This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Ad group not assigned

Hello experts,

(Ver 7.1.2)

We have an active directory group that is not being assigned as we expected.

 

We have a Service item published in the IT shop that has an Active directory group associated. Whenever an employee requests it and the approval workflow is completed, the item is correctly assigned… But the AD group isn’t.

We have checked that the “Groups can be inherited” checkbox of the ad account is enabled.

 

Is there a configuration parameter or something that should be enabled in order to behave as we described?

 

Thanks in advance.

Parents Reply Children
  • After request and approval workflow succeeded, you should see the followings (sequence) for an AD group member change: 1) the entry added to ADSAccountInAGSGroup table, 2) the job "Create by QBMDBQueueProcess:handle object update for object type ADSGroup", 3) ADS_ADSGroup_Update. If all work with no error the requested membership will be changed in AD. In addition, ensure DPRMembershipAction table has no entries related ADSAccountInADSGroup that is for the group requested. HTH 

  • Hi xd

    I don´t see any events in the JobQueueInfo related to the ADSGroup membership. Not ADSAccountInADSGroup event or anything event related to the Active Directory is executed, just the resource is assigned to the user.
    The ADSAccountInADSGroup table has no entry with the account and the group needed.

    Finally, our DPRMembershipAction table is empty and we do not know if the other groups work, because we only request these three groups through the catalog. All our AD groups are Global and Security

    Thanks in advance

  • The issue seems that the approved request for AD group in ITShop does not fire the sequence processes to update group member.

    A new entry In ADSAccountInADSGroup table for the user who requested ad group will be added once the request is approved. Check if the user request still shows in PersonWantsOrg as Assigned, BTW do you publish ad groups to ITShop with OOTB process and script?

  • Just to check you mentioned "just the resource is assigned to the user". For an ad group assignment, you should only see the requested group associated to recipient's ad user account (none should be assigned to Person).