RM Unify - Membership of a group name containing a slash may prevent user provisioning
Published Date : 17 Jun 2016
Last Updated : 23 Jul 2024
Content Ref: TEC5212534
Operating System
(none)
Part No
(none)
Summary
Explains why one or more users do not provision via AD Sync.
Symptoms
AD Sync fails to provision one or more users into RM Unify and you find the following error in the AD Sync log:
Error assigning User <username> (GUID) to Establishment Config - System.Runtime.InteropServices.COMException (0x80005000): Unknown error (0x80005000) at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) at System.DirectoryServices.DirectorySearcher.FindOne() at RM.Networks.IdentityManagement.ADHelper.GetStringMultiValueAttribute(DirectoryEntry de, String attributeName) at RM.Networks.IdentityManagement.ADHelper.IsGroupMember(String server, String groupDN, String memberDN, HashSet`1 searched) at RM.Networks.IdentityManagement.ADHelper.IsGroupMember(String server, String groupDN, String memberDN, HashSet`1 searched) at RM.Networks.IdentityManagement.DAL.Data.User.FindCorrectEstablishmentConfig(DBConnection conn, Dictionary`2 estMapping, Dictionary`2 estConfMapping, List`1 activeECs, Dictionary`2 servers).
Cause
This can occur when the affected user(s) have membership of a group with a slash (/ or \) in its name, e.g. Maintenance/Support Staff or if the group is within an OU containing a slash in its name, e.g. Users/Accounts.
Procedure
To work around this issue, remove the affected user(s) from the group, or rename the group or OU. Use the following Windows® PowerShell commands to find those AD groups and OUs with '\' or '/' in the name (the parentheses are needed because -and and -or have equal precedence in PowerShell and would otherwise be evaluated left to right):
# Security groups whose name contains a backslash or forward slash
Get-ADGroup -Filter { GroupCategory -eq "Security" -and (Name -like "*\*" -or Name -like "*/*") }
# OUs whose name contains a backslash or forward slash (OUs have no GroupCategory attribute)
Get-ADOrganizationalUnit -Filter { Name -like "*\*" -or Name -like "*/*" }
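The two commands above only list the offending groups and OUs; the following script, added here as an example and not RM's own code, goes one step further and reports which user accounts are affected, i.e. members (direct or via nested groups) of any security group whose LDAP path contains a slash, whether in the group's own name or in a containing OU. It assumes the ActiveDirectory module (RSAT) is installed and the account running it can read group membership.

```powershell
# Added example, not RM's own code: find security groups whose distinguished
# name contains '/' or '\' (in the group's own name or in any OU above it) and
# list the users who are members, directly or through nested groups, so you
# know which memberships to change or which objects to rename before AD Sync
# runs again.
Import-Module ActiveDirectory

# Match a slash or backslash anywhere in the string. Matching is done
# client-side with -match because escaping '\' inside an AD -Filter is
# error-prone. AD returns a backslash in a name as '\\' inside the DN.
$slashPattern = '[/\\]'

# Every security group whose distinguished name contains a slash
$badGroups = Get-ADGroup -Filter { GroupCategory -eq "Security" } |
    Where-Object { $_.DistinguishedName -match $slashPattern }

$affected = foreach ($group in $badGroups) {
    # Record whether the slash is in the group's own name or in a parent OU,
    # since the fix differs (rename the group vs. rename/move the OU)
    $slashIn = if ($group.Name -match $slashPattern) { 'group name' } else { 'parent OU' }

    # -Recursive follows nested groups, mirroring the recursive IsGroupMember
    # calls visible in the AD Sync stack trace
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{
                User    = $_.SamAccountName
                Group   = $group.Name
                GroupDN = $group.DistinguishedName
                SlashIn = $slashIn
            }
        }
}

# One row per affected user and offending group
$affected | Sort-Object User, Group | Format-Table User, Group, SlashIn -AutoSize
```

Pipe `$affected` to Export-Csv instead of Format-Table if you want a record to work through before removing memberships or renaming objects.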
Checks
After addressing the users and their AD groups or OUs, the accounts should automatically provision into RM Unify. If they do not, a resync may be required. Please refer to TEC5694616 in the Other Useful Articles section below.
Possible Issues
If the provisioning issue is not resolved by a resync, it may be that AD Sync has already written the LDAP path into the local database, containing the '/' or '\' characters. If this is the case, AD Sync will be unable to process (move, update, delete) the database rows and a reinstall of AD Sync to a clean database will be required. Please see TEC5015612 in the Other Useful Articles section below for more information.