Unable to trigger the PowerShell script using Custom Connector Rule (AfterCreate Rule)

Hi Everyone,

We have a use case to set an AD password and share the password by email with the manager. We are using a custom connector rule to trigger the PowerShell script in IQService, but we are unable to trigger it with the AfterCreate rule, and we cannot see any information on that event in the CCG logs to troubleshoot. Is there any other place where we can see the logs related to the custom connector rule? Please suggest. Let us know if there are prerequisites or any precautions that need to be taken when using this approach.

FYI: The script works fine when we execute it directly on the Windows box (powershell.exe).

Thanks
Jay

Hi @Chaitanya_Jaya, you could route the logs of the after-create script to a log file within the IQService directory (the place where IQService has been installed).

Sample snippet:

$logDate = Get-Date -Format "yyyyMMdd"                # date suffix for the log file name
$logFile = "D:\SP\IQService\afterRule_$logDate.log"   # log file inside the IQService folder

function Logger([String] $info) {
    $info | Out-File $logFile -Append                 # append one line to the log file
}
1 Like

Thanks @prashanthrns. Actually, we have already added that part of the code in the AfterCreate rule script, but no log file is getting generated in the path.

Could you ensure that the below default argument values have been set in the rule:

<Map>
    <entry key="ObjectOrientedScript" value="true" />
    <entry key="disabled" value="false" />
    <entry key="extension" value=".ps1" />
    <entry key="program" value="powershell.exe" />
    <entry key="timeout" value="300" />
</Map>

Also, make sure of the following:

  • Update the path to Utils.dll (can be an unqualified path like “Utils.dll” since script is copied to IQService folder for execution)
  • Make sure Utils.dll is in the specified folder on each IQService host
  • Be sure the account that runs IQService has appropriate permissions to create directories and set permissions on them
  • Be sure to set the “run as” account for the IQService in Windows Service to the above-specified account instead of just the “logged on” user
  • Set a proper location for the $logFile variable
  • Grant permissions to the directory for the log files to be created
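Building on the logging snippet and the checklist above, here is an added diagnostic skeleton (not from this thread or from SailPoint) for an AfterCreate script: it records the account the script actually runs as and whether the log directory is writable, so a missing log file can be traced to the IQService "Log On" account or folder permissions rather than to the rule itself. The D:\SP\IQService path is an assumption; adjust it to your install location.

```powershell
# Added example: diagnostic wrapper for an IQService AfterCreate script.
# Paths are assumptions; replace them with the real IQService install folder.
$logDir  = "D:\SP\IQService\logs"
$logDate = Get-Date -Format "yyyyMMdd"
$logFile = Join-Path $logDir "afterRule_$logDate.log"

function Logger([String] $info) {
    # Prefix every line with a timestamp so IQService runs can be correlated with CCG logs
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    "$stamp $info" | Out-File -FilePath $logFile -Append -Encoding utf8
}

try {
    # Create the log directory if it is missing. A failure here means the account
    # IQService runs as lacks rights on the parent folder (see the checklist above).
    if (-not (Test-Path $logDir)) {
        New-Item -ItemType Directory -Path $logDir -ErrorAction Stop | Out-Null
    }

    # Record the execution context: this is the account that needs AD and folder rights
    Logger "Script started; running as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"
    Logger "Working directory: $(Get-Location)"
    Logger "PowerShell version: $($PSVersionTable.PSVersion)"

    # ---- AfterCreate logic goes here (e.g. setting the AD password) ----
    # Log only the outcome of that step, never the password value itself.

    Logger "Script finished successfully"
}
catch {
    # Surface the exception in the log and as script output, with a fallback
    # location in case the log directory itself is not writable.
    $msg = "ERROR: $($_.Exception.Message) at $($_.InvocationInfo.PositionMessage)"
    try { Logger $msg }
    catch { $msg | Out-File (Join-Path $env:TEMP "afterRule_fallback.log") -Append }
    Write-Output $msg
    exit 1
}
```

If the fallback file in %TEMP% appears but the IQService log does not, the problem is folder permissions for the service account; if neither appears, the rule is not reaching IQService at all.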

Hi Jaya,
Is the PowerShell script running with the proper admin permissions? If you open the IQService service → Log On, make sure the admin user you have configured has admin rights and is able to execute the script.

If this is urgent, you can implement a temporary workaround by adding your script to Task Scheduler and configuring it to run on an hourly basis.

Within the script, include the following PowerShell code snippet to detect any newly created accounts in Active Directory within the last hour:

# Load the Active Directory module (requires the RSAT AD PowerShell tools on the host)
Import-Module ActiveDirectory

# Define the time window (1 hour ago)
$timeWindow = (Get-Date).AddHours(-1)

# Get users created within the last 1 hour from Active Directory
Get-ADUser -Filter {whenCreated -ge $timeWindow} -Properties whenCreated, UserPrincipalName, GivenName, Surname |
    ForEach-Object {
        # Add your custom logic here; $_ is the newly created ADUser object
    }

This will help you capture and act on new AD accounts as a stopgap until a permanent solution is in place.

2 Likes

For custom connector rules triggering PowerShell scripts via IQService, check the IQService logs located on the SailPoint server under the IQService log directory for detailed error info. Also review the Connector Configuration Gateway (CCG) logs, but IQService logs typically show script execution results. Ensure your rule is properly configured to invoke the IQService and that permissions allow script execution. Confirm that the IQService Windows service is running and has the correct execution context. Always handle passwords securely—avoid sending them in plain email and consider encryption or secure delivery methods.

1 Like

Thanks everyone for your responses. We have checked all the suggested solutions and figured out that it was an issue with some IQService configuration.
