Joiner AD account creation without security group

Hi Experts,

Is that possible to trigger a joiner event and create an AD account without assigning them any security groups?

Hi Bernard,
Thank you for the post. Identity now does not support creating account without any groups provisioned to it.

Rakesh Bhati

1 Like

Hi @BernardNetpoleon,

As Rakesh rightly pointed out, IDN needs an access to be granted as part of an account creation.

You can get an AD group created exclusively for SailPoint and assign that group as part of the user creation process.

You can also look at the possibility of assigning the domain user group as the default entitlement for all AD account creation, since that AD group would be common for all users.

1 Like

Hi Bernard,

As mentioned above by the fellow ambassadors, I too do not think that it is possible to create the user without requesting the access for them.

But i understood that your requirement is that you want to have a user created in AD without any group, for which you can try something like below

  1. you can create or use an existing identity Attribute and add a transform on it like below
	"name": "{{Your transform name}}",
	"type": "firstValid",
	"attributes": {
		"values": [
				"attributes": {
					"attributeName": "{{distinguishname}}", // we can use some other preferred attribute here like samAccountname
					"sourceName": "{{Your source name}}"
				"type": "accountAttribute"

This shall populate distinguishname on identityAttribute if the user has an Account with AD source otherwise it will return NO_ACCOUNT value for the attribute.

  1. setup a birthright role (with AD related accessprofile or entitlement mapped to it ) with access criteria like below

when custom-Attribute-Value is NO_ACCOUNT assign the birthright role.

  1. This will then trigger the account creation and once the role assignment is completed, it will trigger the identity refresh which should re-evaluate the attribute value for the user and populate the attribute value with distinguishName, and since now the attribute value is no longer NO_ACCOUNT, this will trigger the deprovisioning of the role and thus your account will be created in AD but without any group.

So the group will be there for the user only for like 2-3 minutes in AD depending upon the ISC performance.
And this will also give you the flexibility to check the users whose AD account creation might have failed for some reason. You can check those cases by checking the users who still have your birthright role assigned.

I hope this will help. Please let me know if this meets your requirement.


Hi Bernard,

If you don’t want to provision any specific group, you can try to provision Domain Users group. This is a built in group and it is not visible on users.