
Error while provisioning AD account.

TheSaviyntBoy
Regular Contributor

Hi,

I am trying to provision an AD account via Saviynt and getting the following error:

[screenshot of the error message]

My createaccountjson:

{
"co": "${user.country}",
"department": "${user.departmentname}",
"description": "Created through Saviynt",
"displayname": "${user.username}",
"employeeNumber": "${user.customproperty1}",
"employeeType": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"sAMAccountName": "${user.username}",
"sn": "${user.lastname}",
"st": "${user.state}",
"title": "${user.title}",
"userPrincipalName": "${user.username}@domain.org",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
]
}


AccountNameRule: 

CN=${user.username},OU=Saviynt_Dev_1,OU=Saviynt UAT,OU=XXX,DC=XXX,DC=XXX

Thank you. 


Raghu
Valued Contributor III

@TheSaviyntBoy can you check whether you have access to create accounts in AD or not? Check with them.


Thanks,
Raghu

rushikeshvartak
All-Star

Service Account in AD Connector does not have sufficient access to create account in AD.

LDAP error code 50 typically indicates that the requested operation is not permitted. In the context of Active Directory (AD), this error commonly occurs due to insufficient permissions or access rights. To resolve this issue, you need to ensure that the account used to perform the operation has appropriate permissions in the AD environment.

  1. Create User Objects: The service account must have the "Create User Objects" permission on the desired Organizational Unit (OU) or container where the user accounts will be created. This permission allows the service account to create new user objects within that OU.


Regards,
Rushikesh Vartak

dgandhi
All-Star

The service account that you are using doesn't have enough permission.

Can you try one thing?

Try to create same account directly in AD with same service account and see if the account is getting created successfully. 

Thanks,
Devang Gandhi

TheSaviyntBoy
Regular Contributor

It was the permission issue for that particular OU. Thank you @Raghu @rushikeshvartak @dgandhi 

But now I am getting a different error: 

2024-05-02T13:02:37+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-10-6qp52-ERROR-Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C0912F3, comment: Error in attribute conversion operation, data 0, v4f7c]

CreateAccountJSON: 

{
"accountExpires": "0",
"co": "${user.country}",
"company": "Static COmpany value",
"department": "${user.departmentname}",
"displayName": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"employeeNumber": "${user.customProperty1}",
"email": "${user.email}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mailnickname": "${user.username}",
"name": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"manager": "${ if (managerAccount == null || managerAccount?.comments == null || managerAccount?.comments == '' || managerAccount == '01'){''} else {managerAccount?.comments} }",
"objectClass": ["top", "person", "organizationalPerson", "user"],
"pwdLastSet": "0",
"physicalDeliveryOfficeName": "${user.location}",
"Office": "${user.location}",
"sAMAccountName": "${user.username}",
"sn": "${user.lastname}",
"st": "${user.state}",
"title": "${user.title}",
"password": "Saviy@nt12345",
"userPrincipalName": "${user.email}",
"userAccountControl": 512
}

I suspect one of the attributes here is breaking it?

Thank you.

Raghu
Valued Contributor III

@TheSaviyntBoy try changing it like below and check it:

"employeeNumber": "${user.customproperty1}",



Thanks,
Raghu

TheSaviyntBoy
Regular Contributor

Still getting the same error. Also updating the createaccountjson, missed a few attributes in the previous one. 

{
"accountExpires": "0",
"co": "${user.country}",
"company": "Static company name",
"department": "${user.departmentname}",
"description": "Created through Saviynt",
"displayName": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"employeeNumber": "${user.customproperty1}",
"employeeType": "${user.employeeType}",
"mail": "${user.email}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mailnickname": "${user.username}",
"name": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"manager": "${ if (managerAccount == null || managerAccount?.comments == null || managerAccount?.comments == '' || managerAccount == '01'){''} else {managerAccount?.comments} }",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
],
"pwdLastSet": "0",
"physicalDeliveryOfficeName": "${user.location}",
"Office": "${user.location}",
"sAMAccountName": "${user.username}",
"sn": "${user.lastname}",
"st": "${user.state}",
"title": "${user.title}",
"password": "Saviy@nt12345",
"userPrincipalName": "${user.email}",
"userAccountControl": 512
}

Remove manager attribute 


Regards,
Rushikesh Vartak

Validate with the sample from this thread :

Solved: Error in my createaccountjson for Active Directory - Saviynt Forums - 20690

Solved: Create Account Json - Manager - Saviynt Forums - 24866

Regards
Manish Kumar

TheSaviyntBoy
Regular Contributor

The "password" attribute was causing the issue, as well as the permissions issue. It's working now.

Thank you guys.
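As an added example (my own code, not from the thread or from Saviynt), here is a small Python pre-flight check for a createaccountjson that catches the two failure modes discussed above before the connector ever talks to AD: a key that is not a directory attribute (the "password" key behind LDAP error code 16) and keys outside a known attribute set, plus a parser for the connector's LDAP error line and a decoder for userAccountControl bits. The attribute set is a constructed, partial subset of the AD user schema; the sample JSON and log line are constructed from the thread.

```python
import json
import re

# Constructed, partial set of AD user attribute names (lowercased) covering
# what the createaccountjson in this thread sets; extend it from your schema.
KNOWN_AD_ATTRS = {
    "accountexpires", "co", "company", "department", "description",
    "displayname", "employeenumber", "employeetype", "givenname", "l",
    "mail", "mailnickname", "manager", "name", "objectclass", "pwdlastset",
    "physicaldeliveryofficename", "samaccountname", "sn", "st", "title",
    "unicodepwd", "useraccountcontrol", "userprincipalname",
}
# Keys that are not AD attributes at all. AD writes passwords through the
# unicodePwd attribute over an encrypted connection, so a literal "password"
# key is rejected by the directory (LDAP result 16, noSuchAttribute).
REJECTED_KEYS = {
    "password": "not an AD attribute; passwords are written via unicodePwd over LDAPS",
}
LDAP_RESULT_NAMES = {16: "noSuchAttribute", 50: "insufficientAccessRights"}
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

def lint_create_account_json(text):
    """Return (level, key, message) findings for a Saviynt createaccountjson."""
    findings = []
    for key in json.loads(text):
        lower = key.lower()  # LDAP attribute names are case-insensitive
        if lower in REJECTED_KEYS:
            findings.append(("error", key, REJECTED_KEYS[lower]))
        elif lower not in KNOWN_AD_ATTRS:
            findings.append(("warning", key, "not in the known attribute set; verify against the AD schema"))
    return findings

def uac_flags(value):
    """Name the userAccountControl bits set in value (512 -> NORMAL_ACCOUNT, i.e. enabled)."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def parse_ldap_error(line):
    """Extract the LDAP result code and AD's hex Win32 code from a connector log line."""
    m = re.search(r"LDAP: error code (\d+)(?: - ([0-9A-Fa-f]{8}))?", line)
    if not m:
        return None
    code = int(m.group(1))
    return {"ldap_code": code, "ldap_name": LDAP_RESULT_NAMES.get(code, "unknown"),
            "win32": int(m.group(2), 16) if m.group(2) else None}

# Constructed sample mirroring the thread's final JSON (values abbreviated).
SAMPLE_JSON = ('{"sAMAccountName": "jdoe", "mail": "jdoe@example.org", "Office": "HQ", '
               '"password": "placeholder", "userAccountControl": 512, "objectClass": ["top", "user"]}')
SAMPLE_LOG = ("ERROR-Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: "
              "DSID-0C0912F3, comment: Error in attribute conversion operation, data 0, v4f7c]")

if __name__ == "__main__":
    for finding in lint_create_account_json(SAMPLE_JSON):
        print(finding)
    print(uac_flags(512), parse_ldap_error(SAMPLE_LOG))
```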