
Identity Manager 7.1.5 - Release Notes

One Identity Manager 7.1.5

Release Notes

March 2019

These release notes provide information about the One Identity Manager release, version 7.1.5. You will find all the modifications since One Identity Manager version 7.1.4 listed here.

One Identity Manager 7.1.5 is a patch release with enhanced features and functionality. See Enhancements.

If you update a One Identity Manager version that is older than One Identity Manager 7.1.4, read the release notes from the previous versions as well. You will find the release notes and the release notes about additional modules based on One Identity Manager technology under One Identity Manager Support.

You will find a summary of the changes made in Web Designer since the last release in Changes in Web Designer.

One Identity Manager documentation is available in both English and German. The following documents are only available in English:

  • One Identity Manager Password Capture Agent Administration Guide

  • One Identity Manager LDAP Connector for CA Top Secret Reference Guide

  • One Identity Manager LDAP Connector for IBM RACF Reference Guide

  • One Identity Manager LDAP Connector for IBM AS/400 Reference Guide

  • One Identity Manager LDAP Connector for CA ACF2 Reference Guide

  • One Identity Manager REST API Reference Guide

  • One Identity Manager Web Runtime Documentation

  • One Identity Manager Object Layer Documentation


About One Identity Manager 7.1.5

One Identity Manager simplifies the process of managing user identities, access permissions and security policies. It gives the company control over identity management and access decisions, while the IT team can focus on its core competence.

With this product, you can:

  • Implement group management using self-service and attestation for Active Directory with the One Identity Manager Active Directory Edition
  • Meet Access Governance requirements across platforms throughout your entire enterprise with One Identity Manager

Each one of these scenario specific products is based on an automation-optimized architecture that addresses major identity and access management challenges at a fraction of the complexity, time, or expense of "traditional" solutions.


The following is a list of enhancements implemented in One Identity Manager 7.1.5.

Table 1: General known issues


Issue ID

The connection server already provided for transferring data to a One Identity Manager History Database is now used. To use this function, enable the configuration parameter HDB | UseNamedLinkedServer in the One Identity Manager History Database and enter the connection server in the One Identity Manager History Database as server for the source database.


Improved logging of error messages when transferring data to the One Identity Manager History Database.


Improved performance when updating the One Identity Manager database.


Improved logging in the application server.


Improved performance in DBQueue Processor.

30763, 30626, 31293

The script VID_FindAndReplaceByLine has been deleted.


Improved execution of templates through One Identity Manager Service.


Improvements in the Job Queue Info.

  • If the DBQueue contains more than 250000 calculation tasks, the operation There are more tasks to be processed is displayed in the DBQueue. This shows the number of queued tasks that cannot currently be shown in the DBQueue overview.


Process handling is interrupted during processing of DBQueue Processor triggers and constraints.


Improved logging of terminated DBQueue slots.


Improved protection of the application server's API.

31299, 31300

Improved protection against damaging SQL statements.

31299, 31301

Table 2: General web applications


Issue ID

Improved performance in the Web Portal for:

  • Displaying the request history

  • Editing questions about attestation cases

  • Approving requests

  • Determining an employee's entitlements

30470, 30471, 30673, 30863, 31192

Table 3: Target system connection


Issue ID

Optimized calculation of inheritance for group memberships.

30076

Improved performance for individual provisioning of memberships and for synchronization.

30667, 30864, 30922

Improved performance synchronizing Microsoft Exchange recipient lists.


Improved performance calculating Azure Active Directory group memberships.


Property mapping rules that are no longer required are removed from the OwaMailboxPolicy map.

A patch with the patch ID VPR#30498 is available for synchronization projects.


Improved performance synchronizing Exchange Online recipient lists.

30959, 31162

In the Exchange Online connector, the list of error messages that are taken to mean the connection has failed has been extended by:

An error caused a change in the current set of domain controllers.

Your request is too frequent. Please wait for few minutes and retry.

Topology Provider could not find the Microsoft Exchange Active Directory Topology service on end point.


Spaces in distinguished names of LDAP objects are tolerated.


Improved performance

  • Calculating SAP functions

  • Calculating SAP group, role and profile hierarchies.

  • Synchronizing role assignments with the central system of a CUA (UserInCUARole)

    A patch with the patch ID VPR#30941 is available for synchronization projects.

30299, 30743, 30675, 30941

Table 4: Identity and Access Governance


Issue ID

If the option Temporarily disabled is not set for an employee and the date for Temporarily disabled from is in the future, the dates for Temporarily disabled from and Temporarily disabled until are not deleted.


Improved performance approving requests.



The following is a list of solved problems in this version.

Table 5: General

Resolved issue

Issue ID

Error testing email addresses for uniqueness, if an email address was recalculated with a template but the old and the new values are identical.


The function QBM_FSQRemoveComment does not recognize Linux carriage return.


Ctrl+C does not copy the selected value in the Process step view in Job Queue Info.


The script for selecting the server in a process step (Job.ServerDetectScript) is not implicitly extended by a Try-Catch-Block.


If an object column and another column in the table QBMColumnTranslation are interrelated, the program exits because it cannot load these objects.


Compilation fails if the process or process step contains quotation marks (") in names.


Error filling raw tables if the One Identity Manager database and the History Database are installed in the same cluster.

30455

Under certain conditions, the database ends up in a trigger-free state if transport fails.

30459, 30447

Performance problems determining permissions.


Wrong short name for the state of Newfoundland and Labrador.


After extending the schema of custom read-only tables, new columns with the option Customer can configure are set to the value 0.


Error in the method SqlFormatter.NotInClause.


Problems initializing the Job queue if a large number of queues are affected.


The physical dependency between DBQueue Processor tasks does not consider tasks without parameters.


Terminated slots are identified correctly if the SQL Server reuses the SPID.


The procedures for shrinking the entries in the tables DialogWatchOperation, JobHistory and DialogProcessChain do not shrink in blocks.


Timestamps on changes made in the database in Designer are shown in UTC.


Triggers are not generated for DBQueue Processor tasks that record changes to configuration data.


Migration does not remove non-linear dependencies correctly.


In reports, IN clause queries on UID and XObjectKey columns are listed with Unicode strings.


The limit for IN clause in report queries is not kept to correctly.


Error retrying process steps with the status MISSING.

30752

The procedure QBM_PCustomSQLFill fails with the message Violation of PRIMARY KEY constraint.

There is a new consistency check Index name longer than 30 characters.


The customizer method GetNextID fails when executed in Designer.


Relaying processes is being blocked because the procedure QBM_PJobUpdateState is being called too frequently.


If a Job destination ID contains a special character, the links on the One Identity Manager Service status page do not work.


Job Queue Info ends unexpectedly, if there is a filter on the system journal and it returns a lot of entries.


The procedure ProcessShrink leaves behind entries with BasisObjectType=<unknown Object> in the DialogProcess table.


The state of Florida has the wrong timezone.


Starting and ending the Database Compiler in Designer leaves a Wait for compiler entry in the DBQueue.

30094

The Manager's configuration data is always used when logging into a dynamic authentication module.


An error can occur during execution of DBQueue tasks in connection with the task QBM_PDBQueueReplGenProcID.


Line breaks in the header of CSV files are not written back correctly. A CR is converted to a CR/LF.


In certain circumstances, the procedure QBM_PIndexDropRedundant deletes required default indices.


The One Identity Manager Service returns the process steps but the slots remain blocked.


The procedure QBM_PDBQueueOverviewFill updated the table DBQueueOverview too frequently.

30800, 31217, 31296

Error in the German translation of entries in the DBQueueTasks table.


Incorrect values in DialogCountry.NumericCode.


Table 6: General web applications

Resolved issue

Issue ID

If a valid until date is specified for a request approval, the current time is used. The request is therefore not valid until the end of the given day.


An employee can request membership in a specific business role.


Incorrect where clauses are generated while index searching in many-to-many tables.


Wrong display names for DialogSchedule.LastRun and DialogSchedule.NextRun in the Schedule Editor.


Unsubscribed assignment requests are shown in the request history, although the option Canceled or denied or dismissed is not set.


A request for a default service item New Active Directory security group cannot be approved.


If an attestation request has been answered and saved, the dialog window remains open.


Mandatory fields for attestation cases are not checked when queried.


Although the option Display file content in browser whenever possible is set to False for downloading a file, the file content is still shown in the browser.


Mapped functions in Web Designer are ignored if a parameter is defined.


If a pending request is exported and an approval decision about this pending request is made, an error occurs.


The Windows performance monitor does not show a value in the Web Portal performance indicator.


In Chrome, you cannot browse through Hyper View pages in the Web Portal.

Single shapes of a Hyper View can only be moved by clicking the header.


If you edit a report subscription, the changes are not shown immediately in the report's detailed view.


Some time data is only shown in English in the Web Portal.


The filter settings for date columns are only available in English in the Web Portal.


When a report is exported, the default template and not the custom template is used.


In the Web Portal's configuration file (web.config), the URL /AE.axd is still declared.

The handler AE.axd for session information has been removed from the Web Portal's configuration file (web.config). Therefore, the handler is not included when Web Portal is installed. Any existing Web Portal installations are not affected by this change.

NOTE: If you still require the handler and want to include it again, enter the following lines in the Web Portal's configuration file (web.config):

In the section system.web\httpHandlers:

<add verb="GET" path="AE.axd" type="VI.WebRuntime.Communication.ControllerRequestHandler, VI.WebRuntime" />

In the section system.webServer\httpHandlers:

<add name="AE.axd_GET" path="AE.axd" verb="GET" type="VI.WebRuntime.Communication.ControllerRequestHandler, VI.WebRuntime" />

31299, 31302

Table 7: Target system connection

Resolved issue

Issue ID

Calculation of properties required for creating QueryByExamples objects does not recognize properties that are only loaded for matching by virtual ReadOnly properties.


In Manager, changes to the value of IT operating data cannot be saved.

30295, 30746

Files in the synchronization user's temporary directory are not deleted.


Error reading data from columns with data type varbinary if these are used as a primary key or part of one.


Error loading synchronization projects.


Provisioning tasks for group memberships are grouped under the wrong GenprocID.


A maximum of 1024 modified memberships per group can be provisioned.


Too many columns are loaded for resolving a reference.


Running a clean up of the DPRMembershipAction table deletes entries that are still required.


Synchronization deletes One Identity Manager database objects that are not unique in the target system.


Processing of target system specific tasks in the DBQueue is blocked if this target system is being synchronized at the same time.


Objects that are added and provisioned in the One Identity Manager database while synchronization is running are duplicated in the database.


Updating the schema or transporting a synchronization project removes the quota definition.


The variable set loads too late when synchronization starts.


The Active Directory connector returns empty elements for empty multi-value property columns.


Incorrect handling of trusted domains in Active Directory synchronization projects. The project template has been corrected.

A patch with the patch ID VPR#30192 is available for synchronization projects.


Active Directory group memberships are not provisioned if the object SID for the user account is missing.


Error processing unresolvable keys during Active Directory synchronization.

30552

Deleted values in the columns HomeDirectory and ProfilePath in Active Directory user accounts cannot be provisioned.


Error calculating Active Directory group memberships if the user account's primary group has been changed.


Error synchronizing the Active Directory user account schema properties ObjectKeyManager and Secretary. Synchronization quits although the option Continue on error is set.


Timeout during synchronization of Azure Active Directory group memberships.


If a Microsoft Exchange address list is marked as outstanding, the associated address book entries are not marked as outstanding.


Error deleting outstanding Microsoft Exchange address book entries.


If a Microsoft Exchange mailbox database is marked as outstanding, its server assignments are not marked as outstanding.


Error provisioning deleted Microsoft Exchange mailboxes if deferred deletion is configured.


Loading Microsoft Exchange data availability groups fails if all the servers involved are shut down.


Error provisioning Exchange Online mailboxes.

A patch with the patch ID VPR#31269 is available for synchronization projects.


The canonical names of LDAP objects are not formed automatically if the synchronization type is changed from No synchronization to One Identity Manager.


Error setting up synchronization with IBM Notes if the connection to the Domino server is tested.


Synchronization quits if the FullName of a Notes document cannot be loaded.


The person document of a new Notes user account does not appear in the address book's default view.


Error renaming a Notes user account if an organization unit is assigned to it.


Flag Behavior inconsistent when handling SAPComPhone.PhoneType.


The Synchronization Editor provides incorrect data for managers of organizational units from SAP HCM systems.


Error loading SAP user accounts if the user account identifier contains quotes.


When adding SAP user account with parameters, email addresses, telephone and fax numbers, distinguished names (such as SAPComPhone.DistinguishedName) are not formatted.


Too many post-processing tasks are sent to the DBQueue if changes are made to SAP user accounts.


The Insert event is not triggered for tasks in the HelperSAPUserInSAPRole table.


SAP role assignments to SAP user accounts are provisioned, although the associated categories do not match.


If several changes are made to an employee's central password in quick succession, by the Password Capture Agent for example, only the first change is made to the SAP user accounts.


Company assignment of SAP user accounts is not provisioned in the target system.

A patch with the patch ID VPR#30453 is available for synchronization projects.


Error synchronizing company data (table Company).


Error loading single objects for schema types that are provided by a schema extension file.

30653, 30701

Executable SAP transactions are not calculated correctly for SAP user accounts.


Error calculating role assignments (table SAPUserInSAPRole).

30797, 31149

Wrong templates for columns SAPComPhone.PhoneNumber and SAPComFax.FaxNumber.


Error loading SAP user account if the name begins with a space character.


During the calculation of SAP role assignments, those with ValidFrom="1900-01-01" and ValidTo<>"9999-12-31" are ignored.


Error converting Json data with the data type Integer or Float.


Error deleting group memberships with the SCIM connector.


Cloud application group memberships are incorrectly resolved if the schema property members~type does not contain a value.


The connectors Microsoft Exchange, Exchange Online and Windows PowerShell only use one revision counter even if several schema properties per schema type are flagged as revision counters.

In synchronization projects that use the Windows PowerShell Connector, the target system schema must be reloaded to use more revision counters.

In synchronization projects for Microsoft Exchange and Exchange Online, a patch with the patch ID VPR#31026 is provided.


An Out-Of-Memory exception occurs while determining managers for email users and email contacts in large Exchange Online systems.


The native database connector does not delete group memberships in the target system if provisioning is carried out by an application server.


During synchronization of the native database connector, objects are marked as changed although they have not been changed.


In the process of adding a new Windows PowerShell connection, the consistency check does not notice if a schema class does not have a unique key.


If changes are made to group properties, too many post-processing tasks are queued in the DBQueue.


Post-processing tasks for outstanding objects that have been deferred, are not executed.


Table 8: Identity and Access Governance

Resolved issue

Issue ID

Attestations are discontinued with the reason "No approver available" even though an approver is available.


If an approval workflow is waiting for external approval and the approval step EX is reached for a different attestation object, the external approval process is restarted for all pending objects.


Under certain circumstances, the Customizer method CreateAttestations blocks DBQueue processing.

31016, 31370

Error deleting attestation cases.


Disabling attestation policies does not delete the associated attestation cases.


In email notifications to attestors, the pictures defined in custom mail templates are not shown.


Service items cannot be added as products in the IT Shop if their identifier is longer than 128 characters.


In the approval sequence, the time is shown as UTC time.


Membership in a role cannot be delegated if the recipient of the delegation is already a member of this role.

30549, 30795

If a company resource is assigned by a limited period request and an unlimited period request at the same time and the limited period request expires, the company resource is removed although a valid, unlimited request still exists.

30697

The column templates ShoppingCartItem.ObjectKeyAssignment, DisplayObjectKeyAssignment and PersonWantsOrg.DisplayObjectKeyAssignment cannot be overwritten.


Manager freezes when an approval workflow is copied.


Initial login data is sent to the wrong employee when user accounts are requested in the IT Shop.


Closed requests are not deleted, although the retention period must have expired.


Incorrect testing of whether a company resource has already been assigned if the option Only for use in IT Shop is set.


If an exception has been granted for a product with a rule violation in the approval process, the rule violation remains after the product has been canceled and the assignment removed.


Ad-hoc rule checking does not create processing tasks for recalculating rule violations and for calculating the affected employee group. This means the affected employees may not be calculated correctly.


If a disabled compliance rule is deleted, the associated rule violation is not deleted.


Calculating rule violations also calculates disabled rules.


Error calculating compliance after updating the One Identity Manager database if only modules that are not dependent on the Compliance Rules Module are selected.


The process CPL_PersonInNonCompliance_Assign_MitigatingControls is assigned to the wrong server function.


Error assigning an object from a custom table to a system role.


As from version 7.1.2, company resource assignments of child system roles are not mapped in the table EsetHasEntitlement. However, by updating the One Identity Manager database to version 7.1.2 or later, assignments to child system roles are not removed from the table EsetHasEntitlement.


Missing risk indexes for system roles.


In Manager, the Change security question task can also be displayed even though the logged in user does not have the required permissions.


In the Show Entitlements Origin report, SAP roles and BI analysis authorizations that are inherited through system roles are missing.


Known issues

The following is a list of issues known to exist at the time of release of One Identity Manager.

Table 9: General known issues
Known Issue Issue ID

If you connect to a database with the Database Compiler, the task QBM-K-CommonWaitForCompiler is immediately queued in the DBQueue. If the Database Compiler ends without compiling the database, the task remains in the DBQueue.

23049, 24713

Error in the Report Editor if columns are used that are defined in the Report Editor as keywords.

Workaround: Create the data query as an SQL query and use aliases for the affected columns.


Error message in the Web Designer query window: Access to the path ... is denied.

This error occurs if the user the web application process runs under, does not have write permissions for the given folder.


Errors may occur if the Web Installer is started in several instances at the same time.


Header text in reports saved as CSV are not given their correct names.


Read Only type tables with Common Table Expressions (CTE) in the ViewAddOn are not added in the schema.

In One Identity Manager 7.0, behavior has been modified if you use common table expressions with the keyword with as a condition for view definitions in read-only tables. The conditions for view definitions are embedded in a summary query. This means, you cannot be sure that a common table expression is the very first expression in a query.

Possible error message:

    (execute slot single)
    50000 0 re-throw in Procedure QBM_ZViewBuildR, Line 10
    50000 0 re-throw in Procedure QBM_PViewBuildR_intern, Line 102
    50000 0 re-throw in Procedure QBM_PViewBuildR_intern, Line 82
    50000 0 re-throw in Procedure QBM_PViewBuild_FromAddOn, Line 65
    50000 0 re-throw in Procedure QBM_PSQLCreate, Line 26
    156 0 detected in (...) Procedure ..., Line 6
    156 0 Incorrect syntax near the keyword 'with'

Recommended action:

Check custom view definitions.

  1. Create a view that uses the common table expression.

    create view CCC_Vxy as
    with a (col1, col2) as (
        select 1 as col1, 2 as col2
    )
    select * from a

  2. Use the view in the additional view definition (QBMViewAddon) of the read-only table.

    select * from CCC_Vxy


Number of parameter pairs ParamName/ParamValue in the MailComponent's process task SendRichMail is not always sufficient.

10 parameter pairs are available by default. If this number is not sufficient, you can add additional custom process parameters, which Process Editor can then use as parameters. This function is available as from One Identity Manager version 7.0.


In certain circumstances, objects can be in an inconsistent state after simulation in the Manager. If an object is changed or saved during simulation and the simulation is finished, the object remains in the final simulated state. It may not be possible to save other modifications to this object instance.

Solution: Reload the object after completing simulation.


Invalid module combinations can be selected in the Configuration Wizard. This causes errors at the start of the schema installation. This problem only occurs if the Configuration Wizard is started directly. Always use autorun.exe for installing One Identity Manager components. This ensures that you do not select any invalid modules.


Schema extensions on a database view of type View (for example Department) with a foreign key relation to a base table column (for example BaseTree) or a database view of type View are not permitted.


Error connecting through an application server if the certificate's private key, used by the VI.DB to try and encrypt its session data, cannot be exported and the private key is therefore not available to the VI.DB.

Solution: Mark the private key as exportable if exporting or importing the certificate.


If a One Identity Manager database is operating in a cluster, the database is restored from a backup after a cluster failover. A new database ID is created in the process. This step cannot be missed out anymore otherwise the database cannot be compiled.


The One Identity Manager Service only logs messages in the event log Application, by default.

Cause: To add an event log with another name, you require administrator permissions on the Job server.


  1. On the Job server, manually add the file that the One Identity Manager Service should write to. You can use Windows PowerShell, for example, to do this.

    1. Run Windows PowerShell as administrator on the Job server.

    2. Run the following CmdLet:

      New-EventLog -Source "Foobar" -LogName "<file name>"

  2. Enter this file name in the One Identity Manager Service's configuration file as the name for the event log in the module Logwriter.

  3. Restart the computer.

  4. Restart the One Identity Manager Service.


The configuration parameter QER | ITShop | LimitOfNodeCheck specifies how many product nodes are deleted in one DBQueue Processor run if large numbers of products in the IT Shop are deleted through automatic processes. By default, 500 objects are processed in one run. Set the value lower if there are performance problems while executing the task QER-K-OrgAutoChild.


Outstanding objects are ignored by inheritance calculation. This means, all memberships and assignments stay there until the outstanding objects have been processed.

Run target system synchronization to do this.


Table 10: General web applications
Known Issue Issue ID

The error message This access control list is not in canonical form and therefore cannot be modified sometimes occurs when installing the Web Portal with the Web Installer. The error occurs frequently after a Windows 10 Anniversary Update.

Solution: Change the permissions for the users on the web application's parent folder (by default C:\inetpub\wwwroot) and apply the changes. Then revoke the changes again.


Target system synchronization does not show any information in the Manager web application.

Workaround: Use Manager to run the target system synchronization.


It is not possible to log out of the Web Portal using OAuth 2.0/OpenID Connect because it is rerouted to a false address.

Cause: If, in the configuration parameter QER | Person | OAuthAuthenticator | LogoutEndpoint, a URL without a parameter is given, the logout parameters are appended to the URL in the configuration parameter in a format incompatible with the browser.

Solution: Add a dummy parameter to the URL in the configuration parameter, for example, instead of http://localhost/IdentityManager/logout use the value http://localhost/IdentityManager/logout?from=logout.

Table 11: Target system connection
Known Issue Issue ID

Automatic employee assignment for Notes user accounts does not work.

Cause: DialogObject.ObjectName on NDOUser has been renamed from NotesUser to NDOUser.

Solution: Test the existing search criteria for employee assignment (table column NDODomain.AccountToPersonMatchingRule) and replace NotesUser with NDOUser.

An error may occur when synchronizing a target system and provisioning object modification if the synchronization project was created with One Identity Manager 7.0 and no hotfixes were installed.

Example of an error message:

[2134002] Error executing an adhoc projection!

[1777239] The mapping rule (Members by SID) was unable to execute the projection between system objects (<group cn>) and (<group dn>) successfully!

Solution: Delete the synchronization project and recreate it. Restore your customizations.


Memory leaks occur with Windows PowerShell connections, which use Import-PSSession internally.


After synchronizing an SAP R/3 environment, assignments of single roles to SAP user accounts are labeled as outstanding.

This problem can occur if:

  • SAP role assignments to user accounts were loaded in the One Identity Manager database before installing One Identity Manager 7.0.1
  • Single role assignments, which are included in collective roles, were mapped as direct assignments (Error ID 3218196)

By resolving this problem in One Identity Manager 7.0.1, incorrect assignments are labeled as outstanding after synchronizing again using the appropriate synchronization configuration.

Solution: Delete outstanding assignments in One Identity Manager target system synchronization.


By default, the building block HR_ENTRY_DATE of an SAP HCM system cannot be called remotely.

Solution: Make it possible to access the building block HR_ENTRY_DATE remotely in your SAP HCM system. Create a mapping for the schema property EntryDate in the Synchronization Editor.


Any existing secondary SIP addresses are converted into primary email addresses when Microsoft Exchange mailboxes are added, providing that no primary SIP addresses were stored up to now.


The SAP connector does not provide a schema property to establish whether a user has a productive password in SAP R/3.

If this information is meant to be in One Identity Manager, extend the schema and the synchronization configuration.

  • Add a custom column to the table SAPUser.
  • Extend the SAP schema in the synchronization project by a new schema type that supplies the required information.
  • Modify the synchronization configuration as required.


No passwords can be provisioned when the bind method Fast Bind is in use in Active Directory. The method SetPassword is therefore not available.

The process step AdhocProjection fails with the message:

[System.Runtime.InteropServices.COMException] Unknown name. (Exception from HRESULT: 0x80020006 (DISP_E_UNKNOWNNAME))).


Synchronization projects for SAP R/3 that were imported by a transport into a One Identity Manager database, cannot be opened. The problem only occurs if an SAP R/3 synchronization project was not added in the target database before importing the transport package.

Solution: Create and save at least one SAP R/3 synchronization project before you import SAP R/3 synchronization projects into this database with the Database Transporter.


To use automatic employee assignment for central user administration (CUA) user accounts, assign an account definition to the CUA central system. Account definitions cannot be used to assign user accounts to child systems.


If an Active Directory user account has the property MailNickName, an error occurs when the mailbox is enabled.

[System.Management.Automation.ActionPreferenceStopException] The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: ExternalEmailAddress is mandatory on MailUser.

Cause: The property MailNickName is additionally mapped in the Active Directory mapping. This causes inconsistencies in the target system from the moment the user accounts are added.

A user account of this kind appears in the Microsoft Exchange console as a mail user but without a target email address. An attempt to open this object causes an object corrupted error in Microsoft Exchange.

Solution: Clear up inconsistencies in the affected user accounts in Active Directory and correct your Active Directory mapping.


An error occurs when synchronizing an OpenDJ system if a password begins with an opening curly bracket.

Cause: The LDAP server interprets a generated password of the form {<abc>}<def> as a hash value. However, the LDAP server does not allow hashed passwords to be passed.

Solution: The LDAP server can be configured so that a hashed password of the form {<algorithm>}hash can be passed.

  • On the LDAP server: Allow already hashed passwords to be passed.

  • In the synchronization project: Only pass hashed passwords. Use the script properties for mapping schema properties that contain passwords. Create the password's hash value in the script.
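The ambiguity described above, and the hashing that the second option asks the script to perform, shown as an added Python illustration (not One Identity or Synchronization Editor code). It assumes the server accepts the salted SHA schemes named in `DIGESTS` in the layout base64(digest(password + salt) + salt); the function names, salt length and sample password are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# "{scheme}rest" is the shape an LDAP server reads as an already hashed value.
SCHEME_PREFIX = re.compile(r"^\{([^{}]+)\}(.+)$", re.DOTALL)

# Assumed scheme names; use only those enabled in the server's password policy.
DIGESTS = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}

# Constructed sample: a generated clear-text password that starts with "{".
SAMPLE_PASSWORD = "{Kx9}pQ2!vT"


def looks_prehashed(value: str) -> bool:
    """True if a clear-text value would be parsed as {scheme}hash."""
    return SCHEME_PREFIX.match(value) is not None


def hash_password(password: str, scheme: str = "SSHA512",
                  salt: Optional[bytes] = None) -> str:
    """Return '{scheme}' + base64(digest(password + salt) + salt)."""
    algo = DIGESTS[scheme]
    salt = os.urandom(8) if salt is None else salt  # salt length is an assumption
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Check a clear-text password against a value built by hash_password."""
    match = SCHEME_PREFIX.match(stored)
    if not match or match.group(1) not in DIGESTS:
        return False
    algo = DIGESTS[match.group(1)]
    try:
        raw = base64.b64decode(match.group(2), validate=True)
    except ValueError:
        return False
    size = hashlib.new(algo).digest_size
    if len(raw) <= size:
        return False
    expected = hashlib.new(algo, password.encode("utf-8") + raw[size:]).digest()
    return hmac.compare_digest(raw[:size], expected)
```

Because every value produced by `hash_password` carries an explicit scheme prefix, a password that itself begins with `{` no longer reaches the server in a form it can misread.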


If there are a large number of LDAP user accounts and LDAP groups in the database, provisioning might take a very long time. A message appears in the StdIO processor log (StdioProcessor.log) while the LDAP user accounts and LDAP groups are updated.

DEBUG (SystemObjectData <static>) : Creating SystemObjectData based on entity (%DisplayName% (%cn%)) columns (UID_LDAPAccount, UID_LDAPContainer, UID_LDPDomain, XObjectKey).

TRACE (SchemaElement static) : %DisplayName% (%cn%)@LDAPAccount[].GetValue(vrtScopeParentReference) returns ...

TRACE (SchemaElement static) : %DisplayName% (%cn%)@LDAPAccount[].GetValue(UID_LDAPContainer) returns ...

Cause: No reference scope is defined, so the default scope is used for resolving references. This causes too much data to be loaded from the database.

Solution: Define an empty reference scope. This means that scopes are not calculated when references are resolved, which noticeably improves performance with larger amounts of data.


Inconsistencies in SharePoint can cause errors when a property is merely accessed. The error also appears if the mapping of the affected schema properties is disabled.

Cause: The SharePoint connector loads all object properties into cache by default.


Solution:

  • Correct the error in the target system.

  • Disable the cache in the file VI.Projector.SharePoint.<Version>.Host.exe.config.


Table 12: Third party contributions
Known Issue Issue ID

An error can occur during synchronization of SharePoint websites under SharePoint 2010. The method SPWeb.FirstUniqueRoleDefinitionWeb() triggers an ArgumentException. For more information, see


Installing the One Identity Manager Service with the Server Installer on a Windows Server does not work if the setting File and Printer sharing is not set on the server. This option is not set on domain controllers for security reasons.


Web applications under .NET 4.x on IIS are generally not stable if Microsoft Application Performance Monitoring is running on the same system.

This problem is documented by Microsoft. For more information, see


Memberships in Active Directory groups of type Universal in a subdomain are not removed from the target system if one of the following Windows updates is installed:

  • Windows Server 2016 : KB4462928

  • Windows Server 2012 R2 : KB4462926, KB4462921

  • Windows Server 2008 R2 : KB4462926

We do not know whether other Windows updates also cause this error.

The Active Directory connector corrects this behavior with a workaround by updating the membership list. This workaround may degrade performance when Active Directory groups are provisioned and will be removed in the future once One Identity Manager has resolved the problem.

