How can i generate this distinguished name for AD provisioning

hey guys,

i want to generate a unique distinguished name for creaating AD account :

i have done this in create profile of AD and selected generator “create unique account id”
and used this pattern below :

CN=$(lastname),$(firstname)$(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com

example i need account in AD for AMAN PATEL so it shud be like :

CN=PATEL,AMAN(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com

SO how can i achiev it and once i have requested the provisioning i got this error :
Provisioning
Exception occurred while executing the RPCRequest: Errors returned from IQService. “Error occurred while enabling the account CN=PATEL,AMAN(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com.The server is unwilling to process the request. The server is unwilling to process the request. 0000052D: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0 0000052D: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0 . HRESULT:[0x80072035]”
SHOW LESS
KINDLY HELP !!

correction:
CN=$(lastname)(backslash),$(firstname)$(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com

CN=PATEL(backslash),AMAN(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com

i dont know why sailpoint is not displaying (backslash) so put it in words

I think the issue is with the comma (,) as part of the CN.

hey edwin but it is the requirement in AD . how we can achiev cn = lastname(backslash),firstname(A)

Why would you require a comma on the CN part of the DN? That sounds like an horrible design decision and bound to lead to issues in other systems as well.

actually in AD it is like that only the dn that is coming from AD through aggragtion.

and may i know why the error is coming and waht it is for?

Hi @Apoorv0802 ,

As @sauvee mentioned, the CN part of the distinguished name s a single-value attribute, meaning it cannot contain multiple values separated by commas.

Can you provide an example of an aggregated account from IDN that has (,) ?

Thanks.

I’ve never done this myself (again, I would strongly advise to just omit the commas and move on), but indeed you will need to escape the comma value. If the '' will not work, you could try ‘\2c’ or ‘\5c’.

Hi @Apoorv0802,

Can you try using the username generator transform and see if it works for you.

See the below thread for reference:

It’s not very uncommon to have a comma in the cn part of the dn. I have seen it at multiple places and having a \, does the job

CN=$(lastname)\,$(firstname)$(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com

use the \. Add above string for pattern under “Create Account” settings in the UI

@Apoorv0802 you can use a static transfrom for the same the genrator has some defined pattern.
However the best approach would be to use generator rule for the same

@Apoorv0802 -

The error you’re seeing is because Active Directory is rejecting the distinguished name (DN) due to a formatting issue. In AD, commas are used to separate the different components (RDNs) of the DN. When your generated CN value itself contains a comma (as in PATEL,AMAN(A)), AD misinterprets it as two separate RDNs unless you escape the comma.

What’s Happening

Your current generator pattern is:

CN=$(lastname),$(firstname)$(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com

For a user with the first name AMAN and last name PATEL, this produces:

CN=PATEL,AMAN(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com

Here, the comma in PATEL,AMAN(A) is not escaped. Active Directory interprets it as:

• CN=PATEL
• AMAN(A) (with no attribute key)

This makes the DN syntactically invalid, leading to the error:

The server is unwilling to process the request.

How to Fix It

To include a literal comma in an attribute value (like in the CN), you must escape it with a backslash. So, update your pattern to escape the comma within the CN value:

CN=$(lastname)\,$(firstname)$(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com

Now, for AMAN PATEL, the generated DN becomes:

CN=PATEL\,AMAN(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com

This tells Active Directory that the comma is part of the CN value rather than a separator between RDNs.

Steps to Implement

1. Modify the Pattern:
   In your SailPoint IdentityNow AD account create profile, change the pattern from:

   CN=$(lastname),$(firstname)$(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com
   

   to:

   CN=$(lastname)\,$(firstname)$(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com
   

2. Test the Change:
   Provision a test account (for example, for AMAN PATEL) and verify that the DN is now being generated as:

   CN=PATEL\,AMAN(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com
   

   Ensure that Active Directory accepts this DN without error.

3. Deploy:
   Once confirmed, deploy the change to your production environment.

Note:

Always ensure that any special characters in DN attribute values (like commas, plus signs, etc.) are properly escaped according to LDAP/AD standards. This will help avoid similar provisioning errors in the future.

If you have any further questions or run into additional issues, feel free to ask!

hey amit i did same but still error is coming ,

image684×490 43.2 KB

i have put CN=$(lastname)(BACKSLASH),$(firstname)$(A),OU=Employees,OU=ABC,DC=XYZ,DC=com in provisioning policy but still no provisioning

forget about this one even the default one is not happening

CN=$(lastname).$(firstname)$(A),OU=Employees,OU=XYZ Users,DC=ABC,DC=com...even this is not provisoning

Hi @Apoorv0802 - Sounds like AD could be complaining about the UserAccountControl. Are you trying to create an active account? If so, check that the password you are sending meets the AD policy.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.