Issue with Active Directory After Creation Rule – After Script Exit Code 1

Hello Everyone,

I am currently working on an Active Directory After Creation Rule and facing the following issue:

sailpoint.connector.ConnectorException: Errors returned from IQService. Account creation rolled back due to partial success. Create operation is successful, but post-script execution failed. After-script returned non-zero exit code: 1

The rule I developed is designed to:

  • Check the user’s availability in two different Active Directory servers, and

  • Establish a session to Microsoft Exchange to execute a mailbox creation PowerShell script targeting the server where the user is found.

The PowerShell script works perfectly when executed independently in the PowerShell console. However, once it is attached to the After Creation Rule and deployed in the tenant, it throws the above error.

I also tested the rule by removing the user availability check logic and keeping only the Exchange session creation and mailbox creation part. In this scenario, the rule works as expected without any errors.

Note: I do not see any execution logs in the IQService server log files.

Has anyone experienced a similar issue before, or could someone help me identify what might be causing this error and how to resolve it?

Attached both rules for reference.

AD After Create rule - With User check in server.txt (3.1 KB)

AD After Create rule - Without User check in server.txt (1.9 KB)

Thanks in advance for your support.

When you tested it, were you logged into the server where IQService is hosted? Did you run it as the same service account running IQService? Did you verify RSAT is installed on the server?

In this code block, did you have a try block in the code deployed?:

$POI = "OU=Board of Directors"
if ($nativeIdentity -match $POI)
{
    LogToFile("Setting Primary Group ID for BOD user")
    Add-ADGroupMember -Identity "EMM_BOD" -Members $nativeIdentity
    Set-ADUser -Identity $nativeIdentity -Replace @{ primaryGroupID = <> }
}

LogToFile("Script completed successfully.")

}
catch {
    LogToFile("ERROR: $($_.Exception.Message)")
}
finally {
    LogToFile("Finally block executed.")
    if ($session) {
        Remove-PSSession $session
    }
}

Yes, I logged in to the server during testing, and it is the same service account.

No, I do not, as this section worked previously.

I wonder how it ever worked.

If you can, try replacing

$POI = "OU=Board of Directors"
if ($nativeIdentity -match $POI)
{
    LogToFile("Setting Primary Group ID for BOD user")
    Add-ADGroupMember -Identity "EMM_BOD" -Members $nativeIdentity
    Set-ADUser -Identity $nativeIdentity -Replace @{ primaryGroupID = <> }
}

LogToFile("Script completed successfully.")

}

with

$POI = "OU=Board of Directors"
try {
    if ($nativeIdentity -match $POI)
    {
        LogToFile("Setting Primary Group ID for BOD user")
        Add-ADGroupMember -Identity "EMM_BOD" -Members $nativeIdentity
        Set-ADUser -Identity $nativeIdentity -Replace @{ primaryGroupID = <> }
    }

    LogToFile("Script completed successfully.")

}

}

I added a try block and tested the script again, but the same error persisted. I also reviewed the VA CCG logs and observed that the code is throwing an LDAP error 32, which indicates that the Get Object operation is failing because the object is not found.

To address this, I added Start-Sleep -Seconds 10 to pause the script and allow time for the user to be created in Active Directory; however, the issue still occurs.
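The two failure modes discussed in this thread (the after-script exiting 1 with nothing in the IQService log, and LDAP error 32 because the new object has not yet replicated to the DC being queried) can both be made visible from inside the script. The following is an added example of an after-create script skeleton, not code from the original thread or from SailPoint: it polls each domain controller for the object instead of relying on one fixed Start-Sleep, wraps logging so a bad log path cannot itself abort the script, points Exchange at the DC where the object was actually found, and sets the exit code explicitly. The DC names, log path, Exchange URI and the parameter name are assumed placeholders; the ActiveDirectory module (RSAT) must be present on the IQService host.

```powershell
# Added example, not from the original thread. Server names, log path and
# Exchange URI below are assumed values; replace them for your environment.

param(
    [Parameter(Mandatory = $true)][string]$NativeIdentity   # DN handed over by IQService (assumed parameter name)
)

$LogFile  = 'C:\IQService\Logs\AfterCreate.log'          # assumed; one fixed name the IQService account can write
$Servers  = @('dc01.corp.example', 'dc02.corp.example')  # assumed; the two DCs the rule checks
$ExchUri  = 'http://exch01.corp.example/PowerShell/'     # assumed Exchange remote PowerShell endpoint
$MaxTries = 12                                            # 12 x 5 s = up to 60 s waiting for replication
$Delay    = 5

function Write-Log {
    param([string]$Message)
    # Never let logging itself kill the script: an unwritable or malformed log
    # path surfaces at IQService only as "exit code 1", the symptom in the thread.
    try {
        $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
        Add-Content -Path $LogFile -Value $line -ErrorAction Stop
    } catch {
        Write-Warning "log write failed: $($_.Exception.Message) :: $Message"
    }
}

function Find-UserOnServers {
    param([string]$Identity, [string[]]$ServerList)
    # Returns the first DC on which the object resolves, or $null.
    # Get-ADUser throws ADIdentityNotFoundException (LDAP error 32 on the wire)
    # when the object has not replicated to that DC yet, so each probe is wrapped.
    foreach ($srv in $ServerList) {
        try {
            $null = Get-ADUser -Identity $Identity -Server $srv -ErrorAction Stop
            return $srv
        } catch {
            Write-Log "not yet on ${srv}: $($_.Exception.GetType().Name)"
        }
    }
    return $null
}

function Wait-ForUser {
    param([string]$Identity, [string[]]$ServerList, [int]$Tries, [int]$DelaySeconds)
    # Poll rather than sleep once: replication latency is not a constant.
    for ($i = 1; $i -le $Tries; $i++) {
        $found = Find-UserOnServers -Identity $Identity -ServerList $ServerList
        if ($found) { return $found }
        Write-Log "attempt $i/$Tries : object not visible yet, sleeping $DelaySeconds s"
        Start-Sleep -Seconds $DelaySeconds
    }
    return $null
}

$session  = $null
$exitCode = 0
try {
    Import-Module ActiveDirectory -ErrorAction Stop   # requires RSAT on the IQService host
    Write-Log "after-create start for $NativeIdentity"

    $target = Wait-ForUser -Identity $NativeIdentity -ServerList $Servers -Tries $MaxTries -DelaySeconds $Delay
    if (-not $target) {
        throw "object $NativeIdentity not found on any of: $($Servers -join ', ')"
    }
    Write-Log "object found on $target"

    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchUri -Authentication Kerberos -ErrorAction Stop
    Import-PSSession -Session $session -CommandName Enable-Mailbox -DisableNameChecking -AllowClobber | Out-Null

    # Pin Exchange to the DC that already holds the object so it does not hit error 32 itself.
    Enable-Mailbox -Identity $NativeIdentity -DomainController $target -ErrorAction Stop | Out-Null
    Write-Log "mailbox enabled for $NativeIdentity"
} catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    $exitCode = 1
} finally {
    if ($session) { Remove-PSSession $session }
    Write-Log "after-create end, exit $exitCode"
}
exit $exitCode
```

Run it once by hand on the IQService host as the IQService service account (not as the logged-in admin) and confirm the log file appears at the fixed path; if the script then returns 1 under IQService but 0 interactively, the difference is in the service account's rights or environment, not in the script logic.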

Can you post what you see in the account activity for this?

Also, if you think the after create rule is the concern, add more loggers at each step and see where it is failing.

Hi @lampard08 and @vkashat

Thank you for your responses. This was solved by someone from my team; the issue was with the logfile naming convention.