• AD group membership not applying in actual AD

    We have created a dynamic role assignment and assign a certain AD group to it.

    The AD group appears in OIM to be added to the user, however it was not reflecting/applying to actual AD.

    No frozen jobs found in job queue. We are using version 9.0 LTS.


  • Authoritative source for Active Directory samaccountname (marriage changing of surname)

    What is the good practise regarding the updating of user accounts in the scenario of where the person gets married?

    *disclaimer* I am currently pre-implmentation certified (all theory no practise), so I have done the courses and certifications but have…

  • Keep group membership after termination

    Hello experts,

    Can someone tell me if we can keep group membership of a group assigned by a business role after termination? We have the AD account deferred for 90 days after termination. 

    Thank you,


  • How limit acess to the web portal to another Active directory accounts with the same identity


    Version: OIM 8.2

    is possible to block or to limit acess from a specifc ADSAccount (used for suport cases) to the Web portal, the method used  Actually for login is Active Directory user Account (Manual Input/Role Based)

    the question is if have some…

  • Indian Best Actor,Singer and musicion

    Maulik Nayak portrayal of 'Bhaglo' is a character who communicates volumes through silence. In the film 'Hellaro,' 'Bhaglo' is a pivotal figure who conveys a deep range of emotions and experiences without uttering a word. Nayak's performance is a testament…

  • How to create ADSContainers and invalid characters when sending emails

    I would appreciate your help with:
    1. Is there a way to create a container based on Department for a specific domain and assign a user? I tried using Synchronization Editor but only what it removed existing containers
    2. When creating a user, a mail…

  • Active directory simulation does not work

    Hi to all!

    I've configured an Active Directory connector using the remote connection plugin, it seems to work correctly except for the simulation function. When I click the simulate button I get no any results, but when I run the sync project it performs…

  • How to perform a reconciliation of Active Directory


    Is there a report available that we can use to tell us differences between what One Identity believes is in Active directory (ADSAccount) and what is actually in Active directory?

    For example: We have identified quite a few ADSAccount records where…

  • Assign Full Control of Computer to Active Directory user Account to make a rejoin.


    I have a request from customer about the possibility to give Full Control Permissions over an Active Directory Computer through One Identity Manager 8.1.5, maybe through request on ITSHOP.

    The reason is about having the permissions to make a rejoin…

  • Error carrying out the user_protectedfromaccidentaldeletion_Get operation


    I've encountered the following error when running Active Directory Initial Synchronization.

    [System.Exception] Error carrying out the user_protectedfromaccidentaldeletion_Get operation on object CN=ASPNET,CN=Users,DC="blank",DC=lan (Error: [System…

  • Remove an Active Directory domain and all its related objects

    Hello group!!

    Recently, we have decommissioned an Active Directory domain and now what we want to do is remove it from IDM and all of its related objects.

    After doing some search in the One Identity documentation, I have found this stored procedure QB…

  • SAPHR Synchronization Editor LOG Error [810235] Could not delete object from Person because there are still objects assigned


    Currently we are using version 8.1.3.

    Once in a while the client team review the log of the synchronization  project "SAPHR" (CSV File import).

    The log contains a few error messages regarding Synchronization step "Person".


  • Adding to AD Group when Employee is disabled


    I have a little problem with active directory group assignment.

    I want the disable users group to be added to the active directory account when the user is disabled.

    I also want it to be removed from all other groups except this group.

    What should…

  • deferred deletion of ADS containers stalled


    I'm trying to provision a hierarchical structure of OUs to AD. One of the problems I have is that in OIM I've created, at the same hierarchical level, multiple OUs with the same name. This seems to be allowed in OIM, but not allowed in AD; and…

  • AD sync failing with parameter exception error.

    Hi Team,

    AD sync is continuously failing with error,

    ErrorMessages (2022-05-12 11:56:52.830) [2134003] Error executing synchronization.
    [1777018] Error executing synchronization project (Active Directory Domain (DC=***,DC=INT))'s workflow (Active Directory…

  • limit access to active users

    Hi Team,

    I have set-up birth right AD group at root location so all users who are on-boarded getting added to that group but while applying the setting AD group was added to all inactive users as well.

    How can we limit this to only active users?

  • Create an Active Directory connector and do the first sync project

    I need help to create a connector with active directory, make a synchronization project and create users, if possible I would like a documentation on how to do these procedures...

    Version: 8.1.4

  • The object of type (ADSAccount) was ignored during synchronization. - Active Directory

    I'm trying to create users inside the "Manager", but not synchronize I get the message in the report: "The object of type (ADSAccount) was ignored during synchronization." - "Reason: The object has pending process steps".…

  • Error syncing AD and releasing permissions on job server

    I'm trying to sync my active directory (windows server 2016) with One identity manager but the installation doesn't recognize my Job server.
    I tried to release the sync permission by the Designer but the application does not finalize the command…

  • MarkAsOutstanding object was published/reset but revert to being outstanding

    I published and reset the outstanding group object in Active directory however it is reverting to be outstanding. What should be the best way to fix the outstanding object? I need to to publish it as the user is in need of the group membership in AD but…

  • Which filter is more suitable?

    We received a hint from our colleagues, who administrate the Active Directory, that we can exclude user objects, which have the value 2048 in the attribute userAccountControl.

    We have done first tests with our own schema class - in our opinion this worked…

  • Active Directory schema loading crash when DC in DMZ


    1IM 8.1 SP2.

    We try create synchronization project for Active Directory. DC Active Directory is place in DMZ.

    We have opened on DC only ldap(s) – 389 (ldap), 636 (ldaps), 88 (Kerberos), 53 (DNS) ports. In process loading schema we have crush report…

  • Error while provisioning or update of AD Account

    Hi Community,

    While I am trying to update the AD account attribute in ADSAccount table, the OOTB process "ADS_ADSAccount_Update/(De-)activate" triggers and it is erroring out in the provisioning step with the following error.

    Error executing synchronization…

  • Error while Provisioning AD Account

    Hi Community,

    I have been trying to provision an AD account, and created an provisioning workflow for that in the synchronization editor. But, whenever I try to update any parameter in the ADAccount table the following OOTB process "ADS_ADSAccount_Update…

  • Assign entitlements assigned to department to employees with exception

    I have AD groups assigned to Department with inheritance - how to assign this groups only to employees in this department which meet the condition?