Problem
When aggregating accounts from AD, nearly 10 to 15 AD accounts were not aggregated even though they were present in AD.
Diagnosis
1. We checked whether the missing accounts were present in the Uncorrelated CSV file, but that was not the case.
2. Then we made some changes to the description attribute in AD and re-aggregated AD, with the same result.
3. Through SailPoint, we extracted the AD connector logs, which showed an exception thrown by the AD connector:
Error Details
Incorrect string value: '\xF0\x9F\x90\xB3$4…' for column 'attributes' at row 1
4. The above error was caused by an incorrect character in one of the fields that we were aggregating from AD. The offending string was a "Whale" emoji.
5. Hence, we extracted all users' AD attributes using the PowerShell command Get-ADUser.
6. In the resulting extract, we checked each attribute that we were aggregating.
7. Finally, we found the issue in the registerAddress attribute. This attribute was storing the MFA data from one of the customer's applications in AD.
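Steps 5 and 6 can be scripted. The following is an added example, not code from the original post or from SailPoint: it decodes the bytes quoted in the connector error and scans a CSV export of the aggregated attributes for characters that need four bytes in UTF-8. The sample rows, the sAMAccountName key column and the function names are assumptions made for the example.

```python
import csv
import io
import unicodedata

# Constructed sample standing in for a Get-ADUser CSV export; the account
# names and attribute values are made up for this example.
SAMPLE_EXPORT = (
    "sAMAccountName,description,registerAddress\r\n"
    "jdoe,Finance analyst,token-01\r\n"
    "asmith,Help desk,\U0001F433$4 mfa-seed\r\n"
    "bkhan,Contractor \u00e9quipe,token-03\r\n"
)

def four_byte_chars(value):
    """Return the characters in value that need four bytes in UTF-8."""
    return [ch for ch in value if ord(ch) > 0xFFFF]

def scan_export(csv_text, id_column="sAMAccountName"):
    """Return one finding per (account, attribute) holding a 4-byte character."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for attr, value in row.items():
            if attr == id_column or not isinstance(value, str):
                continue  # skip the key column and missing or malformed cells
            hits = four_byte_chars(value)
            if hits:
                findings.append({
                    "account": row[id_column],
                    "attribute": attr,
                    "chars": [(f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"),
                               c.encode("utf-8").hex()) for c in hits],
                })
    return findings

def decode_error_bytes(escaped):
    """Decode the hex escapes quoted in the connector error into text."""
    return bytes.fromhex(escaped.replace("\\x", "")).decode("utf-8")

if __name__ == "__main__":
    # The four bytes from the error message decode to U+1F433.
    print(decode_error_bytes(r"\xF0\x9F\x90\xB3"))
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

Export the same attributes that are listed in the AD account schema so that every aggregated field is checked.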
Solution
1. We checked whether the "registerAddress" AD account attribute was used in any identity attribute in any of the identity profiles in scope.
2. We validated whether this attribute was used for provisioning in any other target system.
3. As we were not using this attribute in any of the identity profiles or downstream systems, we removed the "registerAddress" account attribute from the Account Schema of AD.
4. We performed the aggregation from AD again, and the data for the missing accounts was now aggregated.
Good practice
1. It is always recommended to aggregate only the account attributes from AD that are required for your identity setup; the rest should be removed from the AD account schema.