Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

How to remove AD account attribute value

Regular Contributor
Regular Contributor


I need to remove the manager field value (and potentially other AD account fields) when an AD account is disabled. I have the following in my DISABLEACCOUNTJSON - 

"deleteAllGroups": "Yes",
"userAccountControl": "514",
"moveUsertoOU": "OU=my terminations OU......",
"description": "Disabled by EIC",
"manager": "''"

But this returns the following error - 

Error while Delete operation for account-xxxxxxx in AD - [LDAP: error code 32 - 00000525: NameErr: DSID-031A120B, problem 2001 (NO_OBJECT), data 0, best match of: '' ] Error while De....

I have also tried setting SUPPORTEMPTYSTRINGS to TRUE and FALSE and see same error message. 


New Contributor III
New Contributor III

AD Will not accept manager value being null. Check with your AD team on the use case 

Regular Contributor
Regular Contributor


There is no policy on the AD side. AD does allow the manager field to be cleared out. 

Saviynt Employee
Saviynt Employee

@asp , You are not sending an empty value to AD. You are actually sending two single quotes. ED expects a valid DN for manager and therefore is complaining that it is not able to find the manager account. 

You can try sending empty value:  "manager": ""

or, a null value: "manager": null

Please try and let me know how it goes. 




Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.