Getting AD connector error while resetting the password through Before Provisioning rule when account is getting disabled on termination

Hi Team,

We are attempting to move the user to the suspended OU and reset their password when accounts are disabled during the LCS “Terminated.” However, we are encountering the following error while carrying out these actions through the Before Provisioning rule in the AD connector in ISC.

Error:
Failed to update attribute password Error occurred while setting group membership CN=Domain Users,CN=Users,DC=xyz,DC=Com. Access is denied. Access is denied.

We have the required permissions to reset the password.

Hi @OviyaLoganathan, does your script also attempt to remove all groups? If so, you need to ensure it doesn’t attempt to remove Domain Users.


Looking at the error, the issue is that it is trying to revoke the Domain Users group. You cannot remove the Domain Users group even though you have enough permission. It is a default built-in global security group that automatically includes all user accounts. So please check whether your provisioning plan includes the removal of the Domain Users group, and ignore it if so.

We are removing the users’ access through the “Remove all access” feature, which has been enabled in the Identity Profile.

Just a minor clarification: you actually can remove Domain Users, just not if it’s the user’s Primary Group. If you change the Primary Group to something else, you should be able to remove them from Domain Users. The user just has to remain in some group and have that set as their Primary Group.


Try excluding the Domain Users group from “Remove all access” by following How to Filter Out Domain Users Entitlements on Remove All Access - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community and see whether it works for you.
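The filtering that the replies above describe (drop the Domain Users removal from the provisioning plan so the remaining actions, such as the password reset and the OU move, still go through) is shown here as an added example of a Before Provisioning rule body. It is not code from this thread, from the linked post, or from SailPoint; it assumes the rule receives the standard `plan` variable, that AD group membership is carried on the `memberOf` attribute, and that the Domain Users DN matches the one in the error message. Adjust those two constants for your own domain.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumptions (not taken from the thread): the DN of the built-in group we must
// never try to remove, and the AD attribute that carries group membership.
String DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=xyz,DC=Com";
String GROUP_ATTR = "memberOf";

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest acct : plan.getAccountRequests()) {
        List attrReqs = acct.getAttributeRequests();
        if (attrReqs == null) {
            continue;
        }

        // Rebuild the attribute request list, keeping everything except a
        // Remove of Domain Users. Password and other attribute changes are untouched.
        List kept = new ArrayList();
        for (AttributeRequest ar : attrReqs) {
            boolean isGroupRemoval = GROUP_ATTR.equalsIgnoreCase(ar.getName())
                    && ProvisioningPlan.Operation.Remove.equals(ar.getOperation());

            if (isGroupRemoval) {
                Object value = ar.getValue();

                if (value instanceof List) {
                    // "Remove all access" usually batches several DNs in one request:
                    // strip only Domain Users and keep the remaining removals.
                    List remaining = new ArrayList();
                    for (Object dn : (List) value) {
                        if (!DOMAIN_USERS_DN.equalsIgnoreCase(String.valueOf(dn))) {
                            remaining.add(dn);
                        }
                    }
                    if (remaining.isEmpty()) {
                        continue; // the request only removed Domain Users; drop it entirely
                    }
                    ar.setValue(remaining);
                } else if (DOMAIN_USERS_DN.equalsIgnoreCase(String.valueOf(value))) {
                    continue; // single-value request for Domain Users; drop it
                }
            }
            kept.add(ar);
        }
        acct.setAttributeRequests(kept);
    }
}
```

Because the connector applies the whole account request as one unit, a single denied group removal is enough to fail the password update as well, which is why the error mentions both. Stripping the Domain Users entry before the plan reaches the connector avoids that. If you instead change the user’s Primary Group, as suggested above, the removal can be allowed through, but that is a separate change to the account and is not performed by this filter.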