Issue setting GroupScope when provisioning group to Active Directory

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Currently experiencing issues when provisioning an Active Directory group through an ObjectRequest. The group is successfully created on the directory as expected, but the groupScope is always defaulted to “Global” even if we pass “Universal” or “DomainLocal” as the desired GroupScope. Anyone have any ideas what may be going wrong here? Could it potentially be an access issue with the ID being used to do this provisioning? Screenshot of code attached, have tried to pass both “GroupScope” and “GroupType” in the attribute request and neither has worked.

There might be the below issues:

Directory Permissions: The service account used by IdentityIQ to connect to Active Directory should have sufficient permissions to create and modify groups with different scopes.

Directory Configuration: Active Directory has certain rules about when and where you can create Universal and DomainLocal groups. For example, to create a Universal group, the domain must be in native mode.

Hi Connor,
In line 2 you set target integration to LDAP. Do you have any reason to do that instead of calling the AD connector in the OoTB way?

The reason why I am asking is that the AD connector is using RPC to execute provisioning and for sure supports provisioning of different GroupScopes. I'm not sure if this line is not causing your problems.

Hey Kamil,

I believe we’re using LDAP as the target integration since we saw someone else doing it that way in another thread, so we could definitely try the AD Connector, by any chance do you have a link to the documentation for that? Thanks for your help!

Sure, here you should find all the details.

https://documentation.sailpoint.com/connectors/identityiq/active_directory/help/integrating_active_directory/intro.html
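To illustrate the change Kamil suggests, here is an added example (not the original poster's code and not SailPoint's): an ObjectRequest that creates an AD group with the requested scope and leaves targetIntegration unset so the AD connector routes it. Assumed: an application named "Active Directory", the group schema type "group", the attribute name "GroupScope" as tried in the thread, and ProvisioningPlan/Provisioner calls as in the IIQ 8.x API (verify against your version); the groupType bit values are Microsoft's documented ones.

```java
import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.ProvisioningPlan.ObjectRequest;
import sailpoint.object.ProvisioningPlan.Operation;

public class AdGroupScopeExample {

    // Microsoft-defined groupType bits: scope bits plus the security-enabled flag.
    static final int SCOPE_GLOBAL = 0x2;
    static final int SCOPE_DOMAIN_LOCAL = 0x4;
    static final int SCOPE_UNIVERSAL = 0x8;
    static final int SECURITY_ENABLED = 0x80000000;

    // Map the scope name used in the thread to the raw groupType value AD stores.
    static int groupTypeFor(String scope, boolean securityEnabled) {
        int bits;
        if ("Universal".equalsIgnoreCase(scope)) bits = SCOPE_UNIVERSAL;
        else if ("DomainLocal".equalsIgnoreCase(scope)) bits = SCOPE_DOMAIN_LOCAL;
        else if ("Global".equalsIgnoreCase(scope)) bits = SCOPE_GLOBAL;
        else throw new IllegalArgumentException("Unknown scope: " + scope);
        return securityEnabled ? (bits | SECURITY_ENABLED) : bits;
    }

    // Decode a groupType read back after aggregation, so a post-provisioning
    // check can confirm the scope applied rather than the Global default.
    static String scopeOf(int groupType) {
        if ((groupType & SCOPE_UNIVERSAL) != 0) return "Universal";
        if ((groupType & SCOPE_DOMAIN_LOCAL) != 0) return "DomainLocal";
        return "Global";
    }

    static ProvisioningPlan buildPlan(String groupDn, String scope) {
        ProvisioningPlan plan = new ProvisioningPlan();
        ObjectRequest req = new ObjectRequest();
        req.setApplication("Active Directory");   // assumed application name
        req.setType("group");                      // assumed schema object type
        req.setOp(ObjectOperation.Create);
        req.setNativeIdentity(groupDn);
        // No plan.setTargetIntegration("LDAP") here: the AD connector handles
        // the request itself, which is the change suggested in the thread.
        req.add(new AttributeRequest("GroupScope", Operation.Set, scope));
        plan.addObjectRequest(req);
        return plan;
    }

    static void provision(SailPointContext ctx, ProvisioningPlan plan) throws Exception {
        new Provisioner(ctx).execute(plan);
    }
}
```

After provisioning, aggregate the group and compare scopeOf(groupType) with the requested value to confirm the connector honoured it rather than defaulting to Global.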
