
Creating another account for AD based application

Ekata
New Contributor III

Hi Team,

We have a requirement to create another AD based account which will be provisioned to only a group of people in the organization.

For example, department = TSG support.

And the OU should be marked as CN=lastname.firstname- Administrator,OU=Elevated Accounts,OU=Global,DC=BAIN,DC=com

The account name should be ADM.username, so ADM should be the initial which needs to be used at the time of account creation.

I have created the connection, SS and EP separately, but the account is not being created with ADM. It just uses the username and gets created the same as the actual AD account.

Can you guide me on this.

Account name rule at EP is as below:

[Screenshot: account name rule configured at the EP]

Regards,

Ekata


sk
All-Star

Can you share your CREATEACCOUNTJSON? I assume there you might be mapping username for samaccountname instead of pulling it from task?.accountName


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Ekata
New Contributor III

Hi,

Below is the json used:

{
  "samaccountname": "${user?.username}",
  "displayName": "${user?.lastname}, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}${null != user?.customer && user?.customer?.id==4 ? ' (BAN)': ''}",
  "givenName": "${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}",
  "sn": "${user?.lastname}",
  "objectclass": [ "top", "person", "organizationalPerson", "user" ],
  "name": "${user?.lastname}, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname} (${user?.username})",
  "company": "${null != user?.customer && user?.customer.id==4 ? '': 'Bain & Company, Inc.'}",
  "employeeid": "${user?.username}",
  "adminDescription": "E3EMS;E3OFFICE;",
  "UNICODEPWD": "${randomPassword}",
  "pwdLastSet": "0",
  "msNPAllowDialin": "${null != user?.customer && user.customer.id==4 ? 'FALSE':'TRUE'}",
  "extensionattribute6": "${null != user?.customer && user.customer.id==4 ? user?.customproperty22+(user?.employeeclass.substring(user?.employeeclass.indexOf(" ")+1,user?.employeeclass.toString().length())):user?.customproperty22}",
  "department": "${null != user?.customer && user.customer.id==4 ? 'Bain Advisory Network': user?.departmentname}",
  "title": "${null != user?.customer && user?.customer?.id==4 ? 'Bain Advisory Network': user?.title}",
  "description": "${null != user?.customer && user?.customer?.id==4 ? 'Bain Advisory Network': user?.comments}",
  "userAccountControl": "512",
  "manager": "${if(user?.customer?.id==4 && null != managerAccount.accountID){managerAccount.accountID}}",
  "seeAlso": "${user?.customer?.id==4 && (null != managerAccount && null != managerAccount.accountID)? managerAccount.accountID : ''}",
  "accountExpires": "${if ((null != user?.customer && user.customer.id==4) && (user?.enddate != null || user?.enddate != '')) {10000*(user.enddate.getTime() + 11644473600000 +100799999)}else {0}}",
  "l": "${user?.city}",
  "streetAddress": "${user?.street}",
  "st": "${user?.state}",
  "co": "${user?.country}",
  "c": "${user?.customproperty18}",
  "postalCode": "${user?.regioncode}"
}

Should I change the first line as task?.accountName?

Regards,

Ekata

Ekata
New Contributor III

Hi,

I tried task?.accountName for samaccountname instead of username, as per your suggestion, but the issue is still the same.

Just to understand, how are you creating the new ADM* accounts?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Ekata
New Contributor III

So, we have created a different AD-based connector with its own SS and EP, as per the business requirement.

With the above-mentioned account name rule and createaccountjson, we are trying to create new accounts whose account name is ADM followed by the username.

The pending task gets created with ADM but at the time of completion it shows only the username.

For example:

[Screenshots: the pending task shows the ADM-prefixed account name; the completed task shows only the username]

Also, after completion of the task there is a provisioning comment added: Checking DN for CN=Dev Test\, kim test [9999291067],OU=Malden,OU=Americas,DC=BAIN,DC=com.FOund an inactive account -CN=Dev Test\, kim test [9999291067],OU=Malden,OU=Americas,DC=BAIN,DC=com and the attributes-[:] match so using that instead of creating a new one as the account is inactive.

In the connection we are passing ACCOUNTNAMERULE as CN=${user.lastname}\\, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname} [${user?.username}],${null != user?.customer && user?.customer?.id==4 ? 'OU=Contractors,OU=NonEmployees,' : ''}${user?.customproperty49}, where the CP49 value is OU=Malden,OU=Americas,DC=BAIN,DC=com.

Can you advise if this is the reason?

Thanks

Looks like you have the same accountname rule in both AD connections. That is causing the issue in creating the new account if the user already has a regular account, because the distinguished name should be unique.

So change the accountnamerule for the ADM connection to a different one. For example, replace ${user?.username} with ${task?.accountName}.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
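The failure mode above is easy to reproduce outside Saviynt. The following is an added example, not code from Saviynt or from either poster: it models the thread's ACCOUNTNAMERULE as a Python function (a stand-in for the Groovy template), builds the DN with RFC 4514 escaping of the comma in the CN (the `\\,` in the rule), and simulates the behaviour quoted in the provisioning comment, where an existing inactive entry at the target DN is reused instead of a new one being created. The user, the disabled regular account and the `provision()` reuse logic are all constructed for the demonstration; the `User`, `Task`, `dn_from_username` and `dn_from_task` names are assumptions, not Saviynt APIs.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Characters that need a backslash inside an RDN attribute value (RFC 4514).
RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN, e.g. 'Dev Test, kim' -> 'Dev Test\\, kim'."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in RDN_SPECIAL
            or (ch == "#" and i == 0)            # leading '#' is special
            or (ch == " " and i in (0, last))   # leading/trailing space is special
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


@dataclass
class User:
    username: str
    firstname: str
    lastname: str
    preferedFirstName: Optional[str] = None  # spelled as in the thread's JSON
    customproperty49: str = "OU=Malden,OU=Americas,DC=BAIN,DC=com"  # CP49 value from the thread


@dataclass
class Task:
    accountName: str  # output of the endpoint's account name rule, e.g. "ADM.<username>"


def _first_name(user: User) -> str:
    return user.preferedFirstName if user.preferedFirstName is not None else user.firstname


def dn_from_username(user: User, task: Task) -> str:
    """The thread's original ACCOUNTNAMERULE: the RDN is keyed on user.username."""
    cn = f"{user.lastname}, {_first_name(user)} [{user.username}]"
    return f"CN={escape_rdn_value(cn)},{user.customproperty49}"


def dn_from_task(user: User, task: Task) -> str:
    """The suggested fix: key the RDN on task.accountName so the ADM account gets its own DN."""
    cn = f"{user.lastname}, {_first_name(user)} [{task.accountName}]"
    return f"CN={escape_rdn_value(cn)},{user.customproperty49}"


def provision(directory: Dict[str, dict], dn: str, attrs: dict) -> str:
    """Simplified model of the behaviour in the provisioning comment (constructed, not Saviynt's code):
    an existing inactive entry at the target DN is reused instead of a new one being created."""
    existing = directory.get(dn)
    if existing is None:
        directory[dn] = {"enabled": True, **attrs}
        return "created"
    return "reused-inactive" if not existing["enabled"] else "conflict-active"


def run_scenario(rule: Callable[[User, Task], str]) -> Tuple[str, str]:
    """Provision an ADM account for a user whose regular account already exists and is disabled.
    Returns (outcome, dn) so the two rules can be compared."""
    user = User(username="9999291067", firstname="kim test", lastname="Dev Test")  # constructed
    task = Task(accountName=f"ADM.{user.username}")
    # Constructed directory: the regular account exists and is disabled (userAccountControl 514).
    directory = {
        dn_from_username(user, task): {"enabled": False, "sAMAccountName": user.username},
    }
    dn = rule(user, task)
    outcome = provision(directory, dn, {"sAMAccountName": task.accountName})
    return outcome, dn


if __name__ == "__main__":
    for name, rule in (("username rule", dn_from_username), ("task.accountName rule", dn_from_task)):
        outcome, dn = run_scenario(rule)
        print(f"{name:22s} -> {outcome:16s} {dn}")
```

With the username-based rule both connections resolve to the identical DN, so the ADM task lands on the disabled regular account; with `task.accountName` in the RDN the DN differs and a new entry is created. The same check applies to any second connection against one directory: whatever distinguishes the accounts (prefix, OU, or both) must appear in the DN the rule emits, not only in the `samaccountname` attribute.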

Ekata
New Contributor III

Thanks a lot. It worked as expected.