Seemingly random Active Directory object creation

Over the course of the last several months my systems team has noted that our SailPoint service account for Active Directory that is used for our Active Directory connector has started creating, changing the password for, and then deleting numerous objects daily. The objects have a format of $xxD700-xxxxxxxxxxx (sometimes there is a 12th character at the end).

Has anyone seen this behavior or know what the reason for these objects is?

Hey Nathaniel, yes I have.

The thing is ISC will always try to create accounts to fulfill the role assignment. Probably what is happening is that there is a mistake in the create profile or it's trying to recreate existing accounts, which leads to these errors.

Actually, before anything, check if the option “Rollback partly created accounts” is checked in the source config.

Another thing to check is if the Role assignment is not giving entitlements for the users.

Hi @nathanieljjohnson

I have seen this happening when there was a temporary object created for the password attribute in the Create Profile.

But what I have seen from the logs is that the temporary object starting with $ gets created for the temp password object and gets removed once replaced by the actual object.

This fits the scenario we are in. We had to remove the create profile on our Active Directory connector for a period of time while we conduct merger activity. Checking “Rollback partly created accounts” has stopped the accounts from being created.
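For anyone triaging the same pattern from the domain controller side, the following is an added example and not part of the thread or of SailPoint's tooling: it checks an exported event list and flags `$`-prefixed objects that do not follow the create, password change, delete lifecycle described above. The CSV layout, the account name `svc_sailpoint`, the object names, and the mapping to Windows Security event IDs 4720/4724/4726 (which assumes the objects are logged as user accounts) are assumptions.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample export (not real logs): time, event_id, actor, target.
# Assumption: 4720 = account created, 4724 = password reset, 4726 = account deleted.
SAMPLE = """time,event_id,actor,target
2024-05-01T02:00:01,4720,svc_sailpoint,$A1D700-EXAMPLE0001
2024-05-01T02:00:02,4724,svc_sailpoint,$A1D700-EXAMPLE0001
2024-05-01T02:00:04,4726,svc_sailpoint,$A1D700-EXAMPLE0001
2024-05-01T02:05:00,4720,svc_sailpoint,$B2D700-EXAMPLE0002
2024-05-01T02:05:01,4724,svc_sailpoint,$B2D700-EXAMPLE0002
2024-05-01T03:00:00,4720,svc_sailpoint,$C3D700-EXAMPLE0003
2024-05-01T03:00:01,4724,jdoe,$C3D700-EXAMPLE0003
2024-05-01T03:00:03,4726,svc_sailpoint,$C3D700-EXAMPLE0003
2024-05-01T04:00:00,4720,svc_sailpoint,jsmith
"""
CREATED, DELETED = "4720", "4726"

def triage(csv_text, service_account, max_lifetime=timedelta(minutes=5)):
    """Return {object name: reason} for $-prefixed objects that look abnormal."""
    by_target = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["target"].startswith("$"):      # only the temporary-style objects
            by_target.setdefault(row["target"], []).append(row)
    findings = {}
    for target, rows in by_target.items():
        others = sorted({r["actor"] for r in rows} - {service_account})
        created = [r["time"] for r in rows if r["event_id"] == CREATED]
        deleted = [r["time"] for r in rows if r["event_id"] == DELETED]
        if others:                             # someone besides the connector touched it
            findings[target] = "touched by other actor(s): " + ", ".join(others)
        elif not deleted:                      # temporary object was left behind
            findings[target] = "never deleted"
        elif not created:                      # creation falls outside the export window
            findings[target] = "no create event in export"
        else:
            life = datetime.fromisoformat(max(deleted)) - datetime.fromisoformat(min(created))
            if life > max_lifetime:
                findings[target] = f"lived {life}, longer than {max_lifetime}"
    return findings

if __name__ == "__main__":
    for name, reason in triage(SAMPLE, "svc_sailpoint").items():
        print(name, "->", reason)
```

Objects that are created and removed by the connector account within seconds are not reported; anything left behind or modified by another identity is.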