Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

can't update AD account

saoual
New Contributor
New Contributor

Hello,
I have run a create update account task on the AD connector, however when the provisioning job executes I get this error:

Error while update account in AD : { "status": "Failure", "failedObjects": [ { "id": "CN=upgrade\\", "status": "Failure", "message": "Failed to update attributes. | Please check the data sent to telephonenumber,extensionAttribute6,mobile.", "messageCodes": "OBJ_ERR_00022 | OBJ_INFO_MSG_00005", "errorDetails": "OBJ_ERR_00022 : -2147024891 : Access is denied." } ], "connectionString": "LDAP://domain.net" }

I checked the attributes indexed in the error:
- user does not have telephonenumber 

saoual_1-1709742914071.png

- the user doesn't have a mobile

saoual_0-1709742869434.png


- the value entered for the extensionattribute6 is correct


Can anyone help me please?

Regards

20 REPLIES 20

AmitM
Valued Contributor
Valued Contributor

Hi @saoual , try adding null check 

"telephoneNumber": "${if(user?.phonenumber!=null){user?.phonenumber}else{''}}",
"mobile": "${if(user?.customproperty5!=null){user?.customproperty5}else{''}}",

Thanks,

Amit

If this answers your query, Please ACCEPT SOLUTION and give KUDOS.

saoual
New Contributor
New Contributor

Hi AmitM,


I've already done this and got the same error

AmitM
Valued Contributor
Valued Contributor

Good to know you did that already though it was not mentioned in your post 🙂

Can you try to update same via powershell or manually using the Same service account as Saviynt connector?

If you get the same error , you might need to ask AD team to elevate permissions. 

Thanks,

Amit

Kramerica
New Contributor II
New Contributor II

@AmitM  were you able to resolve the issue?

Please share json


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Kramerica
New Contributor II
New Contributor II

{
"objects": [
{
"objectClasses": [
"user",
"top",
"Person",
"OrganizationalPerson"
],
"attributes": {
"postalCode": "${if(user?.customproperty15!=null && user?.customproperty15!=''){user?.customproperty15}else{''}}",
"st": "${if(user?.state!=null && user?.state!=''){user?.state}else{''}}",
"l": "${if(user?.city!=null && user?.city!=''){user?.city}else{''}}",
"streetAddress": "${if(user?.street!=null && user?.street!=''){user?.street}else{''}}",
"company": "${if(user?.customproperty4!=null && user?.customproperty4!=''){user?.customproperty4}else{''}}",
"manager": "${managerAccount==null?'':managerAccount.accountID.replace('\\,', '\\\\,')}",
"sn": "${if(user?.lastname!=null && user?.lastname!=''){user?.lastname}else{''}}",
"givenName": "${if(user?.preferedFirstName!=null && user?.preferedFirstName!=''){user?.preferedFirstName}else{user?.firstname}}",
"displayName": "${cn}",
"cn": "${cn?.replace(',', '\\\\,')?.replace('/','\\/')}",
"sAMAccountName": "${user?.username}",
"userPrincipalName": "${user?.username + '@' + 'addev.client.com'}",
"middleName": "${if(user?.middlename!=null && user?.middlename!=''){user?.middlename.charAt(0)}else{''}}",
"initials": "${if(user?.middlename!=null && user?.middlename!=''){user?.middlename.charAt(0)}else{''}}",
"telephoneNumber": "${if(user?.phonenumber!=null && user?.phonenumber!=''){user?.phonenumber}else{''}}",
"physicalDeliveryOfficeName": "${if(user?.locationdesc!=null && user?.locationdesc!=''){user?.locationdesc}else{''}}",
"department": "${if(user?.departmentname!=null && user?.departmentname!=''){user?.departmentname}else{''}}",
"title": "${if(user?.title!=null && user?.title!=''){user?.title}else{''}}",
"co": "${if(user?.country!=null && user?.country!=''){user?.country}else{''}}",
"employeeID": "${user?.username}",
"msExchExtensionAttribute17": "${if(user?.customproperty6!=null && user?.customproperty6!=''){user?.customproperty6}else{''}}",
"msExchExtensionAttribute16": "${if(user?.customproperty7!=null && user?.customproperty7!=''){user?.customproperty7}else{''}}",
"msExchExtensionAttribute18": "${if(user?.customproperty8!=null && user?.customproperty8!=''){user?.customproperty8}else{''}}",
"businessCategory": "${if(user?.customproperty1!=null && user?.customproperty1!=''){if(user.customproperty1.equalsIgnoreCase('ITAR')){'True'}else{'False'}}else{''}}",
"extensionattribute7": "${if(user?.customproperty2!=null && user?.customproperty2!=''){user?.customproperty2}else{''}}",
"extensionattribute9": "${if(user?.customproperty14!=null && user?.customproperty14!=''){user?.customproperty14}else{''}}",
"extensionattribute11": "${if(user?.departmentname!=null && user?.departmentname!=''){user?.departmentname}else{''}}",
"extensionattribute8": "${if(user?.customproperty13!=null && user?.customproperty13!=''){user?.customproperty13}else{''}}",
"userAccountControl": "512",
"pwdLastSet": "0"
},
"baseDn": "OU=Provisioned Users,DC=addev,DC=client,DC=com",
"password": "${password}"
}
]
}

