How to Filter Out Domain Users Entitlements on Remove All Access

Hi,

I’m running into an issue when enabling “Remove All Access” on the Inactive lifecycle state for Active Directory sources.

I receive the following error related to Domain Users:

["Failed to update attribute memberOf Error occurred while setting group membership CN\u003dDomain Users,CN\u003dUsers,DC\u003dDomain,DC\u003dcom. The server is unwilling to process the request. The server is unwilling to process the request. 0000055E: SvcErr: DSID-031A126A, problem 5003 (WILL_NOT_PERFORM), data 0 0000055E: SvcErr: DSID-031A126A, problem 5003 (WILL_NOT_PERFORM), data 0 . HRESULT:[0x80072035]"]

I understand, this is happening because Domain Users is the primary/default group in AD and cannot be removed like a normal group membership.

After reviewing other posts, I believe the correct approach is to modify the plan using a Cloud Before Provisioning Rule to exclude “Domain Users” from any memberOf removal operations triggered by “Remove All Access.”

My Questions:

  1. Is using a Cloud Before Provisioning Rule the best practice for handling this scenario?

  2. Does anyone have a sample code snippet that filters out “Domain Users” from the memberOf removal list?

  3. Is there a cleaner approach within SailPoint (IdentityNow / ISC) configuration to prevent this group from being targeted during Remove All Access?

Any guidance or examples would be greatly appreciated.

Thanks
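For question 2, the following is an illustrative Cloud Before Provisioning Rule body in BeanShell (Java syntax). It is added here as an example and is not code from any participant in this thread nor SailPoint's own code. It assumes the rule receives the standard `plan` input (`sailpoint.object.ProvisioningPlan`), that the AD group attribute is named `memberOf`, and that Domain Users can be recognised by the DN prefix `CN=Domain Users,`; the prefix and attribute name are placeholders to adjust for your directory.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Illustrative Cloud Before Provisioning Rule body (assumption: "plan" is the
// sailpoint.object.ProvisioningPlan passed to the rule). Not SailPoint's own code.
// Goal: strip the primary group (Domain Users) out of any memberOf Remove request
// so AD does not reject the whole plan with WILL_NOT_PERFORM.

String GROUP_ATTR = "memberOf";                      // assumption: AD group attribute name
String PRIMARY_GROUP_PREFIX = "CN=Domain Users,";    // placeholder: match on the RDN prefix so the domain suffix does not matter

// True when a group DN refers to the primary group that AD refuses to remove.
boolean isPrimaryGroup(Object value) {
    return value != null
        && value.toString().toLowerCase().startsWith(PRIMARY_GROUP_PREFIX.toLowerCase());
}

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest acctReq : plan.getAccountRequests()) {
        List attrReqs = acctReq.getAttributeRequests();
        if (attrReqs == null) {
            continue;
        }
        List keep = new ArrayList();
        for (Object o : attrReqs) {
            AttributeRequest attrReq = (AttributeRequest) o;

            // Only memberOf removals are touched; Adds, Sets and other attributes pass through unchanged.
            boolean isGroupRemoval = GROUP_ATTR.equalsIgnoreCase(attrReq.getName())
                && ProvisioningPlan.Operation.Remove.equals(attrReq.getOperation());
            if (!isGroupRemoval) {
                keep.add(attrReq);
                continue;
            }

            Object value = attrReq.getValue();
            if (value instanceof List) {
                // Multi-valued removal: drop only the primary group, keep the rest.
                List filtered = new ArrayList();
                for (Object v : (List) value) {
                    if (!isPrimaryGroup(v)) {
                        filtered.add(v);
                    }
                }
                if (!filtered.isEmpty()) {
                    attrReq.setValue(filtered);
                    keep.add(attrReq);
                }
                // If Domain Users was the only value, the request is dropped entirely.
            } else if (!isPrimaryGroup(value)) {
                // Single-valued removal of some other group: keep it.
                keep.add(attrReq);
            }
        }
        acctReq.setAttributeRequests(keep);
    }
}
```

The rule deliberately narrows its scope to `Remove` operations on `memberOf`: every other attribute request in the plan is preserved untouched, and when the primary group was the only value in a removal request the request is dropped rather than sent as an empty removal. Test it in a sandbox with a plan that contains Domain Users alongside other groups before attaching it to a production source.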

I don’t think this setting is trying to remove the Domain Users membership from the user. Have you looked at other settings that might be trying to remove this group? Maybe this is included in a BR role that the user is losing due to LCS change which is triggering the removal process?

I only see this error when I turn on the “Remove all Access” setting. We do have the Services Standard Before Provisioning Rule on our AD sources. That is what we were using to remove entitlements before the new feature became available. I removed the old logic from the source and am only removing entitlements through the lifecycle state on the identity profile.

Do you have this feature enabled and you don’t get these errors?

Do you mean one of my BR roles has the domain users entitlement added to it?

Hello,
Unfortunately there’s no way to apply filters! What you can do is filter the Domain Users group to not be aggregated!

The “workaround” for this is to add the access you wish to keep in the access profile section of the lifecycle state


Yes, I have used this a few times and do not remember seeing the error you mentioned.

Yes, this is what I meant


Since @iamnithesh suggested this fix, can you please credit him with the solution?
