User Memberships Not Visible on Identity's Active Directory Link

Problem

User memberships are not visible on the Active Directory link after Full/Delta AD aggregation.

Diagnosis

The memberships are not visible because the ADAppVersion entry is absent from the “Active Directory” Application.xml file.

  • With the ADAppVersion attribute: If groupMembershipSearchDn is not defined in the application, SailPoint will retrieve all group memberships associated with the account without filtering based on the user’s search scope (as defined by searchDN or searchDNs).
  • Without the ADAppVersion attribute: The system will filter group memberships according to the account’s search scope if groupMembershipSearchDn is not specified, which can lead to missing memberships.

Solution

To resolve this issue, ensure that the following entry is present in the “Active Directory” Application.xml file. In previous versions, this value was not mandatory, and during upgrades, it may have been omitted from the Application.xml file.

If it’s missing, add:

<entry key="ADAppVersion" value="V2"/>
1 Like
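The check described in the post above, as an added example that is not part of the original post or SailPoint's own code: it reads an exported Application XML and reports which membership behaviour the post's two cases predict. The sample XML is constructed and trimmed, and the function names and result labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample shaped like an exported "Active Directory"
# Application object; a real export carries many more entries.
LEGACY_APP = """<Application name="Active Directory">
  <Attributes><Map>
    <entry key="searchDNs" value="OU=Users,DC=example,DC=com"/>
  </Map></Attributes>
</Application>"""

# The same application after adding the entry from the post.
FIXED_APP = LEGACY_APP.replace(
    "<Map>", '<Map>\n    <entry key="ADAppVersion" value="V2"/>')


def find_entry(root, key):
    """Return the first <entry> whose key matches (case-insensitive), or None."""
    for entry in root.iter("entry"):
        if entry.get("key", "").lower() == key.lower():
            return entry
    return None


def is_defined(entry):
    """An entry counts as defined if it has a non-empty value or child content."""
    return entry is not None and (bool(entry.get("value")) or len(entry) > 0)


def membership_behaviour(xml_text):
    """Return (label, ADAppVersion value or None) for one Application XML.

    Labels are this example's own names for the cases in the post. Parse only
    XML exported from your own instance; ElementTree is not hardened against
    hostile input.
    """
    root = ET.fromstring(xml_text)
    version_entry = find_entry(root, "ADAppVersion")
    version = version_entry.get("value") if version_entry is not None else None
    if is_defined(find_entry(root, "groupMembershipSearchDn")):
        return ("explicit-group-scope", version)
    if version is None:
        # Case from the post: memberships filtered by the account search scope.
        return ("filtered-by-account-scope", version)
    # Case from the post: all memberships retrieved, no scope filtering.
    return ("all-memberships", version)


if __name__ == "__main__":
    for name, xml_text in (("legacy", LEGACY_APP), ("fixed", FIXED_APP)):
        print(name, membership_behaviour(xml_text))
```

A result of `filtered-by-account-scope` on an upgraded application is the condition the post associates with missing memberships.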

Hi @tsandeepsW,

It’s not exactly correct. The entry key ADAppVersion is present in the AD connector from version 8 of SailPoint, to distinguish the AD connector template from previous versions.

If it is not present, it means you are using a version of the connector created on version 7 or 6 of SP.
Introducing this can resolve some problems, but if you look at the AD template and your XML, you can find some differences.

If upgrading from 7 to 8, for me it is better to recreate the AD application to avoid any future problems.

1 Like

Yes, it’s a mandatory attribute in the AD application XML.
In our case, we noticed the memberships disappeared after the upgrade. That’s when we realized it wasn’t added by default to the AD application XML.
If anyone else faces this issue, they can use these steps to resolve it.