How to Manage an OU Marked as Unmanaged (edsvaExcludedFromManagedScope) in Active Roles?

I'm working with One Identity Active Roles, and I've encountered an OU that is marked as unmanaged, likely due to the edsvaExcludedFromManagedScope attribute being set to TRUE.

Re-enable management for a specific OU by setting edsvaExcludedFromManagedScope = FALSE.

Manually through the GUI I can't make the change because it's grayed out.

  • What's the recommended method in ARS to locate and update this attribute? GUI or PowerShell?

  • If using PowerShell, can someone share the proper Quest cmdlet syntax to update this attribute on an OU?

I tried to update this using the following, which did not work:

Set-QADObject -Identity "CN=MyUser,OU=Users,DC=domain,DC=com" -ObjectAttributes @{edsvaExcludedFromManagedScope=$false}

Check:

Get-QADObject -Identity "CN=MyUser,OU=Users,DC=domain,DC=com" -IncludedProperties edsvaExcludedFromManagedScope |
Select-Object Name, edsvaExcludedFromManagedScope

  • With 'Advanced Details Pane' turned on, and selecting the Built-In 'Exclude From Managed Scope' policy, do you see this policy being applied to the OU in question? If so, that policy link can be removed and this will allow the OU and its content to be managed by Active Roles. If this VA has been manually set, then it might require support's involvement to see if some type of direct database change can be made.