Executing AfterCreateRule following Active Directory Account creation

Hi team,

My goal is to trigger an AfterCreate Rule following an Active Directory account creation.

I have followed the link below and have attached the rule: Before and after operations on source account Rule | SailPoint Developer Community

The rule should trigger the execution of a PowerShell script hosted on the IQService server.

  • The script is effectively placed in the indicated folder.
  • The AfterCreate Rule is deployed on the tenant using the /beta/connector-rules endpoint (see screenshot 1 below).
  • The AfterCreate Rule has been updated on the Active Directory source (see screenshot 2 below).

The current behaviour is that it seems the rule is not getting executed at all.

From ccg.log, I tried to simplify the rule but I cannot find any specific exception, so I would be keen to have the attached rule reviewed or if I am missing any piece of configuration.

Thank you very much!


ActiveDirectory-AfterCreateRule.xml (2.7 KB)


Do you have TLS enabled?

Hi @acosson

I had a quick look at the rule and it seems fine. Before digging deep into the syntax etc., can you please check the following:

  1. Do you see the logs of the after create connector rule on the VA?

  2. Can you please check the IQTrace file logs to see if any new entry is being populated. Most likely, what I have seen in my case was that if the PowerShell script tries to run and ends up failing, then this might happen. So you can have a look at this file.

  3. You can also try to run the PowerShell script locally without the rule to ensure that it runs fine.

I hope this helps.

Regards
Vikas.

Hi @acosson You appear to have included the whole rule in the sourceCode/script section, rather than just the script. Double check the body you are sending to the API.


Yes, TLS is enabled; we are using port 636.

Hi,

  1. I was not seeing the logs of the After Create Connector Rule in the VA but will replace it with a simple Log.error, check and revert.
  2. I will check these. Since I am on ISC, could you indicate where this file is located?
  3. We already tried executing the PowerShell script and this is working as expected, so the issue is on the AfterCreationRule for me.

Thanks Jeremy, would you have a quick overview of how it should look as JSON to match your recommendation?

Hi @acosson

Sorry, my bad. For the iq traces, you should check this. Here you can find the location of your logs and thus can see if there is anything at all.

At least this will help in understanding whether the IQService folder is being called properly or not.

Thank You
Regards
Vikas.

AFK at the moment, but, AFAIK, you just want the BeanShell in the source code block, escaped, obvs. Will need some input objects as attributes.

In your rule JSON there's no need to send the XML, just the code!
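As an added example (not from this thread and not SailPoint's own code), the following Python shapes a connector-rule body the way the replies above describe, with only the BeanShell in sourceCode.script and the rest as attributes, and checks for the mistake Jeremy pointed out: the whole XML rule pasted into the script field. The field names of the /beta/connector-rules body, the attribute keys, and the sample BeanShell are assumptions.

```python
import json
import re

# Constructed sample: the BeanShell that would sit inside the <Source> element
# of an exported XML rule. Only this text belongs in sourceCode.script.
BEANSHELL_BODY = r'''
import sailpoint.object.*;
// log, application and requestObject are assumed to be rule inputs
log.error("AfterCreate rule reached for " + requestObject.getNativeIdentity());
'''

# Constructed sample: the same rule as it looks when the XML wrapper is pasted
# into the script field by mistake (the error discussed in the thread).
XML_WRAPPED_BODY = '<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">\n' \
    '<Rule name="AD AfterCreate" type="ConnectorAfterCreate"><Source>' \
    + BEANSHELL_BODY + '</Source></Rule>'


def build_after_create_rule(name, script, input_names, attributes):
    """Build the request body. Field names assume the ISC connector-rules API;
    IQService-side settings (program, timeout, ...) go in attributes."""
    return {
        "name": name,
        "type": "ConnectorAfterCreate",
        "signature": {
            "input": [{"name": n, "description": None, "type": None} for n in input_names],
            "output": None,
        },
        "sourceCode": {"version": "1.0", "script": script.strip()},
        "attributes": attributes,
    }


def validate_rule_body(body):
    """Return a list of problems found in the body; empty means it looks sane."""
    problems = []
    script = body.get("sourceCode", {}).get("script", "")
    if not script:
        problems.append("sourceCode.script is empty")
    if re.search(r"<!DOCTYPE|<Rule\b|<Source>", script):
        problems.append("sourceCode.script contains the XML rule wrapper; send only the BeanShell")
    if body.get("type") != "ConnectorAfterCreate":
        problems.append("type must be ConnectorAfterCreate for an after-create rule")
    return problems


# Assumed attribute keys for a PowerShell-backed rule run through IQService.
SAMPLE_ATTRIBUTES = {"ObjectOrientedScript": "true", "disabled": "false",
                     "program": "powershell.exe", "extension": ".ps1", "timeout": "300"}
```

Serialise the result of build_after_create_rule with json.dumps before sending it, so the BeanShell quotes and newlines are escaped for you.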

Thanks, I have updated the JSON accordingly to have just the code inside script and the rest as attributes (see screenshot below). I also fixed the path to the PS script, which was hosted in a different folder.

Yet the rule still does not seem to be executed. I am looking for any relevant keyword to get appropriate information from the VA logs, if you have some.

You can easily add and update connector rules using VS Code with the ISC Extension.


In fact I saw the following exception raised afterwards:

Failed to execute native after provisioning Script. ScriptExecutor is not available. One of the possible reasons for internally disabling the ScriptExecutor is presence of non-TLS port port configured on the IQService

However, on the Active Directory source, all configurations related to the usage of TLS are checked.

I will check if IQService is effectively installed on both TLS and non-TLS ports, which may cause the issue too.


Hi @acosson ,

The PowerShell script was reviewed, and it is missing the Active Directory module import into PowerShell. You need to add this line on line 42 in your PowerShell script.

Refer to the SailPoint class library, which requires PowerShell v2 to be installed on the system:

# load the SailPoint IQService class library (file name corrected from "Utils.d11")
Add-Type -Path Utils.dll;
# import the AD cmdlets
Import-Module ActiveDirectory

I hope this works.

Thanks,

PVR.

Hi @acosson, this is not about the use of TLS; it is about the disabling of non-TLS. See Recent Updates.