Product

Symantec CA Identity Manager

Issue details

Administrators were not able to add or modify AD groups for the user

Possible Cause(s)

AD and Provisioning store sync is not working

Troubleshooting

View Submitted Tasks in Identity Manager showed failures when adding an AD group to the user.

  1. Listing the accounts for the user in the Provisioning Manager showed no associated AD accounts. (Note that there was no issue with the connector itself.)
  2. The global user attributes in the Provisioning Store were also checked via a PDI script: the attribute eTPolicyDn is null and eTADSAccountname is missing.

Solution/Fix

Step 1: Find out the users who are missing the association.

A Kettle/PDI Script was created that generates a file containing active users with no AD account.

The script takes all active employees and contractors from Active Directory as input (userAccountControl=512) and checks whether eTPolicyDN is empty on the corresponding Global User in the Provisioning Store. The output file contains the Global User Name of every active Global User that has no association with an AD account.

Step 2: Synchronizing Users with Roles

For manual processing:

  • On the server where Provisioning Manager is installed, open a command prompt and go to the Provisioning Manager bin folder.
  • Use the Global User Name (output from Step 1) as <uid> in the command below.
  • Run the command: etautil -u <admin> -p <password> update 'eTGlobalUserContainerName=GlobalUsers,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<uid>; eTSyncUsers='1'

You will see a message that the user was updated successfully.

For batch processing:

  • On the server where Provisioning Manager is installed, create a batch file or PowerShell script that loops through the command below for each user in the Global Users file (replace the Provisioning admin name, the Provisioning admin password and the field name, e.g. uid, that holds the Global User Name).

<Provisioning Manager installation path>/bin/etautil -u <admin> -p <password> update 'eTGlobalUserContainerName=GlobalUsers,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName=<uid>; eTSyncUsers='1'

  • Next, open a Command Prompt or Windows PowerShell, depending on which type of script was created, and execute the batch/PowerShell script.
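The following PowerShell script is an added example of the batch processing described in Steps 1 and 2; it is not part of the original article and not code shipped by Symantec/CA. It assumes the Step 1 export is a CSV with columns uid, userAccountControl and eTPolicyDN, that $EtautilPath points at etautil.exe in the Provisioning Manager bin folder, and that the Provisioning admin name and password are entered at run time (the path and file names are placeholders). The password is read as a SecureString and never written to the script file or the log; a -DryRun switch echoes the commands with the password masked so the user list can be reviewed before anything is changed.

```powershell
<#
  Added example (not from the original article or from Symantec/CA):
  re-sync Global Users that have no AD account association.
  Placeholders/assumptions: $EtautilPath, $InputCsv, $LogFile and the
  CSV column names (uid, userAccountControl, eTPolicyDN).
#>
param(
    [string]$EtautilPath = 'C:\PATH\TO\ProvisioningManager\bin\etautil.exe',  # placeholder
    [string]$InputCsv    = '.\global_users_no_ad.csv',                      # Step 1 output, placeholder
    [string]$LogFile     = '.\etsync_results.log',
    [switch]$DryRun                                                          # print commands instead of running etautil
)

# Step 1 logic: keep only active AD users (userAccountControl=512) whose
# Global User has an empty eTPolicyDN, mirroring the Kettle/PDI selection.
function Select-UnassociatedUsers {
    param([Parameter(Mandatory)][object[]]$Records)
    $Records | Where-Object {
        [int]$_.userAccountControl -eq 512 -and [string]::IsNullOrWhiteSpace($_.eTPolicyDN)
    } | Select-Object -ExpandProperty uid
}

# Step 2 command from the article, built as an argument list so the
# password is passed to the process only and never embedded in a file.
function Get-EtautilArgs {
    param([string]$Admin, [string]$Password, [string]$Uid)
    @('-u', $Admin, '-p', $Password, 'update',
      "'eTGlobalUserContainerName=GlobalUsers,eTNamespaceName=CommonObjects'",
      'eTGlobalUser', "eTGlobalUserName=$Uid;", "eTSyncUsers='1'")
}

$admin  = Read-Host 'Provisioning admin name'
$secure = Read-Host 'Provisioning admin password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
if ([string]::IsNullOrEmpty($plain)) { throw 'A Provisioning admin password is required.' }

$uids = @(Select-UnassociatedUsers (Import-Csv $InputCsv))
"$(Get-Date -Format s) starting sync for $($uids.Count) users" | Tee-Object -FilePath $LogFile -Append

foreach ($uid in $uids) {
    $argList = Get-EtautilArgs -Admin $admin -Password $plain -Uid $uid
    if ($DryRun) {
        # Mask the password before echoing the command line
        $shown = $argList -replace [regex]::Escape($plain), '********'
        "DRYRUN $EtautilPath $($shown -join ' ')" | Tee-Object -FilePath $LogFile -Append
        continue
    }
    # Run etautil once per Global User and record the exit code plus its output
    $out    = & $EtautilPath @argList 2>&1
    $status = if ($LASTEXITCODE -eq 0) { 'OK' } else { "FAILED(exit $LASTEXITCODE)" }
    "$(Get-Date -Format s) $uid $status $($out -join ' ')" | Tee-Object -FilePath $LogFile -Append
}
```

Run it first with -DryRun to confirm the list of Global Users matches the Step 1 output, then without the switch to perform the updates; the log file then gives a per-user record to compare against the Validation step below.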

Validation

  • List Accounts in the Provisioning Manager shows the association between the Global Users and their AD accounts.
  • Adding AD groups to the user succeeds.

Workaround

NA

Reference

NA

Author

Ketaki Mujumdar
