
AD group not assigned

Hello experts,

(Ver 7.1.2)

We have an Active Directory group that is not being assigned as we expected.

We have a Service item published in the IT Shop that has an Active Directory group associated. Whenever an employee requests it and the approval workflow is completed, the item is correctly assigned… But the AD group isn’t.

We have checked that the “Groups can be inherited” checkbox of the AD account is enabled.

Is there a configuration parameter or something that should be enabled in order to behave as we described?

Thanks in advance.

  • Is your AD user marked as outstanding (or as to be deleted) in OneIM?

    Is your AD group marked as outstanding (or as to be deleted) in OneIM?

    Does the group get assigned to other AD users?

    Does the AD user have different categories set than the AD group?

  • Marcus,

    Neither the AD user nor the group is marked as outstanding (or to be deleted), and the group isn’t being assigned to any user via request and assignment.

  • Hi,

    I think what Markus meant is, can the group be manually assigned to other users, or do other users have the group assignment without issue?

    Are other group requests working?

    Thanks

  • Hi Trevor,

    Thanks for the clarification.

    Manual assignments of the group are working OK. We have a couple of users already assigned to it. This is the only AD group that should be assigned via request, so I can't really answer the last question.

  • After the request and approval workflow has succeeded, you should see the following sequence for an AD group member change: 1) the entry added to the ADSAccountInADSGroup table, 2) the job "Create by QBMDBQueueProcess:handle object update for object type ADSGroup", 3) ADS_ADSGroup_Update. If all work with no error, the requested membership will be changed in AD. In addition, ensure the DPRMembershipAction table has no entries related to ADSAccountInADSGroup for the requested group. HTH

  • Hi xd

    I don't see any events in the JobQueueInfo related to the ADSGroup membership. No ADSAccountInADSGroup event or any event related to Active Directory is executed; just the resource is assigned to the user.
    The ADSAccountInADSGroup table has no entry with the account and the group needed.

    Finally, our DPRMembershipAction table is empty, and we do not know if the other groups work, because we only request these three groups through the catalog. All our AD groups are Global and Security.

    Thanks in advance

  • The issue seems to be that the approved request for the AD group in ITShop does not fire the sequence of processes to update the group membership.

    A new entry in the ADSAccountInADSGroup table for the user who requested the AD group will be added once the request is approved. Check if the user request still shows in PersonWantsOrg as Assigned. BTW, do you publish AD groups to ITShop with the OOTB process and script?

  • Just to check, you mentioned "just the resource is assigned to the user". For an AD group assignment, you should only see the requested group associated with the recipient's AD user account (none should be assigned to Person).