Issue with IDN Creating Duplicate Accounts in Active Directory

I’m experiencing the following issue: IDN is creating multiple accounts in Active Directory, as shown in the attached image (Image1). When the collection runs, it fails to correlate the accounts and tries to create the same account again. However, when I perform an aggregation, the account gets created, but it shows up as “Uncorrelated” (see Image2).

image1

image2

Hi @clebercarvalhoRaise,

Have you tried running the unoptimized aggregation?
Also, did you make any changes to the correlation configuration after the initial source setup and account aggregations? If yes, you need to run the unoptimized aggregation.
Hope this helps!

Hi @clebercarvalhoRaise,

Can you please check if any location movement happened for those users who are affected?
Because I have gone through the same issue in production, and when troubleshooting we found that it was because of location movement.

If that is the same in your case,
I recommend you check the Before Provisioning rule to add the AC_NewParent attribute.
This is in line with our best practices as mentioned here: Best Practices: Active Directory Account Moves - Compass

If not, please check the user activity logs for the reason behind the re-provisioning.
Also, check that the source is aggregating properly.

Thank you!
Dharani.

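The Before Provisioning rule Dharani refers to, as an added example that is not from the original thread or from SailPoint's own documentation: a cloud rule (BeanShell) that, on an AD Modify request carrying a new distinguishedName, works out the parent container of the new DN and adds an AC_NewParent attribute request so the connector moves the existing object instead of trying to write the DN (or create a second account). The attribute names distinguishedName and AC_NewParent are the AD connector's; the assumption that the account's native identity is its DN, the helper name parentOf and the log message are my own.

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Added example of a Before Provisioning cloud rule for the AD source.
// Rule variables used: plan (ProvisioningPlan) and log.
// Assumption: the target OU arrives as a Modify of distinguishedName
// (e.g. from the create profile's DN logic or an attribute sync).

// Return the parent container of an LDAP DN, honouring escaped commas ("\,")
// inside the RDN value, e.g. "CN=Doe\, John,OU=Sales,DC=corp,DC=local"
// -> "OU=Sales,DC=corp,DC=local". Returns null when there is no parent.
public String parentOf(String dn) {
    if (dn == null) return null;
    for (int i = 0; i < dn.length(); i++) {
        char c = dn.charAt(i);
        if (c == '\\') { i++; continue; }      // skip the escaped character
        if (c == ',') return dn.substring(i + 1).trim();
    }
    return null;
}

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest acctReq : plan.getAccountRequests()) {
        // Only a Modify can move an existing account; a Create already carries
        // the full DN, and Delete/Disable/Enable have nothing to move.
        if (!AccountRequest.Operation.Modify.equals(acctReq.getOperation())) continue;

        AttributeRequest dnReq = acctReq.getAttributeRequest("distinguishedName");
        if (dnReq == null || dnReq.getValue() == null) continue;

        String newDn = dnReq.getValue().toString();
        // Assumption: for the AD source the native identity is the current DN.
        String currentDn = acctReq.getNativeIdentity();
        String newParent = parentOf(newDn);
        String currentParent = parentOf(currentDn);

        // Nothing to do when the account already sits in the target container.
        if (newParent == null || newParent.equalsIgnoreCase(currentParent)) continue;

        // Ask the connector to move the object rather than treat the DN change
        // as a plain attribute write. Do not add it twice if another rule already did.
        if (acctReq.getAttributeRequest("AC_NewParent") == null) {
            acctReq.add(new AttributeRequest("AC_NewParent",
                    ProvisioningPlan.Operation.Set, newParent));
            log.info("BeforeProvisioning: moving " + currentDn + " to " + newParent);
        }
    }
}
```

Keep the distinguishedName attribute request in the plan as well: AC_NewParent tells the connector where to move the object, while the new RDN (a renamed CN, for instance) still comes from the DN itself. Compare the parent containers case-insensitively, as above, because AD treats DNs as case-insensitive and a case-only difference must not trigger a move.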

@clebercarvalhoRaise, please check your create profile configuration and let us know what you are passing in distinguishedName and sAMAccountName. Are you using a generator, or how? Also, I would recommend adding some provisioning timeout and IQService timeout for this.

Hi Cleber, have you asked acmsousa what they were doing on Sep 6? I’m not sure IDN was creating multiple AD accounts. It created one on Aug 30, which was deleted by acmsousa on Sep 6. The next 2 re-create attempts failed as (assumption) they would have been in the same provisioning run as the delete. The account was successfully re-created on Sep 7. Correlation isn’t required for IDN-created accounts (as they are linked on GUID), so, as for the account correlation fail, my guess is something happened in AD (such as a restore, or a move back from the deleted OU) which overwrote the new AD account, meaning that the AD account now has a different account GUID. On aggregation IDN tried to correlate it (as it doesn’t know the GUID), but it already has an account linked to the correlated Identity with the same Source and Account ID 24081576, so it leaves it uncorrelated.

@j_place is correct.
The event history shows that someone (acmsousa) ‘deleted’ the account from the Identity cube.

This doesn’t delete the account in AD, it just removes the link on the Identity. IDN thus thinks the account no longer exists (until the next aggregation runs). If there is a role or access profile granting AD access that is still assigned to the Identity, or if access had previously been requested through the Access Request UI, then IDN will attempt to re-provision the access, and since it cannot see the ‘deleted’ account, it will attempt to re-create it. You would need to check the specific errors, but my guess is that they failed because the DN was already in use.