Issue:
When using Identity Manager for provisioning, the Global User must have a provisioning role that contains an account template connected to the desired endpoint. When these steps are performed, the endpoint account is created and associated with an account template. You can check this under Global User > List Accounts > Account Properties > Account Templates.
It should look like the below image:
If it looks like this second image, the account has no template and needs to be re-synchronized:
Identity Manager 14.x
If the endpoint account does not have an account template associated with it, no downstream updates will happen when a sync operation is triggered.
In some cases, an out-of-band move of an account by a system owner from one location to another causes the inclusion object to be removed from the account object in the provisioning directory, which causes this issue.
The symptom of this problem is that user endpoint accounts are not updated when changes are made to the global user. The etatrans log shows the following errors:
User Account 'USER_NAME' on 'ENDPOINT_NAME' synchronization check skipped
no associated account templates
In the Provisioning Manager GUI, it will state that the endpoint account is unchanged.
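To list every affected account in an etatrans log rather than spotting the messages by eye, the two messages above can be matched programmatically. The Python below is an added example, not vendor code: the log prefix in the sample lines is constructed, and it assumes the "no associated account templates" text appears on the same line as the skip message or within the next two lines.

```python
import re
from collections import defaultdict

# Message texts quoted in the article; any prefix before them on a line is ignored.
SKIPPED = re.compile(
    r"User Account '(?P<account>[^']+)' on '(?P<endpoint>[^']+)' "
    r"synchronization check skipped")
NO_TEMPLATE = "no associated account templates"

def accounts_without_template(lines, lookahead=2):
    """Return {endpoint: sorted account names} for accounts whose synchronization
    check was skipped because no account template is associated with them."""
    lines = list(lines)
    hits = defaultdict(set)
    for i, line in enumerate(lines):
        m = SKIPPED.search(line)
        if not m:
            continue
        # The reason may follow on the same line or on a continuation line (assumption).
        reason_found = NO_TEMPLATE in line[m.end():]
        for follow in lines[i + 1:i + 1 + lookahead]:
            # Stop at the next skip entry so its reason is not credited to this one.
            if reason_found or SKIPPED.search(follow):
                break
            reason_found = NO_TEMPLATE in follow
        if reason_found:
            hits[m["endpoint"]].add(m["account"])
    return {ep: sorted(accts) for ep, accts in hits.items()}

# Constructed sample; the timestamp/TID prefix and all names are made up.
SAMPLE_LOG = """\
20240101-101500:TID=0001: User Account 'jdoe' on 'AD-Corp' synchronization check skipped
20240101-101500:TID=0001:   no associated account templates
20240101-101501:TID=0002: User Account 'asmith' on 'AD-Corp' synchronization check skipped: no associated account templates
20240101-101502:TID=0003: User Account 'bkhan' on 'LDAP-HR' synchronization check skipped
20240101-101502:TID=0004: User Account 'clee' on 'LDAP-HR' synchronization check skipped
20240101-101502:TID=0004:   no associated account templates
20240101-101503:TID=0005: Global User 'jdoe' modified
"""

if __name__ == "__main__":
    for endpoint, accounts in accounts_without_template(SAMPLE_LOG.splitlines()).items():
        print(f"{endpoint}: {', '.join(accounts)}")
```

The per-endpoint list shows which accounts still need a template assigned, which the resolution below does through "Sync User with Roles".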
Resolution:
First, make the following two changes in Provisioning Manager under System > Domain Configuration:
<Please see attached file for image>
By selecting these two settings, you configure Identity Manager to automatically correlate accounts on creation if the account exists in the same container location as in the Account Template, or to use any existing account on the endpoint with the same account name regardless of the account template container.
Once these two settings are changed to yes, the "Sync User with Roles" operation must be performed in order to associate existing accounts with their appropriate templates.
Then select the "Add missing accounts and account template assignments" option and click yes.
When the operation is launched, the system will try to create a new account based on the Provisioning Role and account template.
Because the account already exists in the system but may be in a different container, the settings above cause Identity Manager to ignore the container part of the account template and assign the account template to the already existing account.
You can automate this by using a bulk task or a custom TEWS call:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdl="http://tews6/wsdl">
  <soapenv:Header/>
  <soapenv:Body>
    <wsdl:DoSynchUserRoles>
      <wsdl:DoSynchUserRolesSearch>
        <wsdl:Subject index="0">
          <wsdl:UID>samforest</wsdl:UID>
        </wsdl:Subject>
        <wsdl:Filter index="0">
          <wsdl:Field>%USER_ID%</wsdl:Field>
          <wsdl:Op>equals</wsdl:Op>
          <wsdl:Value>samforest</wsdl:Value>
        </wsdl:Filter>
      </wsdl:DoSynchUserRolesSearch>
      <wsdl:DoSynchUserRolesDoSynchUserRolesTab>
        <wsdl:addMissing>true</wsdl:addMissing>
      </wsdl:DoSynchUserRolesDoSynchUserRolesTab>
    </wsdl:DoSynchUserRoles>
  </soapenv:Body>
</soapenv:Envelope>
Sample command line using the ETAUTIL command:
etautil -u <admin user> -p ********* update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=<domain>' eTGlobalUser eTGlobalUserName='<Global User Name>' to eTSyncUsers=1