
Password change fails propagating to an account with the error message - Password change is not permitted on deleted account


Article ID: 257599


Products

CA Identity Suite, CA Identity Manager

Issue/Introduction

Password change fails propagating to an account with the error message - Password change is not permitted on deleted account

Environment

All Identity Manager

Cause

On the Endpoint Settings tab for the endpoint there is a configuration option, "Accounts will enter Delete Pending state". When an endpoint is configured this way, the eTAccountDeletable attribute on the endpoint is set to 0, and accounts are not deleted but are instead set to DeletePending. If you want accounts to be deleted rather than marked DeletePending, make sure your endpoints are not configured this way.

The intent is that once an account is marked DeletePending it does not leave that state, and the account should later be deleted. To delete the account, first make sure that "Allow forced delete of accounts" is enabled on the Endpoint Settings tab for the endpoint, which sets the eTAccountForcedDeletable attribute on the endpoint to 1. You can then modify the account via ldapmodify, etautil, or an LDAP browser to set the eTForcedDelete attribute on the account to 1, which triggers the actual account deletion.

Forcing a DeletePending account out of that state is not designed behavior. When an account is set to DeletePending, the eTSuspendedDate, eTSuspendedTime, and eTSuspendedReason attributes on the account are set. While you could use ldapmodify, etautil, or an LDAP browser to clear these three attributes from the account, keep in mind that the account may still not be in the desired state: when it was set to DeletePending, all account templates were removed from the suspended accounts and any multi-valued capability attributes on the suspended accounts were cleared.

Resolution

Decide whether you want the DeletePending behavior. Review the Endpoint Settings tab of the endpoint to make sure the settings are the way you want them to be.

For existing accounts in the DeletePending state, you need to either Force Delete them as explained or clear the three attributes that denote the account as being in the DeletePending state.
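As an added illustration (not Broadcom's code), the script below reads an LDIF export of account entries, picks out those carrying all three attributes this article names as the DeletePending markers, and writes the LDIF change records that set eTForcedDelete to 1 for review before they are passed to ldapmodify. The function names and the sample DNs and values are constructed for the example, and it assumes "Allow forced delete of accounts" is already enabled on the endpoint.

```python
import base64
import re

# Attributes the article says are set when an account enters DeletePending.
PENDING_ATTRS = ("etsuspendeddate", "etsuspendedtime", "etsuspendedreason")
# Constructed sample export: DNs and values are placeholders, not real data.
SAMPLE_LDIF = """\
dn: cn=jdoe,ou=accounts,
 dc=example
eTSuspendedDate: placeholder-date
eTSuspendedTime: placeholder-time
eTSuspendedReason: placeholder-reason

dn: cn=asmith,ou=accounts,dc=example
cn: asmith
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] from LDIF content records."""
    lines = re.sub(r"\r?\n ", "", text).splitlines()  # undo RFC 2849 line folding
    entries, dn, attrs = [], None, {}
    for line in [l for l in lines if not l.startswith("#")] + [""]:
        if not line.strip():              # blank line ends the current entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:]).decode("utf-8")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def pending_accounts(text):
    """DNs of entries that carry all three DeletePending marker attributes."""
    return [dn for dn, a in parse_ldif(text) if all(k in a for k in PENDING_ATTRS)]

def dn_line(dn):
    """Emit the DN as plain LDIF when safe, base64 ("dn::") otherwise."""
    safe = dn.isascii() and not dn.startswith((" ", ":", "<")) and not dn.endswith(" ")
    return f"dn: {dn}" if safe else "dn:: " + base64.b64encode(dn.encode()).decode()

def force_delete_ldif(text):
    """LDIF modify records setting eTForcedDelete to 1 on each pending account."""
    tail = "changetype: modify\nreplace: eTForcedDelete\neTForcedDelete: 1\n-\n"
    return "\n".join(f"{dn_line(dn)}\n{tail}" for dn in pending_accounts(text))
```

Entries that carry only some of the three attributes are left out of the output, so they can be examined by hand rather than deleted.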

Additional Information

Here are some related doc links regarding Delete Pending:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/administrating/managed-endpoints-and-provisioning/managed-endpoint-accounts/advanced-account-operations/use-delete-pending.html

https://ftpdocs.broadcom.com/cadocs/0/CA%20Identity%20Manager%20r12%205%20SP12-ENU/Bookshelf_Files/HTML/idocs/237670.html

https://knowledge.broadcom.com/external/article?articleId=206637