This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Deprovisioned but not deprovissioned

I am investigating why an account still exist in AD, the deprovision properties dont look right. The account do not have the big red  to show it was deprovisioned which should have eventually got removed, however when you right click, you get the undo-deprovisioning and nothing shows for deprovisioning result. See screenshot of (far left - regular deprovisioned account, middle - account with issue, right - regular active account). Why is the account with issue showing deprovision command as 2, but no deprovisiondeletiondate and no reportxml, and do not have the red X to show it was deprovisioned.

How do I insert picture?

  • How was the deprovisioning itself initiated - i.e. by a UI command or a script?  Sounds like the object is in a weird state.

    Perhaps try a Deprovision-QADUser PoSh command to fix it?

  • It should have been deprovisioned by an automated system we have setup from HR when the user got disabled last year. Since these is an audit, the auditors want to know the technical reason behind the state it is or process reason. On my end, I am curious to what cause the weird state, if an account is going through deprovision, what can cause it to not finish maybe. I believe I can fix it by changing deprovisioncommand to 1, then deprovision again but since its audit, I need to know root cause.

    Also, I cant attach a picture here (maybe it will help).

  • If you want to insert a picture in here, in the Reply editor, there is a "Insert" menu button. Click it and you'll see "Insert Image/Video file". Click it and insert the picture.

    Since you do have the Undo Deprovisioning option, it seems that perhaps one of two things happened:

    1) It was Deprovisioned but errored out part way through (which can explain the no red X and no Deprovisioning results).

    2) It was Deprovisioned and then you upgraded Active Roles and the Management History wasn't imported - or didn't make it over. Are there other users in this scenario?

    If you right-click the user and select Advanced Properties, do you see values for the following:

    edsvaDeprovisionCommands (should be a value of 2)

    edsvaDeprovisionReportXML (should contain a blob of information)

    edsvaDeprovisionStatus (should be 1)

    edsvaDeprovisionCommand (should be 1)

     

    You may also open a service request for further assistance.

  • All those values are there except ReportXML which is null.

    I try to search for all deprovision without xml and empty, I cant even use ARS to query deprovision attributes.

    Get-QADUser -ObjectAttributes @{edsvaDeprovisionCommands='2'} -IncludedProperties edsvaDeprovisionCommands | Format-Table name, edsvaDeprovisionCommands

    Get-QADUser -ObjectAttributes @{edsvaDeprovisionCommands='2', edsvaDeprovisionCommands='null'} -IncludedProperties edsvaDeprovisionCommands,edsvaDeprovisionCommands | Format-Table name, edsvaDeprovisionCommands,edsvaDeprovisionCommands

    When I try to attach picture, I only have option from web URL or Community. I cant upload from PC.