AD group membership not applying in actual AD

Hi Kristine,

A few things to check;

-Do you see an entry in the table 'ADSAccountInADSGroup' for the assignment? This is the table that (normally) would trigger the provisioning process... So if there is no entry there that's the first thing to tackle.

-If there is an entry, is it 'InEffect'? Group inheritance can be disabled due to multiple things (Security risk, identity being disabled etc).

-Assuming it is in the table and is InEffect, do some other group provisioning work or is there no functioning group inheritance?

Yes, there is entry in the table ADSAccountinADSGroup for this group assignment and the Xineffect is enabled. 

I am seeing that the group has been assigned in OIM but it was not reflecting/ applying in actual AD.

Yes, there is entry in the table ADSAccountinADSGroup for this group assignment and the Xineffect is enabled. 

I am seeing that the group has been assigned in OIM but it was not reflecting/ applying in actual AD.

I assume, your synchronization project to AD is configured to provision changes to AD? You can check in Synchronization Editor.

Did you check your process history for AD group update processes for the group where the membership is missing?

Yes the AD sync is configured to make changes to actual AD. I also, check the history and does not find any error in the sync logs

What CU did you apply to your 9.0 LTS?

Hi markus, we are currently using CU 9.0.0.108

Hi markus, we are currently using CU 9.0.0.108

To identify the CU please check the following link https://support.oneidentity.com/kb/4257755/how-to-identify-the-version-of-one-identity-manager


In addition, did you check the point mentioned by Jos  "-Assuming it is in the table and is InEffect, do some other group provisioning work or is there no functioning group inheritance?"

And, did you check the flag XMarkedForDeletion at the entry in ADSAccountInADSGroup? Does it have any other value than zero?

Hi makus,

the QBM version is 9.0.0.108

Yes, 1 group provisioning work in our environment. The difference between the group that is working is that it is in the group-managed. Would you know how to add the group in (group-managed) instead od group-unmanaged?

I just checked the ADSAccountinADSGroup table and I don't see any value other then 0 in Xmarkfordeletion field.

I am sorry, but can you elaborate a little bit what a group-managed is for you?

Hi Markus, so when I browse through the synchronization project mappings there is group, group-managed and group-unmanaged the newly created AD group is in group-unmanaged.

OOTB there is only one mapping called group. Your other mappings are custom ones. You need to check the condition (where-clause) for the custom schema classes used in these mapping to identify what defines a group-managed and a group-unmanaged.