gMSA Account creation

Getting the below IQService error for gMSA account creation in SailPoint:

Error(s) reported back from the IQService - Before Script returned non-zero exit code : 1

Command to create the account:
New-ADServiceAccount -Name "gmsatest" -PrincipalsAllowedToRetrieveManagedPassword "gmsatest" -Enabled:$true -DNSHostName "gmsatest@dev.domain.com"

The command works when the account is created directly from PowerShell.
I get the IQService error only when SailPoint executes it through PowerShell.

Hi @satheeshv ,

Are you using native rules to run this PowerShell command? Can you share the IQService logs? You can find them in the IQService installation directory.

@satheeshv

Please share the logs from IQService.

Hi @satheeshv, I would check the below:

  • Verify which account IQService is running as

  • Confirm that account has Create/Delete msDS‑GroupManagedServiceAccount rights in AD

  • Ensure the ActiveDirectory PowerShell module is available to the IQService runtime

  • Try running the exact command using runas with the IQService account

The “non‑zero exit code = 1” is expected when the underlying PowerShell command fails due to permissions.

Once IQService runs under an account with the proper AD rights, this should work.
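The checklist above, as an added PowerShell example that is not part of this thread or of SailPoint's IQService. Run it on the IQService host in an elevated session. It assumes the Windows service is named "IQService", that the gMSA is "gmsatest" in dev.domain.com, and that a group "gmsa-hosts" holds the computer accounts allowed to retrieve the password; all three are assumptions. The KDS root key step needs the Kds module (present on domain controllers and with RSAT).

```powershell
# Added diagnostic script (not from the thread). Assumptions: service name
# "IQService", gMSA "gmsatest", DNS name "gmsatest.dev.domain.com", and a
# group "gmsa-hosts" containing the hosts that will run the service.
$ServiceName       = 'IQService'
$GmsaName          = 'gmsatest'
$DnsHostName       = 'gmsatest.dev.domain.com'
$AllowedPrincipals = 'gmsa-hosts'

# 1. Which account does IQService run as? AD evaluates rights for that
#    identity, not for the admin who tested the command interactively.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the service name." }
"IQService runs as: $($svc.StartName)"
"This session runs as: $(whoami)   (run the script under the service account to compare)"

# 2. Is the ActiveDirectory module visible to this runtime?
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw 'ActiveDirectory module not installed; add the RSAT-AD-PowerShell feature.'
}
Import-Module ActiveDirectory

# 3. A gMSA cannot be created until a KDS root key exists and is effective.
$effectiveKeys = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $effectiveKeys) {
    throw 'No effective KDS root key. Add-KdsRootKey -EffectiveImmediately takes about 10 hours to become usable.'
}
$effectiveKeys | Select-Object KeyId, CreationTime, EffectiveTime | Format-Table

# 4. Who may create msDS-GroupManagedServiceAccount objects in the target
#    container? Look the class GUID up from the schema instead of hardcoding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$gmsaClass = Get-ADObject -SearchBase $schemaNC `
    -Filter "lDAPDisplayName -eq 'msDS-GroupManagedServiceAccount'" -Properties schemaIDGUID
$gmsaClassGuid = [guid]$gmsaClass.schemaIDGUID
$container     = (Get-ADDomain).ManagedServiceAccountsContainer
"Create rights on $container (match against the identity from step 1 and its groups):"
(Get-Acl -Path "AD:\$container").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'CreateChild|GenericAll' -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $gmsaClassGuid)
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType | Format-Table

# 5. Attempt the creation and surface the real error instead of a bare exit code.
try {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedPrincipals `
        -Enabled $true -ErrorAction Stop
    Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
        Select-Object Name, DNSHostName, Enabled, PrincipalsAllowedToRetrieveManagedPassword
} catch {
    Write-Error ('New-ADServiceAccount failed: {0} [{1}]' -f $_.Exception.Message, $_.CategoryInfo.Category)
    exit 1   # same non-zero exit that IQService reports back to SailPoint
}
```

Run it twice: once as yourself and once under the IQService identity (for example via runas /user:DOMAIN\svc_iqservice powershell.exe). If step 5 only fails in the second run, the difference is in steps 1, 2 or 4; if it fails in both, step 3 or the parameters are the problem.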

The same service account works fine when executed directly in PowerShell.

Will the account creation work without a KDS root key when executed directly in PowerShell?

Thanks for the information. I will verify based on the information provided.

Can you check the already existing before operation native rule, as the error is from the before script?

If possible attach it here (by removing privileged information), we can help you debug it.

My guess: there is something (a PS cmdlet) that assumes the account is a user account and does some things which fail for a gMSA.
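An added PowerShell example illustrating the pattern guessed at above; it is not the poster's native rule and not SailPoint code. It assumes a gMSA named "gmsatest" already exists. A gMSA has objectCategory msDS-GroupManagedServiceAccount and a sAMAccountName ending in "$", so Get-ADUser does not find it, and an uncaught error in a Before script becomes the non-zero exit code. The Resolve-ADAccount function is a hypothetical helper showing a class-agnostic lookup.

```powershell
# Added example, not from the thread. Assumes a gMSA "gmsatest" exists.
Import-Module ActiveDirectory
$name = 'gmsatest'

# Typical failure: a Before script written for user accounts calls Get-ADUser.
# For a gMSA this raises ADIdentityNotFoundException, which ends the script
# with a non-zero exit code if nothing catches it.
try {
    Get-ADUser -Identity $name -ErrorAction Stop | Out-Null
    "Get-ADUser found '$name' (it is a user object)"
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    "Get-ADUser cannot see '$name': $($_.Exception.Message)"
}

# Class-agnostic lookup (hypothetical helper): search by sAMAccountName with
# and without the trailing '$', then dispatch on objectClass.
function Resolve-ADAccount {
    param([Parameter(Mandatory)][string]$Name)
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$Name' -or sAMAccountName -eq '$Name`$'" `
                        -Properties objectClass, sAMAccountName
    if (-not $obj) { throw "No AD object with sAMAccountName '$Name' or '$Name`$'" }
    switch ($obj.ObjectClass) {
        'msDS-GroupManagedServiceAccount' { Get-ADServiceAccount -Identity $obj.DistinguishedName }
        'user'                            { Get-ADUser     -Identity $obj.DistinguishedName }
        'computer'                        { Get-ADComputer -Identity $obj.DistinguishedName }
        default                           { $obj }
    }
}

Resolve-ADAccount -Name $name | Select-Object Name, ObjectClass, SamAccountName, Enabled
```

If the Before script needs attributes of the new object, dispatch on objectClass like this rather than assuming Get-ADUser; the same applies to Set-ADUser and Add-ADGroupMember calls that receive a bare name without the trailing "$".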

@satheeshv Could you please share the native rule you are trying? Possibly something is wrong over there.