Issue with Before Provisioning Rule and ObjectNotFoundException during User Leaver Process

Hi Team,

We are facing an issue when executing the before provisioning rule, and the error below is thrown during the user leaver process. We are modifying the OU by setting the AC_newParent attribute in the rule.

["sailpoint.connector.ObjectNotFoundException: [ ObjectNotFoundException ] \n [ Possible suggestions ] Ensure that account - CN\u003dTest,OU\u003dDeparted,OU\u003dUser Accounts,DC\u003dTest,DC\u003dTest,DC\u003dcom exists. \n [ Error details ] ObjectNotFound [LDAP: error code 32 - 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of:\n\t\u0027OU\u003dDeparted,OU\u003dUser Accounts,DC\u003Test,DC\u003dTest,DC\u003dcom\u0027\n]"]

Thanks
Kalyan

1 Like

@kalyannambi2010 looking at the error, it seems as if you’re trying to update an object in an OU where it does not exist.

You specified AC_newParent attribute being updated, which could be related to this, although in an ideal case it should be able to find the object (the AD Account) in the old OU first before the rule triggers updates to it.

Would it be possible for you to share how you set the new value for AC_newParent in your rule? I’d also recommend you view the trace logs on IQService for when this leaver scenario is triggered to better understand what the plan looks like, and where exactly the error originates.

1 Like

Hi @sushant1, we are using the below AD before provisioning rule to perform the leaver operation, where we have the AD move code and other attribute operations.

<?xml version='1.0' encoding='UTF-8'?>
AD Before Provisioning Rule which removes all the group memberships except ACC_LegalHold from AD.
<![CDATA[
    import java.text.SimpleDateFormat;
    import java.util.ArrayList;
    import java.util.Date;
    import java.util.List;
    import java.util.Random;
    import sailpoint.object.Identity;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;
    import sailpoint.object.ProvisioningPlan;
    import sailpoint.tools.Util;
    import java.util.TimeZone;
    import sailpoint.rule.Account;

    log.error("Ad before provisioning Sample Testworld Inside Rule - BeforeProvisioning - ADBeforeProvisoning");
    Identity identity = plan.getIdentity();
    List accountRequests = plan.getAccountRequests();
    List memeberOfList = new ArrayList();
    String currentLCS =identity.getAttribute("cloudLifecycleState");  
    String disabledOU= "OU=Departed,DC=Sample,DC=Testworld";
    log.error("Ad before provisioning Sample Testworld currentLCS:: " + currentLCS);
    log.error("Ad before provisioning Sample Testworld plan Enter rule [" + plan + "]");    

    if (accountRequests != null) {
        log.error("Ad before provisioning Sample Testworld plan Enter if accountRequests");
        for (AccountRequest accountRequest : accountRequests) { 
            log.error("Ad before provisioning Sample Testworld accountRequest getoperation:: " + accountRequest.getOperation());
            if (Util.nullSafeCaseInsensitiveEq("terminated",currentLCS)) {
              log.error("Ad before provisioning Sample Testworld operation disable loop:: ");
              String nativeIdentity = accountRequest.getNativeIdentity();
              log.error("Ad before provisioning Sample Testworld ApplicationName" + application.getName());
              log.error("Ad before provisioning Sample Testworld nativeIdentity" + nativeIdentity);
              Object memberOfObject = idn.getRawAccountAttribute(application.getName(), nativeIdentity, "memberOf");
                log.error("Ad before provisioning Sample Testworld memberOfObject" + memberOfObject);
               if (memberOfObject != null) {
                  if (memberOfObject instanceof String) {
                      String strGroup = (String) memberOfObject;
                      memeberOfList.add(strGroup);
                  } 
                  else if (memberOfObject instanceof List) {
                       memeberOfList = (List) memberOfObject;
                  }
             }
             log.error("Ad before provisioning Sample Testworld memeberOfList" + memeberOfList);
            
                  
           for (Iterator iterator = memeberOfList.iterator(); iterator.hasNext();){
           
           String  memberOf= (String) iterator.next();
           
           if (memberOf.equals("CN=Domain Users,CN=Users,DC=Sample,DC=Testworld") || memberOf.equals("CN=ACC_LegalHold,OU=Groups,DC=Sample,DC=Testworld")) {
               iterator.remove();
             }
            }
              log.error("Ad before provisioning Sample Testworld memeberOfList after Removal:: " + memeberOfList);
                // Character classes by index: A-Z at 0-25, a-z at 26-51, digits at 52-61, symbols at 62-87
                String charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()_+-={}[]:;<>?,./";
                int len = charset.length();
                // SecureRandom extends Random, so the declared type and the existing import still apply
                Random rnd = new java.security.SecureRandom();
                StringBuilder newPassword = new StringBuilder();

                // Generate one capital letter
                char capitalLetter = charset.charAt(rnd.nextInt(26));
                newPassword.append(capitalLetter);

                // Generate one small letter
                char smallLetter = charset.charAt(26 + rnd.nextInt(26));
                newPassword.append(smallLetter);

                // Generate one symbol (indexes 62-87)
                char symbol = charset.charAt(62 + rnd.nextInt(26));
                newPassword.append(symbol);

                // Generate one number (indexes 52-61)
                char number = charset.charAt(52 + rnd.nextInt(10));
                newPassword.append(number);

                // Generate the remaining characters
                for (int count = 0; count < 8; count++) {
                    char randomChar = charset.charAt(rnd.nextInt(len));
                    newPassword.append(randomChar);
                }
                Date today = new Date();
                SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ssX");
                TimeZone timeZone = TimeZone.getTimeZone("UTC");
                        sdf.setTimeZone(timeZone);
                String formattedDate = sdf.format(today);
					
                    accountRequest.add(new AttributeRequest("title", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("department", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("manager", ProvisioningPlan.Operation.Set,""));
                    accountRequest.add(new AttributeRequest("company", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("description",ProvisioningPlan.Operation.Set, "Disabled on " +formattedDate+ " (" + timeZone.getID() + ")"));
                    accountRequest.add(new AttributeRequest("telephoneNumber", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("facsimileTelephoneNumber", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("homePhone", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("ipPhone", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("otherHomePhone", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("mobile", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("pager", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("msExchHideFromAddressLists", ProvisioningPlan.Operation.Set, true));
                    // Pass the password as a String rather than the StringBuilder itself
                    accountRequest.add(new AttributeRequest("password", ProvisioningPlan.Operation.Set, newPassword.toString()));
                    accountRequest.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, memeberOfList));
               
                if(disabledOU!=null)
                    accountRequest.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set,disabledOU));

               
                log.error("Ad before provisioning Sample Testworld plan accountRequest [" + plan + "]");
            }
            if(Util.nullSafeCaseInsensitiveEq("dormant",currentLCS))
            {

                String nativeIden = accountRequest.getNativeIdentity();
                if (nativeIden != null && nativeIden.replaceAll("\\s", "").toLowerCase().contains("-admin")) {
                    plan.remove(accountRequest);
                }
            }
			
        }
		 log.error("Ad before provisioning Sample Testworld plan end rule [" + plan + "]");
       
    }

    ]]>
</Source>

Thanks
Kal

1 Like

Can you confirm the user you’re getting this error for exists in the location where you’re moving from (the old OU)? A good way to deal with that is to just aggregate all user accounts before you test again.

1 Like

Hi @sushant1, the user exists in the old OU location before moving, and we are running AD aggregations every 4 hours.

Thanks
Kalyan

1 Like

Hi,

Does anyone have any thoughts on this issue?

Thanks
Kalyan

1 Like

Can you share the event logs? Are you able to see “AC_newparent” as the attribute name in the Modify Account event? If not, then your cloud rule is not deployed.

If it is there, then try to point to one domain controller and test it. Sometimes, because of replication, you might experience this issue.

1 Like

Hi @nandambk currently I do not have logs and could you please provide more information on the below which you have mentioned?

“If it is there then try to point to one domain controller and test it. Sometimes because of replication you might experience this issue”

Thanks
Kalyan

1 Like

Search for the users from Identity List–> Events →

1 Like

Hi @nandambk, thank you for your update. For the failing user I have checked the events: for the “Disable Account Failed” operation, “ATTRIBUTEVALUE” is populated as null and the “ATTRIBUTENAME” field is not displayed at all. What could be the issue here?

Thanks
Kalyan

1 Like

Hi @kalyannambi2010

Thank you for raising the request.

The ATTRIBUTEVALUE is populated as null and “ATTRIBUTENAME” is not displayed because it is a disable account operation, whereas I believe these fields should be available for a modify account operation.

I had a look at the code you pasted above, and I do not see any checks in it for what type of operation is being performed. For example, when this before provisioning rule triggers (assuming it triggers on a lifecycle state change), it could be possible that both operations, modify and disable, are happening at the same time, and one operation is successful but the next one fails because the account has already moved. That is just an example; the main idea is to have some checks in place for the type of operation, and only that should do the account move.

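  // Only act on the operation type the rule is meant to handle
  AccountRequest.Operation op = accountRequest.getOperation();
  if (AccountRequest.Operation.Modify.equals(op)) {
    if (Util.nullSafeCaseInsensitiveEq("terminated", currentLCS)) {
      // -------------- main logic here ------------------
    }
  }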

Please use the link below to see the best practices for handling the AD OU MOVE.

Also, can you please confirm the below:

  1. Is the account move actually happening in AD? I see the error message contains the DN of the terminated OU, so I just want to make sure that the user has indeed moved in AD. Also, the members of identity, do they get removed except for Domain Users and ACC_LegalHold? If yes, then I believe the modify action is doing the trick for you, but the disable operation is also running concurrently and is failing due to some sync issue.

  2. You mentioned above that the aggregation runs once in 4 hours. Can you please confirm whether it is a full aggregation or a delta aggregation?

I also feel that if the issue is occurring in your main tenant (prod), then it will be best to raise a request to SailPoint support, as they will have access to the cloud logs and can see the progress of the before provisioning rule. We will also try our best, but it will be really challenging to find the exact issue without having access to the cloud logs.

I hope the information helps, please keep us posted so that we can assist you further.

Thank You.
Regards
Vikas

2 Likes

Hi @vguleria thank you so much for your input.

Please refer to the below AD before provisioning rule which we are using for user leaver and dormant process.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule name="ADBeforeProvisoning" type="BeforeProvisioning">
  <Description>AD Before Provisioning Rule which removes all the group memberships except ACC_LegalHold from AD.</Description>
  <Source>
    <![CDATA[
       import java.text.SimpleDateFormat;
       import java.util.ArrayList;
       import java.util.Date;
       import java.util.List;
       import java.util.Random;
       import sailpoint.object.Identity;
       import sailpoint.object.ProvisioningPlan.AccountRequest;
       import sailpoint.object.ProvisioningPlan.AttributeRequest;
	   import sailpoint.object.ProvisioningPlan;
	   import sailpoint.tools.Util;
       import java.util.TimeZone; 
     
	 
        log.info("Inside Rule - BeforeProvisioning - ADBeforeProvisoning");
        Identity identity = plan.getIdentity();
        List accountRequests = plan.getAccountRequests();
		List memeberOfList = new ArrayList();
        String currentLCS =identity.getAttribute("cloudLifecycleState");  
        String disabledOU= "OU=Departed,OU=User Accounts,DC=Sample,DC=TestNet,DC=com";
        log.info("currentLCS:: "+currentLCS);
        
        if (accountRequests != null) {
            for (AccountRequest accountRequest : accountRequests) { 
                if (AccountRequest.Operation.Disable.equals(accountRequest.getOperation()) && "terminated".equals(currentLCS)) {
                    log.info("operation disable loop:: ");
                  String nativeIdentity = accountRequest.getNativeIdentity();
				  log.info("ApplicationName"+application.getName());
				  log.info("nativeIdentity"+nativeIdentity);
                  Object memberOfObject = idn.getRawAccountAttribute(application.getName(), nativeIdentity, "memberOf");
				  log.info("memberOfObject"+memberOfObject);
                  if (memberOfObject != null) {
                      if (memberOfObject instanceof String) {
                          String strGroup = (String) memberOfObject;
                          memeberOfList.add(strGroup);
                      } 
                      else if (memberOfObject instanceof List) {
                           memeberOfList = (List) memberOfObject;
                      }
                 }
				 log.info("memeberOfList"+memeberOfList);
				 
                for (Iterator iterator = memeberOfList.iterator(); iterator.hasNext();)
				{
			   String  memberOf= (String) iterator.next();
			   if (memberOf.equals("CN=Domain Users,CN=Users,DC=Sample,DC=TestNet,DC=com") ||
               memberOf.equals("CN=ACC_LegalHold-3Months,CN=Users,DC=Sample,DC=TestNet,DC=com") || memberOf.equals("CN=ACC_LegalHold,CN=Users,DC=Sample,DC=TestNet,DC=com")) {
				 iterator.remove();
                 }
		        }
                 log.info("memeberOfList after Removal:: " +memeberOfList);
                    // Character classes by index: A-Z at 0-25, a-z at 26-51, digits at 52-61, symbols at 62-87
                    String charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()_+-={}[]:;<>?,./";
                    int len = charset.length();
                    // SecureRandom extends Random, so the declared type and the existing import still apply
                    Random rnd = new java.security.SecureRandom();
                    StringBuilder newPassword = new StringBuilder();

                    // Generate one capital letter
                    char capitalLetter = charset.charAt(rnd.nextInt(26));
                    newPassword.append(capitalLetter);

                    // Generate one small letter
                    char smallLetter = charset.charAt(26 + rnd.nextInt(26));
                    newPassword.append(smallLetter);

                    // Generate one symbol (indexes 62-87)
                    char symbol = charset.charAt(62 + rnd.nextInt(26));
                    newPassword.append(symbol);

                    // Generate one number (indexes 52-61)
                    char number = charset.charAt(52 + rnd.nextInt(10));
                    newPassword.append(number);

                    // Generate the remaining characters
                    for (int count = 0; count < 8; count++) {
                        char randomChar = charset.charAt(rnd.nextInt(len));
                        newPassword.append(randomChar);
                    }
                    Date today = new Date();
                    SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ssX");
                    TimeZone timeZone = TimeZone.getTimeZone("UTC");
                    sdf.setTimeZone(timeZone);
                    String formattedDate = sdf.format(today);
					
                    accountRequest.add(new AttributeRequest("title", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("department", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("manager", ProvisioningPlan.Operation.Set,""));
                    accountRequest.add(new AttributeRequest("company", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("description",ProvisioningPlan.Operation.Set, "Disabled on " +formattedDate+ " (" + timeZone.getID() + ")"));
                    accountRequest.add(new AttributeRequest("telephoneNumber", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("facsimileTelephoneNumber", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("homePhone", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("ipPhone", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("otherHomePhone", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("mobile", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("pager", ProvisioningPlan.Operation.Set, ""));
                    accountRequest.add(new AttributeRequest("msExchHideFromAddressLists", ProvisioningPlan.Operation.Set, true));
                    // Pass the password as a String rather than the StringBuilder itself
                    accountRequest.add(new AttributeRequest("password", ProvisioningPlan.Operation.Set, newPassword.toString()));
                    accountRequest.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, memeberOfList));
                   
                    if(disabledOU!=null)
                        accountRequest.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set,disabledOU));

                }
				if(Util.nullSafeCaseInsensitiveEq("dormant",currentLCS))
                {

                    String nativeIden = accountRequest.getNativeIdentity();
                    if (nativeIden != null && nativeIden.replaceAll("\\s", "").toLowerCase().contains("-admin")) {
                        plan.remove(accountRequest);
                    }
                }
            }
           
        }


        ]]>
    </Source>
</Rule>

  1. The account movement is happening in AD, and all the group memberships except Domain Users and ACC_LegalHold are removed when the user gets terminated.
  2. It is delta aggregation for AD.

Thanks
Kalyan

1 Like

Hi @vguleria thank you so much for your input.

  1. The account movement is happening in AD, and all the group memberships except Domain Users and ACC_LegalHold are removed when the user gets terminated.
  2. It is optimised aggregation for AD source.

Thanks
Kalyan

1 Like

Hi @kalyannambi2010

Thank you for sharing the detailed information.
Yes, I had already checked the before provisioning rule, and mainly you are keeping only two entitlements and also resetting the password, which is a normal scenario, along with other attribute updates. I see in the new code you have the below check, which seems fine now; that means the operation will be performed only during the disable action.

   if (AccountRequest.Operation.Disable.equals(accountRequest.getOperation()) && "terminated".equals(currentLCS))

Some additional questions from my end to understand further:

  1. Has the account move actually happened in Active Directory?
  2. Is the above shared code already uploaded by Expert Services, and do you still face the issue then?
  3. Can you please check whether the before provisioning rule is also doing a similar operation when the operation is a modify operation?
  4. Do you also see a similar error for the modify account operation?

Thank You.
Regards
Vikas.

2 Likes

Hi @vguleria thank you for your inputs and please find the below responses.

  1. Has the account move actually happened in Active Directory? Yes, it is happening.
  2. Is the above shared code already uploaded by Expert Services, and do you still face the issue then? Yes, deployed by the SP Expert Services team.
  3. Can you please check whether the before provisioning rule is also doing a similar operation when the operation is a modify operation? We did not check this feature yet.
  4. Do you also see a similar error for the modify account operation? We did not check this feature yet.

Thanks
Kalyan

1 Like

Hi @kalyannambi2010,

Thank you for providing the details.
I think for modify account operation you can check it by going to identity and then checking their events and verify if the issue is only for disable operation or also for modify account operation.

Do you also know if there are multiple domain controllers? I am wondering if it is the replication that is causing the error.

Thank You.
Regards
Vikas.

1 Like

Hi @vguleria How to handle multiple domain controller and what is replication that is causing the error which you have mentioned?

Thanks
Kalyan

1 Like

Hi @kalyannambi2010

I mean that if you are making changes on a specific server and they are not getting replicated in time, then there might be issues: the account is moved on one DC, but if the operation to disable or modify is happening on another DC, then it may not be able to find the account. But that is dependent on the AD setup.

But can you please check and confirm if you see the same error on the modify account operation too ?

Thank You.
Regards
vikas.

1 Like

Hi @vguleria, during the modify account operation the AD before provisioning rule is not removing any group memberships and not performing the other activities mentioned in the rule, and we are not getting any error/exception.

Thanks
Kalyan

1 Like

Hi @kalyannambi2010

I see that the operation is being performed on the object CN=Test,OU=Departed,OU=User Accounts,DC=Test,DC=Test,DC=com and the error states that the object is not found. Can you please make sure that there is no uppercase or lowercase issue in the DN?

Also, can you please share the information about the events that took place for the user during disable account operation, then we can verify which events took place.

Thank You.
Regards
Vikas

1 Like
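
Reading the error from the opening post, as an added example that is not part of any post in the thread: with LDAP result code 32 the `best match of` value is the deepest entry the domain controller could resolve, so comparing it with the DN the connector asked for shows whether the OU path or only the account entry was missing. The function names, the verdict labels and the sample string (rebuilt from the quoted error) are assumptions of this example; the DN comparison is case-insensitive, which also covers the upper/lower-case question raised in the last reply.

```python
import json
import re

# Constructed sample modelled on the error quoted in the opening post: a JSON
# array holding one escaped string. The DNs are the thread's sanitised values.
RAW_EVENT = r'''["sailpoint.connector.ObjectNotFoundException: [ ObjectNotFoundException ] \n [ Possible suggestions ] Ensure that account - CN\u003dTest,OU\u003dDeparted,OU\u003dUser Accounts,DC\u003dTest,DC\u003dTest,DC\u003dcom exists. \n [ Error details ] ObjectNotFound [LDAP: error code 32 - 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of:\n\t\u0027OU\u003dDeparted,OU\u003dUser Accounts,DC\u003dTest,DC\u003dTest,DC\u003dcom\u0027\n]"]'''


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def normalise(rdns):
    """Case-fold and trim around '=' so DNs differing only in case compare equal."""
    return [re.sub(r"\s*=\s*", "=", r).lower() for r in rdns]


def triage(raw_event):
    """Return what the directory resolved and which RDNs it could not find."""
    message = json.loads(raw_event)[0]  # decodes \u003d, \u0027, \n and \t
    target = re.search(r"Ensure that account - (.+?) exists\.", message)
    code = re.search(r"LDAP: error code (\d+)", message)
    matched = re.search(r"best match of:\s*'([^']*)'", message)
    if not (target and code and matched):
        raise ValueError("not an ObjectNotFoundException with a matched DN")

    target_rdns = split_dn(target.group(1))
    matched_rdns = split_dn(matched.group(1))
    depth = len(target_rdns) - len(matched_rdns)
    is_ancestor = depth >= 0 and (
        normalise(target_rdns[depth:]) == normalise(matched_rdns)
    )
    missing = target_rdns[:depth] if is_ancestor else target_rdns

    if not is_ancestor:
        verdict = "matched-dn-not-an-ancestor"
    elif depth == 0:
        verdict = "target-resolved"
    elif depth == 1:
        # Parent container exists on the DC that answered; only the account
        # entry was not found under it (stale DN, not yet replicated, not moved).
        verdict = "leaf-missing"
    else:
        # Part of the OU path itself is absent: check the AC_NewParent value.
        verdict = "container-missing"

    return {
        "ldap_code": int(code.group(1)),
        "target": target.group(1),
        "matched": matched.group(1),
        "missing": missing,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(RAW_EVENT))
```

For the thread's error the verdict is `leaf-missing`: the Departed OU was resolved and only `CN=Test` was not found under it on the domain controller that answered.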