Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Error while provsioning AD account.

Go to solution
TheSaviyntBoy
Regular Contributor
Regular Contributor

‎04/29/2024 11:11 AM

Hi,

I am trying to provision an AD account via Saviynt and getting the following error:

TheSaviyntBoy_0-1714414142256.png

My createaccountjson: 

{
"co": "${user.country}",
"department": "${user.departmentname}",
"description": "Created through Saviynt",
"displayname": "${user.username}",
"employeeNumber": "${user.customproperty1}",
"employeeType": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"sAMAccountName": "${user.username}",
"sn": "${user.lastname}",
"st": "${user.state}",
"title": "${user.title}",
"userPrincipalName": "${user.username}@domain.org",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
]
}

 

AccountNameRule: 

CN=${user.username},OU=Saviynt_Dev_1,OU=Saviynt UAT,OU=XXX,DC=XXX,DC=XXX

Thank you. 

Labels:
0 Kudos
9 REPLIES 9

Go to solution
Raghu
All-Star
All-Star

‎04/29/2024 11:23 AM

@TheSaviyntBoy  can you check you have access to create account in AD or not , check with them


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

Go to solution
rushikeshvartak
All-Star
All-Star

‎04/29/2024 11:44 AM

Service Account in AD Connector does not have sufficient access to create account in AD.

LDAP error code 50 typically indicates that the requested operation is not permitted. In the context of Active Directory (AD), this error commonly occurs due to insufficient permissions or access rights. To resolve this issue, you need to ensure that the account used to perform the operation has appropriate permissions in the AD environment.

  1. Create User Objects: The service account must have the "Create User Objects" permission on the desired Organizational Unit (OU) or container where the user accounts will be created. This permission allows the service account to create new user objects within that OU.


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Go to solution
dgandhi
All-Star
All-Star

‎04/29/2024 12:00 PM

The service account that you are using doesnt have enough permission.

Can you try one thing?

Try to create same account directly in AD with same service account and see if the account is getting created successfully. 

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

Go to solution
TheSaviyntBoy
Regular Contributor
Regular Contributor

‎05/02/2024 12:47 AM

It was the permission issue for that particular OU. Thank you @Raghu @rushikeshvartak @dgandhi 

But now I am getting a different error: 

2024-05-02T13:02:37+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-10-6qp52-ERROR-Error while creating account in AD - [LDAP: error code 16 - 00000057: LdapErr: DSID-0C0912F3, comment: Error in attribute conversion operation, data 0, v4f7c]

CreateAccountJSON: 

{
"accountExpires": "0",
"co": "${user.country}",
"company": "Static COmpany value",
"department": "${user.departmentname}",
"displayName": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"employeeNumber": "${user.customProperty1}",
"email": "${user.email}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mailnickname": "${user.username}",
"name": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"manager": "${ if (managerAccount == null || managerAccount?.comments == null || managerAccount?.comments == '' || managerAccount == '01'){''} else {managerAccount?.comments} }",
"objectClass": ["top", "person", "organizationalPerson", "user"],
"pwdLastSet": "0",
"physicalDeliveryOfficeName": "${user.location}",
"Office": "${user.location}",
"sAMAccountName": "${user.username}",
"sn": "${user.lastname}",
"st": "${user.state}",
"title": "${user.title}",
"password": "Saviy@nt12345",
"userPrincipalName": "${user.email}",
"userAccountControl": 512
}

I suspect one of the attribute here is breaking?

Thank you.

0 Kudos

Go to solution
Raghu
All-Star
All-Star
In response to TheSaviyntBoy

‎05/02/2024 12:52 AM

@TheSaviyntBoy  try chnage  like below and chekc it 

"employeeNumber": "${user.customproperty1}",

 


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.
0 Kudos

Go to solution
TheSaviyntBoy
Regular Contributor
Regular Contributor
In response to Raghu

‎05/02/2024 12:59 AM

Still getting the same error. Also updating the createaccountjson, missed a few attributes in the previous one. 

{
"accountExpires": "0",
"co": "${user.country}",
"company": "Static company name",
"department": "${user.departmentname}",
"description": "Created through Saviynt",
"displayName": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"employeeNumber": "${user.customproperty1}",
"employeeType": "${user.employeeType}",
"mail": "${user.email}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mailnickname": "${user.username}",
"name": "${user.preferedfirstname!=null ? user.preferedfirstname : user.firstname} ${user.lastname}",
"manager": "${ if (managerAccount == null || managerAccount?.comments == null || managerAccount?.comments == '' || managerAccount == '01'){''} else {managerAccount?.comments} }",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
],
"pwdLastSet": "0",
"physicalDeliveryOfficeName": "${user.location}",
"Office": "${user.location}",
"sAMAccountName": "${user.username}",
"sn": "${user.lastname}",
"st": "${user.state}",
"title": "${user.title}",
"password": "Saviy@nt12345",
"userPrincipalName": "${user.email}",
"userAccountControl": 512
}

0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to TheSaviyntBoy

‎05/02/2024 10:01 PM

Remove manager attribute 


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.
0 Kudos

Go to solution
Manu269
All-Star
All-Star
In response to TheSaviyntBoy

‎05/02/2024 11:26 PM

Validate with the sample from this thread :

Solved: Error in my createaccountjson for Active Directory - Saviynt Forums - 20690

Solved: Create Account Json - Manager - Saviynt Forums - 24866

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos
.
0 Kudos

Go to solution
TheSaviyntBoy
Regular Contributor
Regular Contributor

‎05/07/2024 12:10 AM

The "password" attribute was causing the issue, as well as the permissions issue too. Its working now.

Thank you guys.

0 Kudos
Copyright © 2024 Khoros, LLC