I’m encountering an issue while trying to disable an account in Active Directory And getting below error:
Failed to update attribute memberOf Error occurred while setting group membership CN=Domain Users,CN=Users,DC=Company,DC=com. The server is unwilling to process the request. The server is unwilling to process the request. 0000055E: SvcErr: DSID-031A126C, problem 5003 (WILL_NOT_PERFORM), data 0 0000055E: SvcErr: DSID-031A126C, problem 5003 (WILL_NOT_PERFORM), data 0 . HRESULT:[0x80072035]
CN=Domain Users,CN=Users,DC=Company,DC=com - This is a default primar user group in AD and looks like IDN is trying to remove the group membership for the user as part of account disable. If you are using a before provisioning rule to modify the plan as part of user disable, you may want to exclude the domain user group removal.
Hi @saikumarS
I have faced this issue in 2 scenarios:
As @jesvin90 said in Rule , exclude default group from removing.
In one scenarios I had no birthright groups but to trigger provisioning I have used Domain users as birthright , during termination ISC tried to remove the role and I faced this issue. After that I discussed with proper team and replaced domain users to a dummy group to trigger provisioning