
AD account not getting Disabled

KP18
New Contributor

Hi,

We have a requirement that we need to remove all groups and add a new group while disabling the account at AD.

We are using the disable account JSON below to achieve the above use case.

{
  "objects": [
    {
      "objectClasses": [
        "user"
      ],
      "moveObjectToOU": "CN=Users,DC=saviyntlabs,DC=org",
      "deleteAllGroups": "Yes",
      "accountExpires": "${user.enddate!=null?(10000*(user.enddate.getTime()+3888000000+11644473600000)):(10000*(user.termDate.getTime()+3888000000+11644473600000))}",
      "extensionAttribute2": "Term",
      "msExchHideFromAddressLists": "TRUE",
      "groupExclusionListOnRemoval": [
        "CN=UniversalDistGroupIAMT,CN=Users,DC=saviyntadmin,DC=com"
      ],
      "attributes": {
        "userAccountControl": 514
      }
    }
  ]
}

 

The Disable account task is getting created and completed successfully at Saviynt, and I can see the account status is also manually suspended, but the entitlement removal and addition in Saviynt is not working as expected, and the account is neither getting disabled nor moving to the specified OU at AD level.

Can someone help me here?

Regards,

KP

 


NM
Esteemed Contributor

Hi @KP18 , are you trying to add the group from analytics? As disable account won't have anything related to entitlement.


If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'

KP18
New Contributor

Hi @NM ,

Actually, based on the enddate we are provisioning a group to the account before it gets disabled, and then we are triggering the Disable account task with the above-mentioned JSON. As per the JSON, Saviynt has to remove all the other groups except the group mentioned inside "groupExclusionListOnRemoval". As of now Saviynt is disabling the account but it is not removing any of the groups, and also the account is not actually getting disabled at AD.

Regards,

KP
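Added example (not part of the original posts and not Saviynt code): a check of what AD actually holds for the account after the task reports success, against what the JSON above asks for. The attribute dictionaries stand in for an LDAP read of the user object; the account name, the end date, the OU=Staff location and the Finance group are constructed sample values.

```python
from datetime import datetime, timezone

EPOCH_DIFF_MS = 11644473600000  # 1601-01-01 to 1970-01-01 in ms (constant from the JSON)
GRACE_MS = 3888000000           # 45 days in ms (constant from the JSON)
ACCOUNTDISABLE = 0x2            # 514 = 512 (NORMAL_ACCOUNT) + 2 (ACCOUNTDISABLE)
TARGET_OU = "CN=Users,DC=saviyntlabs,DC=org"
KEEP = ["CN=UniversalDistGroupIAMT,CN=Users,DC=saviyntadmin,DC=com"]

def expected_account_expires(end):
    """Mirror the accountExpires expression: epoch ms -> 100 ns ticks since 1601."""
    return 10000 * (round(end.timestamp() * 1000) + GRACE_MS + EPOCH_DIFF_MS)

def check_disabled_state(entry, end, target_ou=TARGET_OU, keep_groups=KEEP):
    """Return findings for one account; an empty list means AD matches the JSON."""
    findings = []
    if not int(entry["userAccountControl"]) & ACCOUNTDISABLE:
        findings.append("userAccountControl: ACCOUNTDISABLE bit not set")
    # Suffix match so an RDN containing an escaped comma does not break the check.
    if not entry["distinguishedName"].lower().endswith("," + target_ou.lower()):
        findings.append("distinguishedName: not under " + target_ou)
    keep = {g.lower() for g in keep_groups}
    # memberOf never lists the primary group, so it is not expected here.
    extra = [g for g in entry.get("memberOf", []) if g.lower() not in keep]
    if extra:
        findings.append("memberOf: still in " + "; ".join(extra))
    if int(entry.get("accountExpires", 0)) != expected_account_expires(end):
        findings.append("accountExpires: does not match end date + 45 days")
    for attr, want in (("extensionAttribute2", "Term"),
                       ("msExchHideFromAddressLists", "TRUE")):
        if entry.get(attr) != want:
            findings.append(f"{attr}: expected {want!r}, got {entry.get(attr)!r}")
    return findings

# Constructed sample data: attribute values as an LDAP read might return them.
END = datetime(2024, 6, 30, tzinfo=timezone.utc)
APPLIED = {
    "distinguishedName": "CN=jdoe,CN=Users,DC=saviyntlabs,DC=org",
    "userAccountControl": "514", "memberOf": list(KEEP),
    "accountExpires": str(expected_account_expires(END)),
    "extensionAttribute2": "Term", "msExchHideFromAddressLists": "TRUE",
}
NOT_APPLIED = {  # task marked complete, but nothing changed in the directory
    "distinguishedName": "CN=jdoe,OU=Staff,DC=saviyntlabs,DC=org",
    "userAccountControl": "512", "accountExpires": "9223372036854775807",
    "memberOf": KEEP + ["CN=Finance,OU=Groups,DC=saviyntlabs,DC=org"],
}

if __name__ == "__main__":
    for name, entry in (("applied", APPLIED), ("not applied", NOT_APPLIED)):
        print(name, check_disabled_state(entry, END) or "OK")
```
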

Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues.



‼️‼️⚠️Do not upload any attachments that contain sensitive information, such as IP Addresses, URLs, Company/Employee Names, Email Addresses, etc.⚠️‼️‼️


Regards,
Rushikesh Vartak

NM
Esteemed Contributor

Hi @KP18 can you remove uac from attribute and just pass it without that?



NM
Esteemed Contributor

Hi @KP18 , did it work?

