I am getting the below error when I try to remove all AD groups assigned to a user after termination with the help of a Before Provisioning rule.
Error: Failed to update attribute memberOf Error occurred while setting group membership CN=Domain Users,CN=Users,DC=sailpoint,DC=lan. The server is unwilling to process the request. The server is unwilling to process the request.
I read some of the posts related to this and I understand that this is a default membership group assigned to every user and that this error is intended. Could you please suggest how I can ignore this primary group with an LDAP search filter in the Group search scope option, or any other option, so that it does not come under the memberOf group search?
I do not want to change my BP rule logic.
Exclude any group where the CN (Common Name) is Domain Users
So effectively, the "Domain Users" group won’t show up in the memberOf attribute during account aggregation or group operations, and you won’t have to change your rule.
Thank you for your response. I added the below LDAP filter but I am still getting the same error. I added the CN of our Domain Users group in the filter and then tried to offboard a user, but got the same error. Do I need to add the Domain Users group ID to the filter as well, e.g. "primaryGroupID=515"?
(&(objectCategory=group)(!(CN=Domain Users,CN=Users,DC=sailpoint,DC=lan)))
After saving the filter, have you performed the below steps?
Re-aggregate Groups
Re-aggregate Accounts (delta is fine)
Run an Identity Refresh
This clears the stale Domain Users entitlement that was imported before the filter, so future terminations won't reference it.
Quick checklist
Edit AD source → Group Search Filter and paste the NOT-filter as described in the above post.
Save → Re-aggregate groups.
Re-aggregate accounts.
Terminate a user again — the provisioning plan will now ignore Domain Users and no longer produce the “server unwilling” error.
If, after those steps, the entitlement still appears on some identities, it means they hold the group through roles or access profiles created earlier.
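The filter posted in the reply above, and the Group Search Filter step in the checklist, can be checked offline before re-aggregating anything. The following is an added example, not code from this thread or from SailPoint: a minimal evaluator for the subset of RFC 4515 filter syntax used here (&, |, !, equality and presence) run against a constructed set of directory entries. In LDAP filter syntax `(CN=...)` compares the cn attribute, whose value for this group is just `Domain Users`, so a filter that puts the full DN on the right-hand side of `CN=` never matches and the group is still returned by the group search; `(!(cn=Domain Users))` or `(!(distinguishedName=CN=Domain Users,CN=Users,DC=sailpoint,DC=lan))` does exclude it. The entries, DNs and values below are constructed; real AD resolves `objectCategory=group` to the schema class DN, which the toy directory stores simply as `group`.

```python
"""Toy LDAP filter evaluator (RFC 4515 subset: &, |, !, equality, presence).
Added example for checking an AD Group Search Filter offline. Not SailPoint code;
the directory entries below are constructed for the example."""

# Constructed directory: three groups and one user. Attribute names are stored
# lower-case because LDAP attribute names are case-insensitive.
DIRECTORY = [
    {"distinguishedname": "CN=Domain Users,CN=Users,DC=sailpoint,DC=lan",
     "cn": "Domain Users", "objectcategory": "group"},
    {"distinguishedname": "CN=Domain Admins,CN=Users,DC=sailpoint,DC=lan",
     "cn": "Domain Admins", "objectcategory": "group"},
    {"distinguishedname": "CN=App-Finance,OU=Groups,DC=sailpoint,DC=lan",
     "cn": "App-Finance", "objectcategory": "group"},
    {"distinguishedname": "CN=Jane Doe,CN=Users,DC=sailpoint,DC=lan",
     "cn": "Jane Doe", "objectcategory": "person"},
]

# The filter from the thread, and two variants that exclude the group by its
# cn attribute and by its distinguishedName attribute.
POSTED_FILTER = "(&(objectCategory=group)(!(CN=Domain Users,CN=Users,DC=sailpoint,DC=lan)))"
CN_FILTER = "(&(objectCategory=group)(!(cn=Domain Users)))"
DN_FILTER = ("(&(objectCategory=group)"
             "(!(distinguishedName=CN=Domain Users,CN=Users,DC=sailpoint,DC=lan)))")


def parse_filter(text):
    """Parse a filter string into a tree of ('&'|'|'|'!', children) or
    ('=', attr, value) nodes. Raises ValueError on malformed input."""
    s = text.strip()
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children), i + 1
    # Simple item "attr=value": the value runs up to the closing parenthesis.
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:j].partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed item {s[i:j]!r}")
    return ("=", attr.strip().lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry. String comparison is
    case-insensitive, as it is for the AD attributes used here."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    actual = entry.get(attr)
    if actual is None:
        return False            # attribute absent: neither equality nor presence
    if value == "*":
        return True             # presence filter (attr=*)
    return actual.casefold() == value.casefold()


def search(filter_text, directory=DIRECTORY):
    """Return the cn of every entry the filter selects, in directory order."""
    tree = parse_filter(filter_text)
    return [e["cn"] for e in directory if matches(tree, e)]


if __name__ == "__main__":
    for name, f in (("posted", POSTED_FILTER), ("by cn", CN_FILTER), ("by DN", DN_FILTER)):
        print(f"{name:>7}: {search(f)}")
```

Run as a script, the posted filter still lists Domain Users among the groups, while the cn and distinguishedName variants do not. Whatever filter is used, the checklist above still applies: a group that was aggregated before the filter change stays on the identities until groups and accounts are re-aggregated.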
The AD LDAP filter did not work for me, so I added the logic in the Before Provisioning rule itself and it worked for me. Just use a for loop to exclude "Domain Users" from the memberOf attribute.
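A model of the loop described in the reply above, added here as an example; it is not the poster's rule and does not use the SailPoint API. The ProvisioningPlan, AccountRequest and AttributeRequest classes below are plain Python stand-ins with the same shape as the real objects (one account request per application, each carrying attribute requests whose value may be a single string or a list), and the termination plan is constructed. The function strips the primary group DN from every memberOf request on the AD application, drops the attribute request entirely if no values remain, compares DNs case-insensitively, and leaves other applications and attributes untouched. In a real BeanShell rule the same walk goes over the plan's account requests and their attribute requests (in the IIQ ProvisioningPlan API these are getAccountRequests() and getAttributeRequests(), which the reader should confirm against their own version).

```python
"""Model of a Before Provisioning rule that keeps the primary group out of
memberOf changes. Added example; not SailPoint code. Classes are stand-ins
for the provisioning plan objects and the sample plan is constructed."""
from dataclasses import dataclass, field
from typing import Union

# DN of the primary group named in the error message from the thread.
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=sailpoint,DC=lan"


@dataclass
class AttributeRequest:
    name: str
    op: str                                   # "Add", "Remove" or "Set"
    value: Union[str, list, None]             # single value or list, as in real plans


@dataclass
class AccountRequest:
    application: str
    op: str                                   # e.g. "Modify", "Disable"
    native_identity: str
    attribute_requests: list = field(default_factory=list)


@dataclass
class ProvisioningPlan:
    account_requests: list = field(default_factory=list)


def _same_dn(a, b):
    # AD DNs are case-insensitive; trim whitespace that aggregation may leave.
    return a.strip().casefold() == b.strip().casefold()


def strip_excluded_groups(plan, excluded_dns=(DOMAIN_USERS_DN,),
                          application="Active Directory"):
    """Remove every excluded group DN from memberOf requests on `application`,
    regardless of Add/Remove/Set, since AD refuses both adding and removing the
    primary group. Mutates the plan in place and returns the number of values
    removed, so the rule can log what it changed."""
    removed = 0
    for acct in plan.account_requests:
        if acct.application != application:
            continue
        kept = []
        for attr in acct.attribute_requests:
            if attr.name.casefold() != "memberof" or attr.value is None:
                kept.append(attr)
                continue
            values = attr.value if isinstance(attr.value, list) else [attr.value]
            filtered = [v for v in values
                        if not any(_same_dn(v, x) for x in excluded_dns)]
            removed += len(values) - len(filtered)
            if not filtered:
                continue                      # nothing left to send: drop the request
            attr.value = filtered if isinstance(attr.value, list) else filtered[0]
            kept.append(attr)
        acct.attribute_requests = kept
    return removed


def termination_plan():
    """Constructed plan: the AD account loses all groups (primary group included,
    in a different letter case on purpose) and an unrelated application is touched."""
    return ProvisioningPlan(account_requests=[
        AccountRequest("Active Directory", "Modify",
                       "CN=Jane Doe,CN=Users,DC=sailpoint,DC=lan", [
            AttributeRequest("memberOf", "Remove", [
                "CN=App-Finance,OU=Groups,DC=sailpoint,DC=lan",
                "cn=domain users,cn=users,dc=sailpoint,dc=lan",
                "CN=Domain Admins,CN=Users,DC=sailpoint,DC=lan",
            ]),
            AttributeRequest("description", "Set", "Terminated"),
        ]),
        AccountRequest("Okta", "Modify", "jane.doe", [
            AttributeRequest("memberOf", "Remove", [DOMAIN_USERS_DN]),  # not AD: untouched
        ]),
    ])


def only_primary_group_plan():
    """Constructed plan where the only memberOf value is the primary group,
    given as a single string rather than a list."""
    return ProvisioningPlan(account_requests=[
        AccountRequest("Active Directory", "Modify",
                       "CN=Jane Doe,CN=Users,DC=sailpoint,DC=lan", [
            AttributeRequest("memberOf", "Remove", DOMAIN_USERS_DN),
        ]),
    ])


if __name__ == "__main__":
    plan = termination_plan()
    print("removed:", strip_excluded_groups(plan))
    for acct in plan.account_requests:
        print(acct.application, [(a.name, a.op, a.value) for a in acct.attribute_requests])
```

The case-insensitive DN comparison matters because the value in the plan comes from aggregated entitlement data, which may not match the letter case of the DN in the error message; a plain string equality check would let the primary group through and reproduce the "server is unwilling" error.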