ADSI Enable Account, Disable Account Tasks Fail with DistinguishedName ID Does Not Exists Error

ReshamDas
Regular Contributor

Hi,

We are configuring ADSI provisioning for EnableAccountJSON and DisableAccountJSON as per the code provided in the Saviynt documentation here. However, we see that the 'Enable Account' and 'Disable Account' tasks created from the configured User Update Rules are failing when the WSRETRY job runs, with the following error message: "Error enabling/disabling account in ADSI: { "status": "Failure", "failedObjects": [ { "id": "33058a70-72cd-4df0-ba49-9bc8fa8ae271", "status": "Failure", "message": "33058a70-72cd-4df0-ba49-9bc8fa8ae271 does not exist.", "messageCodes": "OBJ_ERR_MSG_00002" } ], "connectionString": "LDAP://AD_Hostname:Port" }".

But that particular Account ID is visible in the Account Details tab of the account in the Saviynt UI.

We have tested on multiple accounts and received the same error in all cases. As per similar forum posts, we have tried the below options for the distinguishedName code:

  • "distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\\/')}"
  • "distinguishedName": "${accountsObj?.accountID.replace('\\', '\\\\')?.replace('/', '\\/')}"

But in both cases we received the same error, and no further error details were found in the logs. PFA the Disable-Enable Account JSON Error Logs.csv file for the logs captured during WSRETRY execution on one of the 'Disable Account' tasks that failed.

ENABLEACCOUNTJSON:

{
  "objects": [{
    "objectClasses": ["user"],
    "distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\\/')}",
    "deleteAllGroups": false,
    "attributes": {
      "userAccountControl": "544"
    }
  }]
}

DISABLEACCOUNTJSON:

{
  "objects": [{
    "objectClasses": ["user"],
    "distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\\/')}",
    "deleteAllGroups": false,
    "attributes": {
      "userAccountControl": 514
    }
  }]
}

Please suggest.

rushikeshvartak
All-Star

Test with Hardcoded Values: Temporarily hardcode a known good distinguishedName directly in your JSON to isolate whether the issue is with the dynamic replacement or the ADSI operations.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ReshamDas
Regular Contributor

@rushikeshvartak tried with the exact value mentioned in this forum post, hardcoded in the DISABLEACCOUNTJSON, and got the same error response.

  • Does the service account have the required permissions?
  • Validate the below:

{
  "objects": [{
    "objectClasses": ["user"],
    "distinguishedName": "${account.accountID}",
    "attributes": {
      "userAccountControl": "544"
    }
  }]
}

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ReshamDas
Regular Contributor

@rushikeshvartak still the same error with this code snippet applied to the ENABLEACCOUNTJSON.

The service account has domain administrator privileges, as recommended in the Saviynt documentation.

Can you share the logs in a text file?

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ReshamDas
Regular Contributor

Here are the logs in a txt file.

ReshamDas
Regular Contributor

This issue has been resolved now. We were mapping the distinguishedName attribute to accountID, as given in the sample JSON in the Saviynt documentation, which was wrong. In our business case, we map the distinguishedName attribute in AD LDAP for ADSI accounts to the CustomProperty25 field in the USER_ATTRIBUTE JSON.

This is why the distinguishedName was not being resolved during execution of the ENABLEACCOUNTJSON and DISABLEACCOUNTJSON.

After updating the JSONs to point distinguishedName at ${account.customproperty25?.replace('\\', '\\\\')?.replace('/', '\\/')}, the tasks completed successfully and were provisioned in AD.
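As an added example (not code from the thread, from Saviynt, or from the ADSI connector), the Python below mirrors the two things this thread turns on: it escapes a DN the same way the `?.replace('\\', '\\\\')?.replace('/', '\\/')` expression does so that the DN survives inside a JSON string, and it refuses a value that is GUID-shaped rather than a DN, which is the shape of the id in the original error and the symptom of the accountID mapping that the resolution describes. It also decodes the userAccountControl values used in the two JSONs: 514 is 512 (NORMAL_ACCOUNT) plus 2 (ACCOUNTDISABLE), while 544 is 512 plus 32 (PASSWD_NOTREQD), so the enable JSON as posted also sets the password-not-required flag; 512 alone enables a normal account without it. The sample DN, the flag table and all function names are constructed for illustration.

```python
"""Added example: validate and escape the distinguishedName sent in an
ADSI enable/disable payload, and decode userAccountControl values.
Not code from the thread or from Saviynt; the sample DN and helper
names are constructed for illustration."""
import json
import re
from typing import List

# Active Directory userAccountControl flag bits relevant to the thread.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# objectGUID-style value (the shape shown in the original error message).
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
# Loose DN shape: at least one 'attribute=value' RDN.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+")


def escape_dn_for_json(dn: str) -> str:
    """Python equivalent of the thread's
    ?.replace('\\', '\\\\')?.replace('/', '\\/') expression:
    double every backslash, then escape forward slashes, so the DN can
    be placed inside a JSON string literal and parsed back unchanged."""
    return dn.replace("\\", "\\\\").replace("/", "\\/")


def looks_like_dn(value: str) -> bool:
    """Guard against the failure in the thread: a GUID (or empty value)
    placed where a DN is expected. True only for RDN-shaped text."""
    if not value or GUID_RE.match(value):
        return False
    return bool(RDN_RE.match(value))


def build_payload(dn: str, uac: int) -> str:
    """Render the enable/disable JSON text with the DN escaped as the
    thread's expression would escape it. Raises if the value is not a DN,
    surfacing the misconfiguration before a round trip to AD."""
    if not looks_like_dn(dn):
        raise ValueError(f"distinguishedName is not a DN: {dn!r}")
    return (
        '{"objects": [{"objectClasses": ["user"], '
        '"distinguishedName": "' + escape_dn_for_json(dn) + '", '
        '"deleteAllGroups": false, '
        '"attributes": {"userAccountControl": "' + str(uac) + '"}}]}'
    )


def dn_from_payload(payload: str) -> str:
    """Parse the JSON the way a consumer would and return the DN,
    confirming that the escaping round-trips."""
    return json.loads(payload)["objects"][0]["distinguishedName"]


def decode_uac(uac: int) -> List[str]:
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


if __name__ == "__main__":
    # Constructed DN with an LDAP-escaped comma and a slash in an OU name.
    sample_dn = "CN=Doe\\, Jane,OU=Service/Accounts,DC=example,DC=com"
    disable = build_payload(sample_dn, 514)
    print(disable)
    print(dn_from_payload(disable) == sample_dn)
    print(decode_uac(544), decode_uac(514))
    try:
        build_payload("33058a70-72cd-4df0-ba49-9bc8fa8ae271", 544)
    except ValueError as exc:
        print(exc)
```

Running the block prints the escaped disable payload, confirms the DN parses back to the original, lists the flags behind 544 and 514, and shows the GUID-shaped id from the thread being rejected before any LDAP call is made.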