
AD account is getting created in disabled state

Hello

Account is getting created in AD but is in disabled state, OIM account is fine. AdHocProjection is failing with the following error:

ErrorMessages = [2134002] Error executing an adhoc projection!
[1777018] Error executing workflow (Provisioning) of synchronization project (Active Directory Domain (DC=TEST,DC=COM)).
[1777124] Error executing projection step (user) of projection configuration (Provisioning (Provisioning)).
[1777219] Error executing projection step (user)!
[1777004] Method (Insert object (Insert)) could not be executed successfully.
[2226012] Error committing object new object of type user.(Error: Error committing object CN=John Doe,OU=users,DC=test,DC=com.(Error: New object created for second commit.
Property cn should be set.
Property objectClass should be set.
Property sAMAccountName should be set.
Internal error in COM access layer: number: 80071392, description: The object already exists.

The object already exists.

Error deleting object CN=John Doe (DEV),OU=users,DC=test,DC=com.(Error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)))
))
  • What happens is that the first insert runs into an exception, then a deletion of the account is attempted and this fails as well. Then the second insert attempt fails because the object is already there. This shouldn't happen in 7.1.1. What system are you running? If you are not running 7.1.1, please update the system.
  • We are using 7.0.2. There is no plan to move to 7.1.1 at this time. Is there a hotfix or something available?
  • To get around the problem, try to figure out with the help of NLog why the first insert fails.
    The hotfix for bug 26823 might help. Please contact support to get this.
  • It might be that, with the help of NLog, the reason why the first insert fails would be found. If the first insert did not fail, there would be no problem.
  • There are 2 reasons. The first is that there really is an existing object with the same sAMAccountName/cn or distinguishedName in AD. The second is that you don't have enough permissions for the accounts you use: the Identity Manager service account and also the AD synchronization account. I faced a similar error recently. You can test it easily: first, open the AD Users and Computers console as your IDM AD synchronization user. Then try to create a new user in the same OU. You will see that you can create the user, but it throws some errors and sets your user's status to disabled.
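
The two causes named in the last reply can also be checked from PowerShell. This is an added example, not part of the thread and not One Identity code; the account name and sAMAccountName are constructed placeholders, the OU and cn are taken from the error message, and the ACL check only sees ACEs that name the account directly (rights granted through group membership are not resolved).

```powershell
# Added diagnostic sketch: run as an administrator who can read the OU's ACL.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$SyncAccount = 'TEST\svc-idm-adsync'       # hypothetical AD synchronization account
$TargetOU    = 'OU=users,DC=test,DC=com'   # OU from the error message
$Cn          = 'John Doe'                  # cn from the error message
$Sam         = 'jdoe'                      # constructed sAMAccountName

# Cause 1: an object with the same sAMAccountName, cn or DN already exists.
$dn     = "CN=$Cn,$TargetOU"
$filter = "(|(sAMAccountName=$Sam)(cn=$Cn)(distinguishedName=$dn))"
$clash  = Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, whenCreated
if ($clash) {
    Write-Output 'Existing objects that collide with the new account:'
    $clash | Select-Object DistinguishedName, sAMAccountName, whenCreated
} else {
    Write-Output 'No existing object with this sAMAccountName, cn or DN.'
}

# Cause 2: the synchronization account lacks create/delete rights on the OU.
# bf967aba-... is the schemaIDGUID of the "user" class; an empty GUID means "all classes".
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$aces = (Get-Acl -Path "AD:\$TargetOU").Access | Where-Object {
    $_.IdentityReference.Value -eq $SyncAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $userClass)
}

# Combine the rights of all matching allow ACEs into one bit mask.
$granted = 0
foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.ActiveDirectoryRights }

foreach ($right in 'CreateChild', 'DeleteChild') {
    $bit = [int][System.DirectoryServices.ActiveDirectoryRights]$right
    $ok  = ($granted -band $bit) -eq $bit
    Write-Output ("{0,-12} on {1}: {2}" -f $right, $TargetOU, $(if ($ok) { 'granted' } else { 'MISSING' }))
}

# Deny ACEs override allows, so list any that name the account.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $SyncAccount -and $_.AccessControlType -eq 'Deny' } |
    Select-Object ActiveDirectoryRights, ObjectType, IsInherited
```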