
AD primary group ID needs to be added while creating an AD account as birthright

navneetv
Regular Contributor II

Hi Team

We need to replace the primary group ID 513 (Domain Users AD group) with a different group ID (AD group) when creating an AD account. A task has been generated, but it fails when I try to proceed.

[screenshot: error message]

Error message:
Error while ADD operation for account-alex.test to Group-1181 in AD - [LDAP: error code 21 - 00000057: LdapErr: DSID-0C091275, comment: Error in attribute conversion operation, data 0, v4563]

[screenshot]

Please suggest how we can change/replace the primary group ID while creating the account.


rushikeshvartak
All-Star

Please share the JSON.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

navneetv
Regular Contributor II

@rushikeshvartak We did not include any configuration related to the primary group in the creation JSON. I believed that AD access would be granted through a technical rule, which I configured in one of the technical rules.

Please let me know if there is any additional configuration required for changing the primary group.

If some value needs to be updated, then the attribute needs to be updated in the JSON.


Regards,
Rushikesh Vartak

navneetv
Regular Contributor II

Hi @rushikeshvartak, we are not updating any attribute in AD. We want to make another group the primary group instead of the default Domain Users group. By default, the Domain Users group is set as the primary group when creating an AD account.

[screenshot]

You need to push it using the create JSON, with the attribute name primaryGroupID.


Regards,
Rushikesh Vartak

navneetv
Regular Contributor II

@rushikeshvartak I tried, and it gave me the error. I added the below in the creation JSON, and it failed with both

" PrimaryGroup ":"CN=Test-group-it,OU=Group,OU=IT,DC=Test,DC=xyz,DC=com"

and 
"primaryGroupID":"1181"

2024-04-24T19:33:13+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-2-tf8zf-ERROR-Error Updating the Account from AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C091275, comment: Error in attribute conversion operation, data 0, v4563]

Do we have any way to change the primary group, whether via "add access", "update account" or "new account"?

Share the JSON.


Regards,
Rushikesh Vartak

navneetv
Regular Contributor II

@rushikeshvartak Here is the creation JSON:

{
  "cn": "${cn}",
  "co": "${user.country}",
  "company": "${user.companyname}",
  "department": "${user.departmentname}",
  "departmentNumber": "${user.departmentNumber}",
  "userPrincipalName": "${user.email.toString().substring(0,user.email.indexOf('@'))+'@domain.com'}",
  "displayName": "${user.displayname}",
  "employeeID": "${user.username}",
  "employeeNumber": "${user.customproperty29}",
  "employeeType": "${user.employeeType}",
  "givenName": "${user.preferedFirstName}",
  "l": "${user.city}",
  "c": "${user.customproperty32}",
  "mail": "${user.email}",
  "objectClass": [
    "top",
    "person",
    "organizationalPerson",
    "user"
  ],
  "title": "${user.title}",
  "physicalDeliveryOfficeName": "${user.location}",
  "postalCode": "${user.regioncode}",
  "sAMAccountName": "${user.email.toString().substring(0,user.email.indexOf('@'))}",
  "sn": "${user.customproperty2}",
  "st": "${user.location}",
  "info": "Created by Saviynt Tool( IAM Team)",
  "manager": "${manager?.customproperty51}",
  "otherLoginWorkstations": "${user.customproperty65}",
  "msDS-cloudExtensionAttribute2": "${user.customproperty6}",
  "msDS-cloudExtensionAttribute3": "${user.job_function}",
  "primaryGroupID": "1181",
  "userAccountControl": "512"
}

[This message has been edited by moderator to mask email address]

You cannot revoke the access of a primary member from primaryGroupID, but you can replace it by performing the following steps:

  1. Assign the new primary group to the account.

  2. Update primaryGroupID for that account.

  3. Remove the old primary group from the account.

The primarygroupid attribute is indeed crucial for specifying the primary group of a user in Active Directory. However, in your JSON template, you have hardcoded its value as "1181", which might not be the correct primary group ID for all users.

In Active Directory, the primarygroupid corresponds to the RID (Relative Identifier) of the primary group. Typically, users are placed in the "Domain Users" group by default, which has a RID of 513.

You can calculate the primarygroupid based on the RID of the desired primary group. For the "Domain Users" group, you would use 513. If you have a different primary group, you'll need to find its RID and use that value.


https://docs.saviyntcloud.com/bundle/AD-v2021x/page/Content/Configuring-the-Integration-for-Importin...


Regards,
Rushikesh Vartak
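
The three-step switch described above, together with the two AD error strings quoted earlier in the thread, as an added example; this is not code from Saviynt, from the poster, or from Microsoft. It assumes only the Python standard library (the `apply_with_ldap3` helper assumes the ldap3 package is installed and imports it lazily). The function names, the sample SID and the user and Domain Users DNs are constructed for the example; the group DN is the one quoted in the thread.

```python
"""Ordered primary-group switch and AD error decoding (added example).

Not Saviynt's or Microsoft's code.  Standard library only; the optional
ldap3 helper imports ldap3 lazily.  primaryGroupID carries the RID (last
sub-authority) of the group's objectSid, AD accepts the new value only once
the user is already a member of that group, and the old group can be left
only after it has stopped being the primary one.
"""
import re
import struct

# RFC 4511 result codes seen in the thread, plus the one AD uses for refusals.
LDAP_RESULT_NAMES = {16: "noSuchAttribute", 21: "invalidAttributeSyntax",
                     53: "unwillingToPerform"}
_AD_ERR = re.compile(r"error code (\d+) - ([0-9A-Fa-f]{8}):")


def parse_ad_ldap_error(message: str) -> dict:
    """Extract the LDAP result code and the Win32 sub-code from an AD error.

    AD prefixes its diagnostic with the Win32 error in hex; "00000057" is
    decimal 87, ERROR_INVALID_PARAMETER.
    """
    m = _AD_ERR.search(message)
    if not m:
        raise ValueError("not an AD LDAP error string")
    code = int(m.group(1))
    return {"ldap_code": code,
            "ldap_name": LDAP_RESULT_NAMES.get(code, "other"),
            "win32_code": int(m.group(2), 16)}


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary objectSid: revision (1 byte), sub-authority count
    (1 byte), identifier authority (6 bytes big-endian), then count x
    uint32 little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def rid_from_sid(sid) -> int:
    """RID = last sub-authority; accepts the S-1-... string or the raw bytes."""
    if isinstance(sid, (bytes, bytearray)):
        sid = sid_bytes_to_string(bytes(sid))
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def primary_group_change_plan(user_dn, new_group_dn, new_group_sid,
                              old_group_dn, current_member_of=()):
    """Return the LDAP modifications in order, as (dn, op, attr, value).

    current_member_of lists group DNs the user already belongs to, so the
    membership add is skipped when present.  primaryGroupID is replaced
    before the old membership is deleted, because AD refuses to remove a
    user from its current primary group.
    """
    plan = []
    if new_group_dn not in current_member_of:
        plan.append((new_group_dn, "add", "member", user_dn))
    rid = rid_from_sid(new_group_sid)
    plan.append((user_dn, "replace", "primaryGroupID", str(rid)))
    if old_group_dn and old_group_dn != new_group_dn:
        plan.append((old_group_dn, "delete", "member", user_dn))
    return plan


def apply_with_ldap3(conn, plan):
    """Send each step as its own modify over a bound ldap3 Connection
    (ldap3 assumed installed).  Stops at the first failure and returns its
    index, so a rejected primaryGroupID never leads to dropping the old
    membership; returns None when every step succeeded."""
    from ldap3 import MODIFY_ADD, MODIFY_DELETE, MODIFY_REPLACE
    ops = {"add": MODIFY_ADD, "replace": MODIFY_REPLACE, "delete": MODIFY_DELETE}
    for i, (dn, op, attr, value) in enumerate(plan):
        if not conn.modify(dn, {attr: [(ops[op], [value])]}):
            return i
    return None


# Constructed sample data: a made-up domain SID ending in RID 1181, the group
# DN quoted in the thread, and made-up user and Domain Users DNs.
SAMPLE_GROUP_SID = bytes.fromhex(
    "0105000000000005" "15000000" "01000000" "02000000" "03000000" "9d040000")
NEW_GROUP_DN = "CN=Test-group-it,OU=Group,OU=IT,DC=Test,DC=xyz,DC=com"
OLD_GROUP_DN = "CN=Domain Users,CN=Users,DC=Test,DC=xyz,DC=com"
USER_DN = "CN=alex.test,OU=Users,DC=Test,DC=xyz,DC=com"


def demo():
    """Plan for moving the sample user from Domain Users to the new group."""
    return primary_group_change_plan(USER_DN, NEW_GROUP_DN, SAMPLE_GROUP_SID,
                                     OLD_GROUP_DN, [OLD_GROUP_DN])
```

Running `demo()` yields three modifications in the order the reply gives: add the user to the new group, replace primaryGroupID with the RID read from that group's objectSid, then remove the user from the old group. A connector that only emits the replace step, or that hardcodes a number unrelated to the group's objectSid, skips the precondition AD enforces; the SID decoder is how you check which RID the target group actually has.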

navneetv
Regular Contributor II

Hi @rushikeshvartak,

I got your point. I will try this way as well.

I have one question: is there a way to add a group that we want to make primary once the Saviynt profile is turned inactive?

I am able to generate the "Add access" for inactive profiles via the analytics report. However, when I tried to proceed with the "Add access", it got disconnected by itself with the below message:

[screenshot]

The user needs to be active.


Regards,
Rushikesh Vartak

navneetv
Regular Contributor II

@rushikeshvartak Sorry for asking so many nonsensical questions. Is there an option or feature in the global configuration that allows us to add access to an inactive profile?

I have checked and didn't find any.

https://forums.saviynt.com/t5/identity-governance/create-account-for-inactive-users/m-p/71593#M45248


Regards,
Rushikesh Vartak