Kramerica
New Contributor II
New Contributor II

I can easily reproduce the issue via Postman also so I doubt it's JSON issue. Here are ADSI logs

2024-04-11 10:44:42.0368 [10] DEBUG ADSIConnector.Common.ADOperations.CreateUpdateOperations update cn key and Value is [vf2\, ds]
2024-04-11 10:44:42.0368 [10] DEBUG ADSIConnector.Common.ADOperations.CreateUpdateOperations update sAMAccountName key and Value is [A0785629]
2024-04-11 10:44:42.0368 [10] DEBUG ADSIConnector.Common.ADOperations.CreateUpdateOperations update extensionattribute7 key and Value is [Americas]
2024-04-11 10:44:42.0368 [10] DEBUG ADSIConnector.Common.ADOperations.CreateUpdateOperations update extensionattribute9 key and Value is [8534]
2024-04-11 10:44:42.0368 [10] DEBUG ADSIConnector.Common.ADOperations.CreateUpdateOperations update extensionattribute11 key and Value is [IT]
2024-04-11 10:44:42.0368 [10] DEBUG ADSIConnector.Common.ADOperations.CreateUpdateOperations update extensionattribute8 key and Value is [00123]
2024-04-11 10:44:42.0368 [10] DEBUG ADSIConnector.Common.ADOperations.CreateUpdateOperations update userAccountControl key and Value is [512]
2024-04-11 10:44:42.0368 [10] DEBUG ADSIConnector.Common.ADOperations.CreateUpdateOperations update pwdLastSet key and Value is [0]
2024-04-11 10:44:42.0368 [10] DEBUG ADSIConnector.Common.ADOperations.CreateUpdateOperations update baseDn key and Value is [OU=Provisioned Users,DC=addev,DC=etn,DC=com]
2024-04-11 10:44:42.0368 [10] DEBUG ADSIConnector.Common.ADOperations.CreateUpdateOperations Additional object classes updated for - vf2, ds
2024-04-11 10:44:42.0368 [10] ERROR ADSIConnector.Common.Helpers.ResponseHelper Please check the data sent to extensionattribute7,extensionattribute9,extensionattribute11,extensionattribute8.

Do you mean not working from postman also


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Correct, not working from postman also where I can directly pass the data as string and non-null values. I see the logs that I shared.

It should work from postman


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

But it’s not.

Work with app team to fix postman issue first


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

I can populate these attributes via powershell or ldap browser using the same service account so what should I tell App team?

Kramerica
New Contributor II
New Contributor II

@rushikeshvartak 

I have attached the response.txt here for Postman call to create a user and you ll see following in Postman response - "message": "Please check the data sent to extensionattribute7,extensionattribute9,extensionattribute11,extensionattribute8.",
"messageCodes": "OBJ_INFO_MSG_00005". We see similar message on ADSI logs -  2024-04-11 10:44:42.0368 [10] ERROR ADSIConnector.Common.Helpers.ResponseHelper Please check the data sent to extensionattribute7,extensionattribute9,extensionattribute11,extensionattribute8.

This I went to PowerShell with the same Admin user on same ADSI box and update extensionattribute7,extensionattribute9,extensionattribute11,extensionattribute8 for the same user, for which Powershell logs are attached and I am able to do that. So if I go to AD team, not sure what to ask them.

Reduce number of attributes and find which attribute is causing issue


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Kramerica
New Contributor II
New Contributor II

I have tried that technique, and all extensionattribute are causing that.

Then attribute name must be wrong


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Kramerica
New Contributor II
New Contributor II

That’s the very first thing that I validated.

Use a as capital

extensionAttribute9


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Kramerica
New Contributor II
New Contributor II

Already tried.