04/12/2022 12:56 PM
Hi - We have a use case in AD to disable accounts, move them to a specific OU and strip all existing groups. This was achieved using the following block in the AD connection.
{
"moveUsertoOU": "OU=DeletedUsers,DC=saviyntadmin,DC=com",
"deleteAllGroups": "Yes",
"userAccountControl": "514",
"password": "${randomPassword}"
}
But it was recently requested to retain 1 group (default for all users) and delete all other groups during the Disable operation. Unable to find a solution in the AD connector document, any suggestions?
Regards,
Leslie
04/12/2022 01:58 PM
Hi Leslie,
Greetings!!
We do not have any such feature to maintain a group exclusion list during the remove/disable account operation.
You could raise this as an improvement request for directory connectors.
Thanks & Regards,
Anand Kumar Jha
04/12/2022 01:58 PM
Hi Anand,
Thanks for your time, will raise an improvement request as suggested.
In the meantime, I was exploring my options to see if primaryGroupID can be used as a workaround. You might already know the default primaryGroupID=513 (Domain Users) is set for all users. If I were to manipulate the value of primaryGroupID with the desired group I wish to retain during Disable/Remove operations, I might be able to achieve my use case. However, I am getting the following errors when I added primaryGroupID in the CreateAccountJSON.
When I use: "primaryGroupID":"16286" or "primaryGroupID":'16286' or "primaryGroupID":"${user.customproperty21}"
Error while creating account in AD - [LDAP: error code 53 - 00000529: SvcErr: DSID-031A1254, problem 5003 (WILL_NOT_PERFORM), data 0
When I use: "primaryGroupID":16286 (without single, double quotes or CP)
ERROR ldap.SaviyntGroovyLdapService - Error while creating account in AD - Malformed 'primaryGroupID' attribute value
Any suggestions?
Regards,
Leslie
04/12/2022 01:58 PM
Hi Leslie,
Greetings!!
The workaround with primaryGroupID might not be helpful in this case, although you could try it.
Talking about errors,
##############################################################################
When I use: "primaryGroupID":"16286" or "primaryGroupID":'16286' or "primaryGroupID":"${user.customproperty21}"
Error while creating account in AD - [LDAP: error code 53 - 00000529: SvcErr: DSID-031A1254, problem 5003 (WILL_NOT_PERFORM), data 0
The above error could be because of no SSL connection or a lack of adequate privileges for the connecting user/service account (which is performing this operation).
The second error is self-explanatory. Additionally, please check from ADUC whether you are able to assign that primary group ID to a newly created user or an available user. That will clear up the assumptions.
Thanks & Regards,
Anand Kumar Jha
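Added example, not Saviynt connector code and not written by anyone in the thread: Active Directory only accepts a primaryGroupID that is the RID (last component of the group's objectSid) of a group the account already belongs to, so the retained group has to be added as a membership before the attribute is changed, and the previous primary group then has to be removed like any other group. The sketch below decodes objectSid values and plans that order of operations; the domain SID, DNs, dictionary layout and function names are constructed assumptions, while 16286 and 514 are the values quoted in the thread.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid (as LDAP returns it) into S-1-5-21-... form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])        # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_sid(raw: bytes):
    """Return (domain SID, RID); primaryGroupID stores only the RID."""
    domain, rid = sid_to_str(raw).rsplit("-", 1)
    return domain, int(rid)

def plan_disable(user: dict, groups: dict, keep_dn: str) -> list:
    """Ordered changes that leave keep_dn as the account's only group."""
    user_domain, _ = split_sid(user["objectSid"])
    keep_domain, keep_rid = split_sid(groups[keep_dn])
    if keep_domain != user_domain:
        raise ValueError("primary group must come from the user's own domain")
    steps, to_remove = [], [dn for dn in user["memberOf"] if dn != keep_dn]
    if user["primaryGroupID"] != keep_rid:
        if keep_dn not in user["memberOf"]:
            steps.append(("add_member", keep_dn))      # membership must exist first
        steps.append(("set_primaryGroupID", keep_rid))
        # The previous primary group becomes an ordinary membership afterwards.
        to_remove += [dn for dn, sid in groups.items()
                      if split_sid(sid)[1] == user["primaryGroupID"] and dn != keep_dn]
    steps += [("remove_member", dn) for dn in to_remove]
    return steps + [("set_userAccountControl", 514), ("move", user["targetOU"])]

# Constructed sample data: the domain SID, DNs and the user are made up.
def _sid(rid: int) -> bytes:
    return bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1111, 2222, 3333, rid)

GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=test": _sid(513),
    "CN=Retained,OU=Groups,DC=example,DC=test": _sid(16286),
    "CN=VPN,OU=Groups,DC=example,DC=test": _sid(1201),
}
USER = {"objectSid": _sid(2001), "primaryGroupID": 513,
        "memberOf": ["CN=VPN,OU=Groups,DC=example,DC=test"],
        "targetOU": "OU=DeletedUsers,DC=example,DC=test"}

if __name__ == "__main__":
    for step in plan_disable(USER, GROUPS, "CN=Retained,OU=Groups,DC=example,DC=test"):
        print(step)
```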