Group Memberships not being added in Active Directory (v 7.0 SP1)

We are importing users from the HR system and creating a new Person record. Once created, we assign birthright group membership using business roles. Identity Manager shows the user has the groups, but when I check in Active Directory Users and Computers the user only has Domain Admin Users.

We have group memberships assigned based on the IT Data for Department, and those groups are being projected correctly in AD. It looks like the issue is only for group memberships for business roles.

This functionality was working perfectly and stopped working without major changes in our environment. The only change we recall before we noticed the issue was this: https://documents.software.dell.com/identity-manager/7.0.1/one-identity-manager-connector-user-guide/setting-up-synchronization-with-the-one-identity-manager-connector/configuring-memberships-provisioning. This was applied because Identity Manager was removing users from groups.

All the users have the Groups Can be Inherit flag set.

I also created a new business role for testing, and for that role it worked fine propagating group memberships to AD, but after a couple of days this new business role stopped working like the other business roles.

  • The error is saying that the Active Directory user does not exist. The job is trying to process the ObjectKeyMember for the DPRMembershipaction. In this case it points to an ADSAccount that doesn't exist anymore, or there are not enough rights.

    The statement processes only those entries from the DPRMembershipaction where ObjectKeyBase is an ADSGroup that still exists in the database. For the other object types the statement needs to be modified. The statement is there to help get the memberships published that were not published in 7.0.1 because of the bug.
    Cleaning up entries that are no longer valid is taken care of by the process DPR_MemberShipActions_RemoveOrphanedEntries. It removes all records from DPRMembershipAction that have no corresponding job in jobqueue and are older than 10 minutes. By default this process runs once a day, started by the daily maintenance tasks.