User with invalid manager gets blocked permanently

Jake Vosloo 6 years ago in UNIFYBroker/Frontier ichris/chris21 updated by anonymous 5 years ago 3

It seems that the IDB Lite and IDaaS systems fail to handle the following scenario:

  1. Create a new account in chris21 and make the account’s manager someone who does not and will not exist in AD.
  2. Let it sync and create the user; when it attempts to update the user’s manager, it fails with the error that the manager could not be found.
  3. Now change the account’s manager (mgrdetnumber) to someone who does exist in AD.
  4. The system will continue to resolve the previous manager and will permanently fail to update this user.

Workaround: Run a baseline operation against AD. This is a bad workaround because baselines can usually only be run over weekends.

Affected Versions:
Fixed by Version:



Not an issue in Identity Broker Plus.

Under review

Hi Jake,

This doesn't sound like a valid case, as the manager must exist in AD for LITE. As it's not a valid scenario, the workaround of running a baseline doesn't seem that problematic.

If it is something that is going to come up often, what is the exception that occurs in step 4? What are the details at that point, i.e. what are the values of $in['mgrdetnumber'] and $managerEntity.GetValueEntry('dn'), along with the connector and adapter values? Could this just be a timing issue, where the sync has run again before you got the new manager imported into the connector? This could easily be worked around with a try/catch around the manager retrieval logic in the script.


This might also be related to the issue where Azure SQL fails when overloaded, as discussed here:


I will update when further tests are done.

