Symantec IGA

  • 1.  CA IDM 12.6.7 some AD Users does not create new global users

    Posted Jun 27, 2017 11:58 PM

    Hi experts,

     

    I faced an issue in our prod environment, where an AD User that was created from ADUC console is not being read with the explore/correlate function. Other users created later are found with the explore, but this one still does not appear as a global user.

     

    I tried creating users in my own lab environment, and finally the same happened here. I create users from the ADUC console, only with first name, last name, username/fqdn and password (all users are named "usuario uno", "usuario dos", etc. with usernames user1, user2, etc.). After each user was created, I ran explore/correlation from Provisioning Manager and the user appeared as a global user on the console. But some of the users I created did not appear as global users. Subsequent explore/correlation runs keep bringing me the new users, but this particular one is never shown.

     

    Has this happened to anyone? Or does somebody know some way to debug this issue?

     

    Thanks a lot!



  • 2.  Re: CA IDM 12.6.7 some AD Users does not create new global users

    Posted Jun 28, 2017 12:01 AM

    I've found that the user that does not appear as global is in the accounts container of the endpoint tree in the provisioning directory. How can I bring this user to be a global user? Reverse sync?



  • 3.  Re: CA IDM 12.6.7 some AD Users does not create new global users
    Best Answer

    Posted Jun 28, 2017 11:08 AM

    When doing the Correlate there is a choice between "Correlate With Existing" or "Create Users as Needed". If the first was selected and there was no matching global user, the account is correlated to the [default user]. If the second was selected, then a new global user would be created if there was no matching global user for the account to be correlated with. I think you would best be served by opening a support case and sharing the logs in the case so it can be reviewed further.



  • 4.  Re: CA IDM 12.6.7 some AD Users does not create new global users

    Posted Oct 26, 2017 07:41 AM

    docldap KennyV

     

    Hi,

    I have exactly the same problem on IDM 12.6.8. Did you manage to resolve this? Please share.

    Thanks,

    M Mahto



  • 5.  Re: CA IDM 12.6.7 some AD Users does not create new global users

    Posted Oct 26, 2017 08:16 AM

    Not sure what the cause/solution was for the original poster, but things for you to check would be:

    - that you are running "Create New As Needed" and not "Correlate With Existing"

    - that the account is not already correlated to a user

    - that the etanotify log on the Provisioning Server shows successful communications sent to the proper IM host and IME

    - that the IM VST shows the Provisioning Create User tasks and if they were Completed, Failed, or Audited

     

    * make sure the notify queue is not backed up and that there are no errors related to missing required attributes

     

    If further assistance is needed you may be best served by opening a support case.



  • 6.  Re: CA IDM 12.6.7 some AD Users does not create new global users

    Posted Oct 30, 2017 03:17 AM

    KennyV

    I managed to resolve this issue. Some user accounts were correlated to the default user. By listing the accounts of the default user, you can see which user accounts are linked to this user. I right-clicked on the user account and delinked it from the default user. Then I ran EnC for new global users to be created. This resolved the issue.



  • 7.  Re: CA IDM 12.6.7 some AD Users does not create new global users

    Posted Nov 13, 2017 09:56 AM

    Hi all. Sorry for the delay in answering; I found the solution today. Some notify objects were stuck on the notify server DSA. I followed this post: How to clear Provisioning Server notification queue (inbound synchronization)

     

    As I had a lot of notify objects queued, I erased the entire DB with

     

    dxemptydb <HOSTNAME-impd-notify>

     

    I ran another correlation and the users were created OK. Thanks all!