DC=XXXX:There is no such object on the server. 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of: ‘OU=Accounts,OU=Uat,OU=SailPoint,DC=XXXX,DC=XXXX’ . HRESULT:[0x80072030] Possible reasons for failure include a) The Domain Controller is currently not reachable b) The object has either been moved or renamed c) The object has been deleted Please Ensure the data has been aggregated before performing the operation

Hi @DMalaghe1993,

AD returns this error when the account doesn't exist, when the OU doesn't exist in the case of moving an account, or if you don't have the permissions for the operation. Maybe you can see and create the account, but the service user doesn't have any other permissions.

Try to use Apache Directory Studio, configure the connection like the AD connector, and try it there. If you get the same errors, it is possible the problem is with permissions. Otherwise, the error could be on the IIQ side, in your rules.

Hi @enistri_devo,
I checked in Apache Directory Studio and was able to move the account from one OU to another. The service account has permission.
We are not maintaining any rule to move the account. In the provisioning policy we set the AC_NewParent attribute.

1 Like

Good, so coming back to the error: AD says that it can't find the account you are managing.

This could happen for several reasons; for example, the information that you have in IIQ is not updated and the account is not in the OU stored in IIQ, or something happened before or during your operation (AD policies, for example).

In your case, I think it could depend on the order of operations. Can you explain to me what you are doing here?

If you move the account first and later disable the account in the same plan, it can return this error.
A possible solution: disable the account and move it in an after-provisioning rule.

Here is the sequence of operations that I am doing:

  1. First I create the user; it was created successfully.
  2. I did all operations (modify, enable, disable user); all work fine.
  3. I delete the user directly from AD.
  4. Again I create the same user in AD through IIQ. I am able to create it, but now I am not able to do any operation for this user, not even a modify request.
  5. I check the ProvisioningRequest.
    For Native Identity it is picking the old nativeIdentity CN=xyz, ou=disabled, dc=sailpoint, dc=local.
    It should set Native Identity to CN=xyz, ou=account,
    which we recently created.

I could see it is stuck on the old native identity.

This happened only with specific users which were deleted and recreated; for new users I didn't get any issue.

After deleting the NativeIdentityChange event of that Identity, it resolved my problem.

2 Likes
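One way to triage this kind of NO_OBJECT error outside IIQ, as an added stand-alone example that is not part of this thread or of SailPoint's own code: parse the IQService message to see which RDNs of the requested DN AD could not find (leaf object gone versus target OU missing), then check a fresh account listing for the same CN under another OU, which is the stale-nativeIdentity symptom described above. The error string and the account DNs are constructed samples modelled on the thread.

```python
import re

# Shape of the IQService-wrapped AD error quoted in the thread (assumed stable ordering).
ERR_RE = re.compile(
    r"Error occurred while (?P<op>\w+) the account (?P<dn>CN=.+?)"
    r"Failed to connect to the server for .*?best match of: "
    r"[‘'](?P<best>[^’']+)[’']",
    re.S,
)

def split_rdns(dn):
    """Split a DN into its RDNs. Assumption: no escaped commas inside values."""
    return [r.strip() for r in dn.split(",") if r.strip()]

def diagnose_no_object(error_text):
    """Return which RDNs of the requested DN do not exist, per AD's 'best match'."""
    m = ERR_RE.search(error_text)
    if not m:
        return None
    dn_parts = split_rdns(m.group("dn"))
    best_parts = split_rdns(m.group("best"))
    n = len(dn_parts) - len(best_parts)
    # AD reports the deepest existing suffix of the requested DN as the best match.
    same = [p.lower() for p in dn_parts[n:]] == [p.lower() for p in best_parts]
    missing = dn_parts[:n] if n > 0 and same else dn_parts
    if len(missing) == 1:
        cause = "leaf object missing: deleted, moved or renamed; nativeIdentity in IIQ is probably stale"
    else:
        cause = "container missing: an OU in the target DN does not exist"
    return {"operation": m.group("op"), "dn": m.group("dn"),
            "best_match": m.group("best"), "missing_rdns": missing, "cause": cause}

def find_current_dn(stale_dn, current_dns):
    """Look for the same leaf RDN (CN=...) under a different container in a fresh listing."""
    leaf = split_rdns(stale_dn)[0].lower()
    for dn in current_dns:
        if split_rdns(dn)[0].lower() == leaf and dn.lower() != stale_dn.lower():
            return dn
    return None

# Constructed sample: the thread's DNs, leaf object gone after the delete/recreate.
SAMPLE_ERROR = (
    "Error(s) reported back from the IQService - Error occurred while disabling the account "
    "CN=xyz,OU=disabled,DC=sailpoint,DC=localFailed to connect to the server for "
    "CN=xyz,OU=disabled,DC=sailpoint,DC=local:There is no such object on the server. "
    "0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of: "
    "'OU=disabled,DC=sailpoint,DC=local' . HRESULT:[0x80072030]"
)
# Constructed sample: DNs as a fresh aggregation would return them after the recreate.
CURRENT_DNS = ["CN=abc,OU=account,DC=sailpoint,DC=local",
               "CN=xyz,OU=account,DC=sailpoint,DC=local"]
```

Running `diagnose_no_object(SAMPLE_ERROR)` reports only `CN=xyz` as missing, and `find_current_dn` on that DN returns the recreated account under `OU=account`, i.e. the Link's nativeIdentity needs refreshing rather than the OU being wrong.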
