I’m working on a scenario where a user exists in three sources — authemployee (delimited file), authoritative (JDBC), and Active Directory.
I manually deleted the user from VMware, which also removed the user from Active Directory. Later, when I triggered the Leaver process in SailPoint IdentityIQ, I encountered the following error:
Error(s) reported back from the IQService - Error occurred while disabling the account cn=Sami.Rai,OU=Users,DC=IIQAD,DC=com
Failed to connect to the server for cn=Sami.Rai,OU=Users,DC=IIQAD,DC=com:
There is no such object on the server. 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=IIQAD,DC=com'.
HRESULT:[0x80072030]
Possible reasons for failure include:
a) The Domain Controller is currently not reachable
b) The object has either been moved or renamed
c) The object has been deleted
Please ensure the data has been aggregated before performing the operation.
Now, I want to handle this exception gracefully — if the user’s Active Directory account has already been deleted, the Leaver process should ignore the AD application and continue deleting or disabling the user from the other sources (authoritative JDBC and authemployee delimited file), instead of throwing an error.
Has anyone implemented a similar scenario or handled such exceptions (for example, using rules or workflow logic) so that the process can skip AD provisioning if the account no longer exists?
Any guidance or best practices would be really helpful.
In the after-provisioning rule, take the ProvisioningResult object and check its status and message. Write logic such that, if a specific keyword is matched, the status and message are changed.
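One way to realize the check above in an after-provisioning rule, as an added example that is not code from the original post or from SailPoint: it assumes the rule is attached to the Active Directory application and receives the standard AfterProvisioning rule inputs (context, log, application, plan, result, project). A failed Delete or Disable whose only errors say the target object does not exist is downgraded to committed; any other failure (unreachable domain controller, permission problems) is left untouched so it still surfaces. The marker substrings are taken from the error text in the question and are an assumption about what the IQService returns; whether a hard connector failure reaches this rule as a failed result rather than an exception depends on the connector, so verify the behaviour in a sandbox before relying on it.

```java
// Rule type: AfterProvisioning, assumed to be bound to the Active Directory application.
// Inputs available to an IdentityIQ after-provisioning rule: context, log, application, plan, result, project.
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.ProvisioningResult;
import sailpoint.tools.Message;

// Substrings of the IQService error that mean "the object is already gone".
// Assumption derived from the error text in the question, not IIQ constants.
String[] GONE_MARKERS = { "NO_OBJECT", "There is no such object on the server" };

// True only if the result carries errors and every one of them is a "no such object" error.
boolean onlyNoObjectErrors(ProvisioningResult res) {
    if (res == null) return false;
    List errs = res.getErrors();
    if (errs == null || errs.isEmpty()) return false;
    for (Message m : errs) {
        String text = m.getLocalizedMessage();
        if (text == null) text = m.getKey();
        boolean matched = false;
        for (int i = 0; i < GONE_MARKERS.length; i++) {
            if (text != null && text.indexOf(GONE_MARKERS[i]) >= 0) { matched = true; break; }
        }
        if (!matched) return false;   // some other failure: leave the result alone
    }
    return true;
}

// Downgrade a failed Delete/Disable of an already-deleted account to committed.
// Other operations (Create, Modify, Enable) are never touched: a missing object is a real error there.
void neutralize(ProvisioningResult res, AccountRequest req) {
    if (res == null || req == null) return;
    if (!ProvisioningResult.STATUS_FAILED.equals(res.getStatus())) return;
    ObjectOperation op = req.getOperation();
    boolean removalOp = ObjectOperation.Delete.equals(op) || ObjectOperation.Disable.equals(op);
    if (removalOp && onlyNoObjectErrors(res)) {
        log.warn("Account " + req.getNativeIdentity() + " no longer exists in "
                 + req.getApplication() + "; treating " + op + " as committed");
        res.setErrors(null);
        res.setStatus(ProvisioningResult.STATUS_COMMITTED);
    }
}

// Check the per-request results first, then the plan-level result.
if (plan != null && plan.getAccountRequests() != null && !plan.getAccountRequests().isEmpty()) {
    for (AccountRequest req : plan.getAccountRequests()) {
        neutralize(req.getResult(), req);
    }
    // The plan-level result has no operation of its own; the AD application plan for a
    // leaver normally carries a single Delete/Disable request, so use the first one.
    neutralize(result, (AccountRequest) plan.getAccountRequests().get(0));
}
```

Keep the marker list narrow: matching on a generic word such as "error" would also swallow outages, which is exactly the case the rule must not hide.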
Just a quick approach, and you can explore this further: you can create a step in the Leaver workflow and call a single account aggregation. If you don't get the account back, it means the account is removed, and you can drop the request from the plan.
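The same idea, asking the connector directly instead of running an aggregation, as an added example that is not code from the original post or from SailPoint. It assumes a rule of type Workflow called from a step in a customized Leaver workflow that receives the workflow's ProvisioningPlan as the argument plan, and that the application is named "Active Directory" as in the question. Going to the connector rather than the identity's Link matters here: when an account is deleted outside IdentityIQ, the Link stays in the IIQ database until the next aggregation, so a Link lookup alone would still try to provision. Only a connector-reported "object not found" causes a request to be dropped; any other connector error propagates so a real outage still fails the workflow instead of silently skipping the account.

```java
// Rule type: Workflow. Assumed step argument: plan (the ProvisioningPlan the Leaver workflow
// is about to provision). context and log are always available to a rule.
import java.util.ArrayList;
import java.util.List;
import sailpoint.connector.Connector;
import sailpoint.connector.ConnectorFactory;
import sailpoint.connector.ObjectNotFoundException;
import sailpoint.object.Application;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.ResourceObject;

// Application whose Delete/Disable requests are dropped when the target no longer exists.
// Assumption: matches the application name used in the question.
String AD_APP = "Active Directory";

// Ask the connector for the account. Returns false only when the connector reports
// that the object does not exist; every other ConnectorException propagates.
boolean accountExists(Application app, String nativeIdentity) {
    Connector connector = ConnectorFactory.getConnector(app, null);
    try {
        ResourceObject obj = connector.getObject(Connector.TYPE_ACCOUNT, nativeIdentity, null);
        return (obj != null);
    } catch (ObjectNotFoundException e) {
        return false;
    }
}

// Remove Delete/Disable requests for AD accounts that are already gone.
// Returns the number of dropped requests so the workflow can branch or audit on it.
int dropStaleAdRequests(ProvisioningPlan plan) {
    int dropped = 0;
    if (plan == null || plan.getAccountRequests() == null) return dropped;
    Application app = context.getObjectByName(Application.class, AD_APP);
    if (app == null) return dropped;

    List keep = new ArrayList();
    for (AccountRequest req : plan.getAccountRequests()) {
        boolean isAd = AD_APP.equals(req.getApplication());
        ObjectOperation op = req.getOperation();
        boolean removalOp = ObjectOperation.Delete.equals(op) || ObjectOperation.Disable.equals(op);
        if (isAd && removalOp && !accountExists(app, req.getNativeIdentity())) {
            log.warn("AD account " + req.getNativeIdentity()
                     + " no longer exists; dropping " + op + " request from the plan");
            dropped++;
            continue;   // not kept: requests for JDBC and the delimited file are unaffected
        }
        keep.add(req);
    }
    plan.setAccountRequests(keep);
    return dropped;
}

return dropStaleAdRequests(plan);
```

Bind the return value with the step's resultVariable and let the existing Provision step run on the trimmed plan; if every account request was dropped, add a transition that bypasses provisioning entirely. Because the stale Link remains after this, schedule or trigger an aggregation afterwards so the AD link disappears from the identity as well.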
Yes, if it is a custom workflow, then in the workflow itself you can write your logic to check whether the account exists or not. If it exists, go to the normal step to remove the AD account; otherwise create a step that will not skip the user.
I would suggest you put a check condition in your workflow: create a rule and reference it. The rule basically checks the links of the user; if it gets AD links, it proceeds with deletion, else it skips AD deletion.
import java.util.List;
import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;

// Get AD links. context.getObjects takes a QueryOptions, and filters are built with
// the static Filter.and / Filter.eq helpers. identity is assumed to be passed to the
// rule as a step argument (for example resolved from the workflow's identityName).
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.and(
    Filter.eq("identity.name", identity.getName()),
    Filter.eq("application.name", "Active Directory")));
List adLinks = context.getObjects(Link.class, qo);

// No AD account found - skip AD provisioning
boolean skipAD = (adLinks == null || adLinks.isEmpty());

// Publish the decision as a workflow variable so a later step or transition can test it.
// In a rule called from a workflow step the WorkflowContext is exposed as wfcontext.
wfcontext.setVariable("skipAD", skipAD);
return skipAD;