
Conditionally delete AD groups in a Disable operation

Community_User
Saviynt Employee
Originally posted on June 3 2020 at 15:24 UTC

Hi - We have a use case in AD to disable accounts, move them to a specific OU and strip all existing groups. This was achieved using the following block in the AD connection.


{
"moveUsertoOU": "OU=DeletedUsers,DC=saviyntadmin,DC=com",
"deleteAllGroups": "Yes",
"userAccountControl": "514",
"password": "${randomPassword}"
}


But it was recently requested to retain 1 group (default for all users) and delete all other groups during the Disable operation. Unable to find a solution in the AD connector document, any suggestions?


Regards,

Leslie

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.
3 REPLIES

Community_User
Saviynt Employee
Originally posted on June 4 2020 at 05:32 UTC

Hi Leslie,


Greetings!!


We do not have any such feature to maintain a group exclusion list during remove/disable account operations.

You could raise this as an improvement request for directory connectors.


Thanks & Regards,

Anand Kumar Jha



Community_User
Saviynt Employee
Originally posted on June 4 2020 at 15:12 UTC

Hi Anand,


Thanks for your time, will raise an improvement request as suggested.


In the meantime, I was exploring my options to see if primaryGroupID can be used as a workaround. You might already know the default primaryGroupID=513 (Domain Users) is set for all users. If I were to manipulate the value of primaryGroupID with the desired group I wish to retain during Disable/Remove operations, I might be able to achieve my use case. However, I am getting the following errors when I added primaryGroupID in the CreateAccountJSON.


When I use: "primaryGroupID":"16286" or "primaryGroupID":'16286' or "primaryGroupID":"${user.customproperty21}"

Error while creating account in AD - [LDAP: error code 53 - 00000529: SvcErr: DSID-031A1254, problem 5003 (WILL_NOT_PERFORM), data 0


When I use: "primaryGroupID":16286 (without single or double quotes, or a CP)

ERROR ldap.SaviyntGroovyLdapService - Error while creating account in AD - Malformed 'primaryGroupID' attribute value


Any suggestions?


Regards,

Leslie


Community_User
Saviynt Employee
Originally posted on June 5 2020 at 06:17 UTC

Hi Leslie,


Greetings!!


The workaround with primaryGroupID might not be a helpful case, although you could try.


Talking about errors,

##############################################################################

When I use: "primaryGroupID":"16286" or "primaryGroupID":'16286' or "primaryGroupID":"${user.customproperty21}"

Error while creating account in AD - [LDAP: error code 53 - 00000529: SvcErr: DSID-031A1254, problem 5003 (WILL_NOT_PERFORM), data 0


The above error could be because of no SSL connection or a lack of adequate privilege for the connecting user/service account (which is performing this operation).


The second error is self-explanatory. Additionally, please check from ADUC if you are able to assign that primary group ID to a newly created user or an available user; that will clear the assumptions.


Thanks & Regards,

Anand Kumar Jha



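The primaryGroupID idea discussed in this thread only works if the directory operations happen in a specific order, which a single CreateAccountJSON or DisableAccountJSON cannot express: AD refuses a primaryGroupID the user is not already a member of, and once the primary group is switched the old one (Domain Users) becomes an explicit membership that still has to be stripped. The planner below is an added example, not Saviynt's or the poster's code; it does not touch a directory, it only emits the ordered LDAP modifications such a workaround would need. The group DNs, user DN and RIDs other than 513 and 16286 (the two values mentioned in the thread) are constructed sample values.

```python
from dataclasses import dataclass

DOMAIN_USERS_RID = 513  # AD's default primaryGroupID ("Domain Users")
DISABLED_UAC = "514"    # NORMAL_ACCOUNT | ACCOUNTDISABLE, as in the DisableAccountJSON above


@dataclass
class AdUser:
    dn: str
    primary_group_id: int
    member_of: list  # explicit group DNs; AD never lists the primary group here


def plan_disable_keep_one(user, keep_group_dn, group_rids):
    """Return ordered LDAP modifications (op, target DN, attribute, value) that
    disable `user` and leave it in exactly one group by making that group primary.
    `group_rids` maps group DN -> RID (last sub-authority of the group's objectSid)."""
    keep_rid = group_rids[keep_group_dn]
    rid_to_dn = {rid: dn for dn, rid in group_rids.items()}
    ops = []
    to_remove = [g for g in user.member_of if g != keep_group_dn]
    if user.primary_group_id != keep_rid:
        # AD rejects a primaryGroupID the user is not already an explicit member of,
        # so the membership must exist before the attribute is changed.
        if keep_group_dn not in user.member_of:
            ops.append(("MODIFY_ADD", keep_group_dn, "member", user.dn))
        ops.append(("MODIFY_REPLACE", user.dn, "primaryGroupID", str(keep_rid)))
        # After the switch the former primary group turns into an explicit
        # membership, so it has to be stripped like any other group.
        to_remove.append(rid_to_dn[user.primary_group_id])
    for group_dn in to_remove:
        ops.append(("MODIFY_DELETE", group_dn, "member", user.dn))
    ops.append(("MODIFY_REPLACE", user.dn, "userAccountControl", DISABLED_UAC))
    return ops


# Constructed sample data (not from the thread, apart from RIDs 513 and 16286).
SAMPLE_GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": DOMAIN_USERS_RID,
    "CN=Default-Users,OU=Groups,DC=example,DC=com": 16286,
    "CN=Finance,OU=Groups,DC=example,DC=com": 1101,
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": 1102,
}
KEEP_GROUP = "CN=Default-Users,OU=Groups,DC=example,DC=com"
SAMPLE_USER = AdUser(
    dn="CN=sample.user,OU=Staff,DC=example,DC=com",
    primary_group_id=DOMAIN_USERS_RID,
    member_of=[KEEP_GROUP, "CN=Finance,OU=Groups,DC=example,DC=com",
               "CN=VPN-Users,OU=Groups,DC=example,DC=com"],
)

if __name__ == "__main__":
    for op in plan_disable_keep_one(SAMPLE_USER, KEEP_GROUP, SAMPLE_GROUPS):
        print(*op)
```

Any OU move (moveUsertoOU) belongs after these operations, since the group modifications reference the user's current DN.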