Error in removing groups from Active Directory Account Template using User Console
search cancel

Error in removing groups from Active Directory Account Template using User Console


Article ID: 261711


Updated On:


CA Identity Suite CA Identity Manager


Error when trying to remove a group from ADS Account Template using the IM User Console with the "Modify Active Directory Account Template". No error if using Provisioning Manager.

Failed to execute UnassignActiveDirectoryGroupFromAccountTemplate. ERROR MESSAGE: [LDAP: error code 16 - :ETA_E_0007, Active Directory Account Template 'MY_TEMPLATE' modification failed: DB Modify failed: No such attribute (ldaps://IMPS_HOST:20391) ]; remaining name 'eTADSPolicyName=MY_TEMPLATE,eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=eta'


All Identity Manager


If using the Provisioning Manager to create an AD Template and set a group value and if the search for a group to set is done by selecting a specific domain to do the search then this will then add a group value to the template in the format such as CN=Administrators,CN=Builtin,DC=XXX,DC=YYY\;DC_HOST which cannot be removed after with the IM User Console.

Note that if you instead did a search with DOMAIN=ALL in the template then the added group value instead would be in the format of CN=Administrators,CN=Builtin,DC=? and that would be allowed to be removed by the IM User Console since that is the same format that adding groups via the IM User Console would use.


Engineering has completed their full review and have determined that due to product limitations between the IM and Provisioning layers this cannot be addressed and they will be documenting this in the product documentation. If you use the Provisioning Manager to update the values by using a specific domain search you will only be able to maintain the value via the Provisioning Manager.