
EnableAccount JSON is failing to enable account

jdoma
Regular Contributor

We have the below JSON in the EnableAccountJSON attribute for the AD connector. The Enable Account task is failing with the below error.

SAV-Error while enabling account,No account found using disable rules

JSON:

{
"ATTRIBUTESTOCHECK":{"sAMAccountName":"${user.systemUserName}","uid":"${user.username}"},
"REMOVEGROUPS":"NO",
"USEDNFROMACCOUNT":"YES",
"MOVEDN": "YES",
"AFTERENABLEACTIONS":{"userAccountControl":"512"}
}


rushikeshvartak
All-Star

Try movedn : no


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

jdoma
Regular Contributor

Hi Rushikesh,

Still getting the same error.

Does the account exist with the specified sAMAccountName & uid?


Regards,
Rushikesh Vartak

Manu269
All-Star

Can you please validate a few items:

ENABLEACCOUNTJSON Sample :

"DISABLEACCOUNTCHECKRULE": "[CN=${user.firstname}${user.lastname},cn=Users,dc=XX,dc=XX,dc=com,CN=${user.firstname}${user.middlename},cn=Users,dc=corpAD,dc=XX,dc=com]",
"ENABLEACCOUNTOU": "OU=CloudUsers,DC=XX,DC=com",
"ATTRIBUTESTOCHECK": "{userAccountControl:514,sn:${user.lastname},cn:${user.firstname}",
"REMOVEGROUPS": "YES",
"USEDNFROMACCOUNT": "YES",
"MOVEDN": "NO",
}

 

Note:

MOVEDN: Use this attribute to move the account to a different container. When set to Yes, the connector moves the account to a different container. This requires you to specify the name of the new container in the ENABLEACCOUNTOU attribute.

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos.

jdoma
Regular Contributor

Hi Rushikesh,

Yes, the account exists with the same sAMAccountName.

You need to try permutations and combinations of the attributes with YES and NO.


Regards,
Rushikesh Vartak

jdoma
Regular Contributor

I have tried all the combinations here and also tried with a simple JSON as below, but it is still throwing the same error:

{
"AFTERENABLEACTIONS": {"userAccountControl" : "512","msExchHideFromAddressLists":"FALSE"}
}

SAV-Error while enabling account,No account found using disable rules

@jdoma - from the error, it looks like you are missing the following parameter in the JSON - DISABLEACCOUNTCHECKRULE.

 

Thanks,
Amit

arjungadgul
New Contributor II

Hi All,

We are also facing a similar error while enabling the account in AD.

In our case we are not even moving the account to a different OU when it is disabled.

Logs for quick reference : 

{"log":"2022-11-10 13:49:21,291 [quartzScheduler_Worker-1] ERROR ldap.SaviyntGroovyLdapService - No account found using disable rules \n","stream":"stdout","time":"2022-11-10T13:49:21.291682965Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,293 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - Inside updateProvisioningTries..\n","stream":"stdout","time":"2022-11-10T13:49:21.293757009Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,301 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - Entering provisionAccesstoAccountSaviynt\n","stream":"stdout","time":"2022-11-10T13:49:21.301137606Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,301 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - {tmanagement3=[]}\n","stream":"stdout","time":"2022-11-10T13:49:21.301160726Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,301 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - EnableAccount\n","stream":"stdout","time":"2022-11-10T13:49:21.301164834Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,301 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - accountID before merge = CN=Test Management3,OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com\n","stream":"stdout","time":"2022-11-10T13:49:21.301214753Z"}
2022-11-10, 07:19 pm
ecm-worker
{"log":"2022-11-10 13:49:21,303 [quartzScheduler_Worker-1] DEBUG services.ArsTaskService - accountID after merge = CN=Test Management3,OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com\n","stream":"stdout","time":"2022-11-10T13:49:21.303515776Z"}

Any leads would be helpful.

Regards,

Arjun Gadgul

@arjungadgul - What is your JSON like? Do you have DISABLEACCOUNTCHECKRULE in the disable account JSON? From the error logs it looks like the rule for DISABLEACCOUNTCHECKRULE parameter is not matching the DN which you have for the disabled account. 

 

 

Thanks,
Amit

jdoma
Regular Contributor

I'm using the below JSON under EnableAccount.

{
"DISABLEACCOUNTCHECKRULE": ["CN=${user.firstname} ${user.lastname},OU=Deleted Users,OU=TestHSP,DC=AU,DC=AD,DC=HSP"],
"ENABLEACCOUNTOU": "OU=Users,${if(user.siteid.toString().toLowerCase().contains('corp')){'OU=CORPNSW1006,OU=CORP,OU=TestHSP,DC=AU,DC=AD,DC=HSP'}
else if(user.siteid.toString().toLowerCase().contains('hosp')){'OU=HOSPACT1018,OU=HOSP,OU=TestHSP,DC=AU,DC=AD,DC=HSP'}
else if(user.siteid.toString().toLowerCase().contains('acha')){'OU=ACHA,OU=TestHSP,DC=AU,DC=AD,DC=HSP'}
}",
"ATTRIBUTESTOCHECK":{"userAccountControl":"514","healthscopeUID":"${user.username}"},
"REMOVEGROUPS":"NO",
"USEDNFROMACCOUNT":"YES",
"MOVEDN": "YES",
"AFTERENABLEACTIONS":{"userAccountControl":"512","msExchHideFromAddressLists":"FALSE"}
}

Getting below error: Checking DN for CN=D-SAMEER KUMARA908,OU=Deleted Users,OU=TestHSP,DC=AU,DC=AD,DC=HSP. Error while searching for DN-Cannot invoke method equalsIgnoreCase() on null object SAV-Error while enabling account,No account found using disable rules.

I can see the user under Deleted Users OU in AD.

@jdoma - Could you please post the logs (not just the error part, at least 100 lines before & after) when a single task is executed for the disable account?

 

Thanks,
Amit

jdoma
Regular Contributor

Here is the complete log captured.

@jdoma - From the logs it looks like the search was successful and the application determined the disabled account from LDAP; however, the mapping for the DN could be the issue. What is the mapping for distinguished name or DN in the account attributes?

 

Thanks,
Amit

arjungadgul
New Contributor II

@amit_krishnajit - We are using below JSON for EnableAccount

{
"DISABLEACCOUNTCHECKRULE":"[CN=${user.displayname},OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com]",
"MOVEDN" : "NO",
"REMOVEGROUPS" : "NO" ,
"AFTERMOVEACTIONS" : { "userAccountControl" : "544" , "lockoutTime":"0"}
}

Now we are getting below error:

SAV-Error while enabling account,Cannot cast object '[CN=Test Management3,OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com]' with class 'java.lang.String' to class 'java.util.List'

Regards,

Arjun Gadgul

@arjungadgul - the placement of double quotes seems to be incorrect in the JSON for the parameter DISABLEACCOUNTCHECKRULE. It's a list, so the values should have double quotes instead of the list itself. 

Incorrect:
"DISABLEACCOUNTCHECKRULE":"[CN=${user.displayname},OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com]",

Correct: 

"DISABLEACCOUNTCHECKRULE":[ "CN=${user.displayname},OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com"],

 

 

Thanks,
Amit
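
Added example, not part of any post in this thread and not Saviynt code: a Python check that lints an EnableAccount JSON for the two mistakes raised so far, namely DISABLEACCOUNTCHECKRULE written as a quoted string instead of a list, and MOVEDN set to YES without ENABLEACCOUNTOU. The function name `lint_enable_account_json` is hypothetical, the rules assume only what the posts above state, and the connector's own account matching is not reproduced.

```python
import json

def lint_enable_account_json(text):
    """Return findings for an EnableAccount JSON string (empty list = clean)."""
    try:
        # strict=False accepts raw newlines inside strings, as used by the
        # multi-line ${...} expressions posted in this thread.
        cfg = json.loads(text, strict=False)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]

    findings = []
    rule = cfg.get("DISABLEACCOUNTCHECKRULE")
    if isinstance(rule, str):
        # The mistake behind the "Cannot cast ... String to ... List" error.
        findings.append("DISABLEACCOUNTCHECKRULE is a quoted string; "
                        "make it a JSON list and quote each DN instead")
    elif rule is not None and (not isinstance(rule, list) or not rule or
            not all(isinstance(dn, str) and dn.strip() for dn in rule)):
        findings.append("DISABLEACCOUNTCHECKRULE must be a non-empty list of DN strings")

    # Per the note in the thread, MOVEDN=YES needs a target container.
    move = str(cfg.get("MOVEDN") or "").strip().upper()
    if move == "YES" and not str(cfg.get("ENABLEACCOUNTOU") or "").strip():
        findings.append("MOVEDN is YES but ENABLEACCOUNTOU is not set")
    return findings

# Inputs taken from the posts above (shortened).
QUOTED_LIST = '''{
"DISABLEACCOUNTCHECKRULE":"[CN=${user.displayname},OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com]",
"MOVEDN" : "NO", "REMOVEGROUPS" : "NO"
}'''
FIXED_LIST = '''{
"DISABLEACCOUNTCHECKRULE":["CN=${user.displayname},OU=Ahm Users,OU=Ahmedabad br,DC=test,DC=com"],
"MOVEDN" : "NO", "REMOVEGROUPS" : "NO"
}'''
MOVE_WITHOUT_OU = '''{
"ATTRIBUTESTOCHECK":{"sAMAccountName":"${user.systemUserName}","uid":"${user.username}"},
"USEDNFROMACCOUNT":"YES", "MOVEDN": "YES"
}'''
TRAILING_COMMA = '{"USEDNFROMACCOUNT": "YES", "MOVEDN": "NO",}'

if __name__ == "__main__":
    for name in ("QUOTED_LIST", "FIXED_LIST", "MOVE_WITHOUT_OU", "TRAILING_COMMA"):
        print(name, lint_enable_account_json(globals()[name]))
```
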

Hello @amit_krishnajit - Thanks, we were able to fix it.

The AD connector guide document is misleading -

{
"DISABLEACCOUNTCHECKRULE": "[CN=${user.firstname}${user.lastname},cn=Users,dc=corpAD,dc=abccompany,dc=com,CN=${user.firstname}${user.middlename},cn=Users,dc=corpAD,dc=abccompany,dc=com]",
"ENABLEACCOUNTOU": "OU=CloudUsers,DC=abccompany,DC=com",
"ATTRIBUTESTOCHECK": "{userAccountControl:514,sn:${user.lastname},cn:${user.firstname}",
"REMOVEGROUPS": "YES",
"USEDNFROMACCOUNT": "YES",
"MOVEDN": "NO",
}

If you can get it corrected pleas..

Regards,

Arjun Gadgul

jdoma
Regular Contributor

Thank you all, we are able to fix the issue using the below JSON:

{
"USEDNFROMACCOUNT": "YES",
"MOVEDN": "YES",
"REMOVEGROUPS": "NO",
"ENABLEACCOUNTOU":"OU=CloudUsers,DC=abccompany,DC=com",
"healthscopeUID": "${user.username}",
"AFTERMOVEACTIONS" : {
"userAccountControl": "512"}
}