on 11-18-2011 4:22 PM
Hey guys,
I got an issue with controlling an AD from IdM. Problem is that my deprovisioning doesn't run, at all!
I created my repository with the standard values (starting point, starting point groups, naming attribute = cn (right?)) and I defined provisioning, deprovisioning and modify tasks using the tasks in the SAP PF ADS tasks.
So I can assign a privilege (AD group) to a user in IdM. This user gets created in AD and gets added to the correct group.
Problem is when I remove this privilege again it is not getting removed from AD. Neither is the user being disabled/removed.
To answer the obvious question: Yes all the jobs are activated and have a dispatcher assigned.
What I see in the log is: Modify User. And that's it; normally I would assume that the deprovision job gets triggered next.
Hope someone has an answer for me!
regards,
Jonathan
(have a nice weekend)
Couple of things here, Jonathan:
Check the Repository and make sure that the naming attribute is CN as well.
When you are deprovisioning are you doing a ModRDN or deleting the entry?
If it's a delete, specify Changetype Delete
If you're moving the user you'll need to set up a ModRDN as part of the process.
Or were you just doing something else like disabling the account via userAccountControl? Then you might need to specify a Changetype Modify.
If you're just removing the user from the group it should be specifying the DN of the group with a - member and the dn of the user.
Hope this helps!
Matt
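To make the change types Matt lists concrete, here is an added example (not code from the thread, from SAP IdM or from the provisioning framework) that renders each deprovisioning step as LDIF: removing the user from a group with a "delete: member" modification, disabling the account by setting the ACCOUNTDISABLE bit in userAccountControl, optionally moving the entry with a modrdn, and finally a "changetype: delete". All DNs, OU names and the userAccountControl starting value are constructed sample data; the function names are my own.

```python
import base64

# The ACCOUNTDISABLE bit of the AD userAccountControl attribute (0x0002).
ACCOUNTDISABLE = 0x0002


def _ldif_attr(name, value):
    """Render one 'name: value' line, base64-encoding ('::') when RFC 2849 requires it.

    A value is only safe in plain form if it is non-empty, printable ASCII,
    does not start with space, ':' or '<', and does not end with a space.
    """
    if isinstance(value, int):
        value = str(value)
    safe = (
        value != ""
        and value[0] not in " :<"
        and not value.endswith(" ")
        and all(32 <= ord(c) < 127 for c in value)
    )
    if safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def remove_group_member(group_dn, user_dn):
    """Modify the GROUP entry: delete one value from its 'member' attribute."""
    return "\n".join([
        _ldif_attr("dn", group_dn),
        "changetype: modify",
        "delete: member",
        _ldif_attr("member", user_dn),
        "-",
    ]) + "\n"


def disable_account(user_dn, current_uac):
    """Modify the user entry: set ACCOUNTDISABLE on top of the current flags.

    Returns (ldif_text, new_uac); the new value is idempotent if already disabled.
    """
    new_uac = current_uac | ACCOUNTDISABLE
    ldif = "\n".join([
        _ldif_attr("dn", user_dn),
        "changetype: modify",
        "replace: userAccountControl",
        _ldif_attr("userAccountControl", new_uac),
        "-",
    ]) + "\n"
    return ldif, new_uac


def move_entry(user_dn, new_parent_dn):
    """ModRDN/moddn: keep the RDN, change the parent. Returns (ldif_text, new_dn).

    The RDN split is a simplification: it does not handle escaped commas.
    """
    rdn = user_dn.split(",", 1)[0]
    ldif = "\n".join([
        _ldif_attr("dn", user_dn),
        "changetype: modrdn",
        _ldif_attr("newrdn", rdn),
        "deleteoldrdn: 1",
        _ldif_attr("newsuperior", new_parent_dn),
    ]) + "\n"
    return ldif, f"{rdn},{new_parent_dn}"


def delete_entry(dn):
    """Remove the entry entirely."""
    return "\n".join([_ldif_attr("dn", dn), "changetype: delete"]) + "\n"


def deprovision_ldif(user_dn, group_dns, current_uac, disabled_ou=None, delete=False):
    """Build the full deprovisioning sequence: group removals, disable, [move], [delete]."""
    records = [remove_group_member(g, user_dn) for g in group_dns]
    ldif, _ = disable_account(user_dn, current_uac)
    records.append(ldif)
    if disabled_ou:
        ldif, user_dn = move_entry(user_dn, disabled_ou)
        records.append(ldif)
    if delete:
        records.append(delete_entry(user_dn))
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample data, not from any real directory.
    user = "CN=Jane Test,OU=Users,DC=example,DC=local"
    groups = ["CN=App-Readers,OU=Groups,DC=example,DC=local",
              "CN=VPN-Users,OU=Groups,DC=example,DC=local"]
    print(deprovision_ldif(user, groups, current_uac=512,
                           disabled_ou="OU=Disabled,DC=example,DC=local", delete=True))
```

The output can be fed to `ldapmodify -f` against a test directory to see each step as its own LDIF record. Note that the group removal is a modification of the group object, not of the user, which is the point Matt makes about specifying the group's DN with a minus member.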
Hey Matt,
Thanks for the answer.
I am using the provisioning framework for this, so after determining that the entry type is MX_PERSON he should go over to removing all the group assignments, disabling the user and then deleting the user.
Nothing of what you proposed seems to work, however. The problem really is that deprovisioning isn't triggered. After the "ModifyUser" job has run, nothing happens, where normally he should automatically start the DeprovisionADS job.
KR,
Jonathan
Hi Jonathan,
Was the user you want to delete created by IDM within the Active Directory?
Or was the user read into the IDM by the initial load of Active Directory?
Assuming you are using IDM 7.1, please have a look at the status of attribute "MXREF_MX_PRIVILEGE". The status should be something like "1000" or "1100". In case of "21" the IDM thinks that the privilege isn't assigned correctly, so it doesn't start the deprovisioning after deleting the privileges within the user.
Kind regards,
Achim
Hey Achim,
The user (a test user of mine) did exist in the AD when I performed the initial load. But the user also existed in the IdM at the time of the initial load.
Having said that, I have already removed the user manually from IdM and AD. Then created him again in IdM and had IdM provision him to AD.
If I search for the MXREF_MX_PRIVILEGE entry, it does not exist for this user (MSKEY).
@Matt: I switched all the deprov jobs to Windows runtime but again I don't think it's getting that far. For some reason after the ModifyUser nothing happens.
Any other ideas guys? I really appreciate the help btw. And yes, running 7.1 SP6