IdentityNow Inactive Lifecycle State Not Disable AD

Hi Sailors,

I am trying to configure the Leaver lifecycle state to disable an AD account when the user’s status changes to Inactive.


However, after the identity changes to Inactive, the access is removed, but the AD account is neither disabled nor moved to the Disabled OU.

For my AD source, I already have a PowerShell script in place that handles OU movement on department change, and it works as expected. The script also includes logic for handling the “Disable” operation and moving users to the Disabled OU:

    LogToFile("Entering Main Script")

    $nativeIdentity = $requestObject.NativeIdentity
    $operation = $requestObject.Operation
    $Targeted_OU = ''

    # Debug logging to see what values we're getting
    LogToFile("Native Identity = $nativeIdentity")
    LogToFile("Operation = $operation")
    LogToFile("Operation Type = $($operation.GetType().Name)")
    
    # Log all available properties for debugging
    LogToFile("Request Object Properties:")
    $requestObject | Get-Member -MemberType Property | ForEach-Object {
        $propName = $_.Name
        $propValue = $requestObject.$propName
        LogToFile("  $propName = $propValue")
    }

    if ($requestObject.Operation -eq 'Disable') {
        LogToFile("Processing Disable operation")
        
        $terminatedOU = 'OU=DisabledOU,OU=ISC_Users,DC=demo,DC=info'

        #Moving the AD User to terminated OU
        Move-ADObject -Identity $nativeIdentity -TargetPath $terminatedOU

        LogToFile("User moved to $terminatedOU OU")
        LogToFile("COMPLETED")
    } 
The remaining code, which handles the mover, is not pasted here.

Upon checking the logs, I noticed that when the identity status changes to Inactive, the operation is detected as “Modify”, not “Disable”—which explains why the script does not move the user to the Disabled OU.

Any idea why it does not detect as “Disable”?

I guess you have recently updated IQService to the TLS port. If so, please delete the non-TLS port entry from the IQService registry; then the script works.

To disable accounts in a specific source, you need to add the source under “Disable Accounts” here.

Hi @iamnithesh ,

I think the AD source to disable is added in my identity profile.

Hi @HussainshaSyed001 ,

If so, my OU movement on department change should not succeed either. So I guess it might not be the TLS port issue.


Hi,
My suspects are:

  1. Operation string mismatch or case sensitivity (maybe the operation is 'disable' (lowercase) or 'Deactivate' or something else).
  2. Try to add a lookup to get the DN before disabling/moving.
  3. The account running the script or lifecycle task must have rights to disable accounts and move AD objects.

Hi @Bernardc,

Do you have any before provisioning rule tied to your AD source that could be altering the plan and changing the disable operation to something else?

Hi @jesvin90 ,

Yes, there is an after modify rule attached to my AD source.

    LogToFile("Entering Main Script")

    $nativeIdentity = $requestObject.NativeIdentity
    $operation = $requestObject.Operation
    $Targeted_OU = ''

    # Debug logging to see what values we're getting
    LogToFile("Native Identity = $nativeIdentity")
    LogToFile("Operation = $operation")
    LogToFile("Operation Type = $($operation.GetType().Name)")
    
    # Log all available properties for debugging
    LogToFile("Request Object Properties:")
    $requestObject | Get-Member -MemberType Property | ForEach-Object {
        $propName = $_.Name
        $propValue = $requestObject.$propName
        LogToFile("  $propName = $propValue")
    }

    if ($requestObject.Operation -eq 'Disable') {
        LogToFile("Processing Disable operation")
        
        $terminatedOU = 'OU=DisabledOU,OU=ISC_Users,DC=demo,DC=info'

        #Moving the AD User to terminated OU
        Move-ADObject -Identity $nativeIdentity -TargetPath $terminatedOU

        LogToFile("User moved to $terminatedOU OU")
        LogToFile("COMPLETED")
    } 
The remaining code, which handles the mover, is not pasted here.

I could suggest one thing till the root cause is identified…!!

Have a workflow triggered when the identity lifecycle state changes to Inactive, and disable all the sources using the workflow actions 1. Get Accounts and 2. Manage Accounts.

Let me know if that helps..!!

Hi @vdivakar ,

Yes, the workflow is triggered, but the account is not disabled in AD.

Why don’t you use the OOTB Service Standard Before Provisioning rule provided by SailPoint?

Hi @vishal_kejriwal1 ,

Ya, I was about to take down the rule and try whether OOTB can disable the AD account or not. But my testing tenant seems to be currently unavailable. Will update once the tenant is back to normal.

Can you please let me know whether the account is not disabled but moved to the disabled OU, or the account is not disabled and also not moved to the disabled OU?

Hi @vishal_kejriwal1

I have taken down the rule and triggered the leaver event. The account is not disabled.

Hi @HussainshaSyed001 ,

It is not disabled in AD, and not moved to the disabled OU either.

Then for now we can suspect as follows:

  1. The disable operation may be triggered before all necessary processes have completed, causing it to fail.
  2. Is delta aggregation enabled? Disable it.
  3. The service account may be prevented from disabling due to permissions.
  4. Sync issue.
  5. Check that the account lock status attribute is configured properly.

Frankly, I am not sure which it might be in your case.

Hi @HussainshaSyed001 ,

  1. Access was removed; just the account is not disabled.
  2. Delta aggregation is not disabled.
  3. The IQS service account is an administrator and should have enough access to disable the account.
  4. Do you mean an attribute sync issue?
  5. May I know which attribute specifically?

@Bernardc
Well, in that case the last thing I would check is the AD service account's permission to enable and disable AD accounts.

Also, whether there are any policies implemented in AD which are preventing account disablement using this service account.
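The rights question raised twice in this thread (item 3 of the earlier suspect list, and the service account check suggested just above) can be answered from the object's own DACL rather than by guessing. The following read-only audit is an added example, not code from the thread or from SailPoint: it lists the Allow ACEs on the leaver's user object and on the Disabled OU that name the service account (or a group you pass in), and reports whether they grant WriteProperty on userAccountControl (what a disable needs) and Delete on the user plus CreateChild on the target OU (what a move needs). The principal names, the user DN and the log of the result are placeholders; the schema GUIDs are resolved from the forest schema rather than hard-coded.

```powershell
# Added example, not from the thread or SailPoint: read-only audit of the ACEs
# that grant the IQService service account the rights a leaver action needs.
# Principals and the user DN are placeholders; the OU is the one from the thread.
Import-Module ActiveDirectory

$Principals = @('DEMO\svc-iqservice', 'DEMO\AD-Provisioning-Admins')   # placeholders: account + a group it relies on
$UserDN     = 'CN=Jane Leaver,OU=Staff,OU=ISC_Users,DC=demo,DC=info'   # placeholder
$TargetOU   = 'OU=DisabledOU,OU=ISC_Users,DC=demo,DC=info'            # OU from the thread

# Resolve a schemaIDGUID from the schema instead of hard-coding it.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

# Allow ACEs on an object that name one of the given principals. Deny ACEs and
# rights reached only through nested groups are NOT evaluated, so a negative
# result means "not granted by a named ACE", not "forbidden".
function Get-GrantedAces([string]$Dn, [string[]]$Names) {
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $Names -contains $_.IdentityReference.Value
    }
}

# True when the ACE carries the right, either for all attributes/classes
# (empty ObjectType) or for the specific schema GUID. GenericAll/GenericWrite
# ACEs pass because their flag sets include the specific bit.
function Test-AceGrants($Ace, [System.DirectoryServices.ActiveDirectoryRights]$Right, [guid]$ObjectType) {
    $Ace.ActiveDirectoryRights.HasFlag($Right) -and
        ($Ace.ObjectType -eq [guid]::Empty -or $Ace.ObjectType -eq $ObjectType)
}

# Disabling an account is a write to userAccountControl.
function Test-CanDisable([string]$Dn, [string[]]$Names) {
    $uac = Get-SchemaGuid 'userAccountControl'
    [bool](Get-GrantedAces $Dn $Names | Where-Object { Test-AceGrants $_ 'WriteProperty' $uac })
}

# Moving needs Delete on the object (or DeleteChild on its current parent OU,
# not checked here) and CreateChild for class user on the target OU.
function Test-CanMove([string]$Dn, [string]$TargetOuDn, [string[]]$Names) {
    $userClass = Get-SchemaGuid 'user'
    $canDelete = [bool](Get-GrantedAces $Dn $Names |
        Where-Object { $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::Delete) })
    $canCreate = [bool](Get-GrantedAces $TargetOuDn $Names |
        Where-Object { Test-AceGrants $_ 'CreateChild' $userClass })
    return ($canDelete -and $canCreate)
}

[pscustomobject]@{
    CanDisable = Test-CanDisable -Dn $UserDN -Names $Principals
    CanMove    = Test-CanMove -Dn $UserDN -TargetOuDn $TargetOU -Names $Principals
} | Format-List
```

Run it as any account that can read the DACLs, passing the IQService service account plus every group it is expected to get its rights from; a `False` is a prompt to inspect the ACEs the function filtered out (Deny entries, inherited group rights), not proof that the operation is blocked.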

Hi @vdivakar ,

The AD account is an administrator and should have the right access as well. Also, I did try disabling it manually in AD, logged in with the service account.

Regarding policy, I believe there is none, as I am using the same AD for the IdentityIQ demo, and disablement is possible there.

Yes, an attribute sync issue, and in AD there will be an account lock status attribute.
Also take note of a very peculiar issue called the timing issue, as I stated: the disable operation may be triggered before all necessary processes have completed, causing it to fail.

@Bernardc
Could you add a PowerShell statement to disable the AD account once it is moved to the disabled OU?
I am not sure why SailPoint is not doing it, but when you say that the account is being moved to the terminated OU but not getting disabled, I believe SailPoint expects your PowerShell script to take care of that part as well.

I am also suspecting that, before SailPoint could actually disable the AD account, the script is moving that account to the terminated OU, and since the account is no longer in the OU that it was in before, SailPoint is not able to find it so that it can disable it..!!

So, ya, that would be my next suggestion: disable the account using your PowerShell code itself…
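Putting the opening post's script and this last suggestion together, here is an added example of a leaver handler for an IQService after-modify script. It is not the poster's script and not SailPoint code. It assumes the common IQService script pattern in which the rule hands the request XML over in `$env:Request` and it is deserialised into `$requestObject` with SailPoint's Utils.dll (the class names follow SailPoint's published template; treat them as assumptions if your template differs). The Utils.dll path and the log path are placeholders, the OU is the thread's, and the mover logic the poster left out is not reproduced. The order matters: the account is disabled and the result verified before it is moved, because the move changes the DN, and the move is done by ObjectGUID so it does not depend on the pre-move DN.

```powershell
# Added example: leaver handler for an IQService after-modify script.
# Not the thread's script and not SailPoint's code. Assumes the standard
# IQService pattern (request XML in $env:Request, deserialised with Utils.dll).
# Paths are placeholders; the OU is the one from the thread.

$LogFile      = 'C:\IQService\Logs\LeaverHandler.log'          # placeholder
$UtilsDll     = 'C:\IQService\Utils.dll'                        # placeholder
$TerminatedOU = 'OU=DisabledOU,OU=ISC_Users,DC=demo,DC=info'  # OU from the thread

function LogToFile([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message)
}

function Invoke-LeaverDisable {
    param(
        [Parameter(Mandatory)][string]$NativeIdentity,   # DN of the AD account
        [Parameter(Mandatory)][string]$TargetOU
    )

    # 1. Resolve the object first. If the DN no longer resolves (for example
    #    because it was already moved), fail here with a clear message.
    $user = Get-ADUser -Identity $NativeIdentity
    LogToFile("Resolved $($user.SamAccountName) GUID=$($user.ObjectGUID) Enabled=$($user.Enabled)")

    # 2. Disable BEFORE moving. The move changes the DN, and any later step
    #    that still addresses the account by its old DN cannot find it.
    if ($user.Enabled) {
        Disable-ADAccount -Identity $user.ObjectGUID
    }

    # 3. Verify rather than assume: a permission problem surfaces here.
    $check = Get-ADUser -Identity $user.ObjectGUID
    if ($check.Enabled) {
        throw "Account $NativeIdentity is still enabled after Disable-ADAccount; check the service account's rights on the object"
    }
    LogToFile("Account disabled and verified")

    # 4. Move by ObjectGUID, which is unaffected by the DN change a move implies.
    Move-ADObject -Identity $user.ObjectGUID -TargetPath $TargetOU
    $moved = Get-ADUser -Identity $user.ObjectGUID
    LogToFile("Moved to $($moved.DistinguishedName)")
    return $moved
}

try {
    Import-Module ActiveDirectory

    # Deserialise the request as the IQService script template does (assumed).
    Add-Type -Path $UtilsDll
    $sReader       = New-Object System.IO.StringReader([string]$env:Request)
    $xmlReader     = [System.Xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader))
    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader)

    # Log only the operation name and identity. Dumping every property of the
    # request (the Get-Member loop in the thread's script) can write attribute
    # values into a plain-text log that do not belong there.
    LogToFile("Entering Main Script: Operation='$($requestObject.Operation)' NativeIdentity='$($requestObject.NativeIdentity)'")

    # switch compares strings case-insensitively by default, so 'disable' matches too.
    switch ($requestObject.Operation) {
        'Disable' {
            $null = Invoke-LeaverDisable -NativeIdentity $requestObject.NativeIdentity -TargetOU $TerminatedOU
        }
        default {
            LogToFile("No leaver action for operation '$($requestObject.Operation)'")
        }
    }
    LogToFile("COMPLETED")
}
catch {
    # Record the failure and rethrow so IQService reports an error, not success.
    LogToFile("FAILED: $($_.Exception.Message)")
    throw
}
```

The first log line is the diagnostic for the thread's open question: if the operation still arrives as `Modify` for a leaver, the `Disable` branch is never reached no matter how the script is written, and the logged operation name is what to compare against the provisioning plan.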