Troubleshooting: User Not Created in Active Directory by eADM

This article describes the most common reasons why eADM fails to create a user account in Active Directory (AD), and provides steps to identify and resolve each cause. It is intended for eADM administrators and IT partners managing on-premises AD integrations.

How to read the eADM AD export log

The eADM local client writes a detailed log for each export operation. This log is the primary diagnostic tool when a user account is not created in AD.

Log files can be downloaded via Synchronization -> Status -> More -> Download eADM Client log. Alternatively, the log is typically located in C:\eADM\ or in a subfolder configured during installation. Each entry follows this pattern:

DD.MM.YYYY HH:MM:SS - [action or result message]

A successful Create operation logs each attribute being set and ends without an error line. A failed Create operation logs the attribute sequence and then terminates with an error code and message. Example of a failed creation from a known support case:

23.07.2025 14:20:41 - Creating with LDAP://DC-SERVER/cn=Maria Ustad,OU=eAdm,OU=Brukere,...
23.07.2025 14:20:41 - Setting samAccountName to value 1001ma
23.07.2025 14:20:41 - Checking if upn is unique in domain maria.ustad@orland.kommune.no
23.07.2025 14:20:41 - Setting userPrincipalName to value maria.ustad@orland.kommune.no
23.07.2025 14:20:41 - 173585349|The object already exists.

Error lines follow the format ERROR_CODE|Error message text. The error code and message together identify the cause. Note the last successful attribute line before the error — this narrows down where AD rejected the operation.
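The following PowerShell function applies this reading of the log mechanically: it splits the client log into Create sequences and reports, for each one, the DN, the last attribute set and the ERROR_CODE|message line that ended it. It is an added example, not part of eADM; the sample lines are constructed to follow the pattern above, and the log file name is a placeholder.

```powershell
# Added example (not eADM's own tooling): walk an eADM client log, split it into
# Create sequences and report, per sequence, the DN, the last attribute that was
# set and the ERROR_CODE|message line that ended it (if any).
function Get-EadmCreateResult {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $results = @()
    $current = $null
    $linePattern = '^(?<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) - (?<msg>.*)$'

    foreach ($line in $LogLines) {
        if ($line -notmatch $linePattern) { continue }   # skip lines outside the DD.MM.YYYY HH:MM:SS - pattern
        $ts  = $Matches.ts
        $msg = $Matches.msg

        if ($msg -like 'Creating with LDAP://*') {
            # A new sequence starts; an open sequence with no error line was a success
            if ($null -ne $current) { $current.Result = 'Success'; $results += [pscustomobject]$current }
            $current = [ordered]@{ Started = $ts; DN = $msg.Substring(14); SamAccountName = $null
                                   LastAttribute = $null; Result = $null; ErrorCode = $null; ErrorMessage = $null }
            continue
        }
        if ($null -eq $current) { continue }

        if ($msg -match '^Setting (?<attr>\S+) to value (?<val>.*)$') {
            $current.LastAttribute = $Matches.attr
            if ($Matches.attr -eq 'samAccountName') { $current.SamAccountName = $Matches.val }
        }
        elseif ($msg -match '^(?<code>\d+)\|(?<text>.*)$') {
            # ERROR_CODE|message terminates the sequence: AD rejected the Create
            $current.Result       = 'Failed'
            $current.ErrorCode    = $Matches.code
            $current.ErrorMessage = $Matches.text
            $results += [pscustomobject]$current
            $current = $null
        }
    }
    if ($null -ne $current) { $current.Result = 'Success'; $results += [pscustomobject]$current }
    return $results
}

# Constructed sample lines following the article's log pattern (not a real export)
$sample = @(
    '23.07.2025 14:20:41 - Creating with LDAP://DC01/cn=Sample User,OU=Users,DC=example,DC=test',
    '23.07.2025 14:20:41 - Setting samAccountName to value 1001sa',
    '23.07.2025 14:20:41 - Checking if upn is unique in domain sample.user@example.test',
    '23.07.2025 14:20:41 - Setting userPrincipalName to value sample.user@example.test',
    '23.07.2025 14:20:41 - 173585349|The object already exists.'
)
Get-EadmCreateResult -LogLines $sample | Where-Object Result -eq 'Failed' |
    Format-List DN, SamAccountName, LastAttribute, ErrorCode, ErrorMessage
# Real log: Get-EadmCreateResult -LogLines (Get-Content 'C:\eADM\<client log file>')
```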

Note: If no log entries appear at all for a sync cycle, the issue may be with the eADM local client itself rather than AD. See Troubleshooting System.ServiceModel.FaultException in eADM Local Client Logs.

Common causes and resolutions

1. Duplicate object — user already exists in AD

eADM attempts to create an object at a distinguished name (DN) or with a sAMAccountName that already exists in AD. AD rejects the operation with an error such as The object already exists.

This can occur when:

  • Two employees share the same generated sAMAccountName (e.g. both resolve to 1001ma).

  • A previously deleted user account was not fully removed from AD and a tombstone or recycled object remains.

  • The user was created manually in AD before eADM attempted provisioning.

  • Two users have the same date of birth, causing a collision in a date-based username generation rule.

Resolution:

  1. Search AD for the sAMAccountName or CN shown in the log to identify the conflicting object.

  2. In eADM, open the affected user and check the AD Username field. If two users share the same value, correct the value for one of them via eADM configuration or by adjusting the username generation rule.

  3. If a stale object exists in AD, remove it or move it out of the target OU, then trigger a new sync cycle.

Note: The sAMAccountName must be unique across the entire AD domain, not just within the target OU. Check for conflicts in other OUs if the obvious path appears clear.
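The three resolution steps can be run as one domain-wide check. This is an added example, not eADM tooling; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the target OU DN is a placeholder. The identity values are the ones from the log excerpt earlier in this article.

```powershell
# Added example (not eADM's own tooling): run the collision checks from the
# resolution steps in one go. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Find-EadmCreateConflict {
    param(
        [Parameter(Mandatory)][string]$Sam,       # from "Setting samAccountName to value ..."
        [Parameter(Mandatory)][string]$Cn,        # CN from the "Creating with LDAP://..." line
        [Parameter(Mandatory)][string]$TargetOu,  # DN of the OU eADM creates users in
        [string]$Upn                              # from "Setting userPrincipalName to value ..."
    )
    # 1. sAMAccountName must be unique per domain, so search the whole domain, not only the OU
    $bySam = Get-ADObject -LDAPFilter "(sAMAccountName=$Sam)"

    # 2. UPN must be unique as well (the log's "Checking if upn is unique" step)
    $byUpn = if ($Upn) { Get-ADObject -LDAPFilter "(userPrincipalName=$Upn)" } else { @() }

    # 3. A live object with the same CN in the target OU makes the full DN collide
    $byCn = Get-ADObject -LDAPFilter "(cn=$Cn)" -SearchBase $TargetOu -SearchScope Subtree

    # 4. Deleted-but-not-purged objects (tombstones / Recycle Bin) still carry the name;
    #    their RDN becomes "CN\0ADEL:<guid>", hence the wildcard on cn
    $deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(|(sAMAccountName=$Sam)(cn=$Cn*)))" `
                            -IncludeDeletedObjects -Properties lastKnownParent

    [pscustomobject]@{
        SamConflicts    = @($bySam   | ForEach-Object DistinguishedName)
        UpnConflicts    = @($byUpn   | ForEach-Object DistinguishedName)
        CnConflictsInOu = @($byCn    | ForEach-Object DistinguishedName)
        DeletedObjects  = @($deleted | ForEach-Object { "$($_.DistinguishedName) (was in $($_.lastKnownParent))" })
    }
}

# Values from the log excerpt in this article; replace the placeholder with the real target OU DN
Find-EadmCreateConflict -Sam '1001ma' -Cn 'Maria Ustad' -Upn 'maria.ustad@orland.kommune.no' `
                        -TargetOu '<target OU DN>'
```

Any non-empty list in the output names the object to remove, move or rename before the next sync cycle.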

2. Insufficient permissions on the service account

The service account eADM uses to connect to AD lacks the rights to create objects in the target OU, or lacks write access to one or more attributes being set during creation.

Common causes:

  • The service account does not have Create Child Objects permission on the target OU.

  • The service account lacks write permission on specific attributes such as proxyAddresses, manager, or employeeNumber.

  • The OU structure changed after the initial delegation was configured, and the service account's permissions no longer cover the new target OU.

Resolution: Review the delegated permissions on the target OU in AD. Ensure the eADM service account has at minimum:

  • Create and delete User objects in the target OU.

  • Write access to all attributes configured in the eADM export template for that user type.

Contact the customer's AD administrator to adjust delegated permissions. Do not grant Domain Admin rights to the eADM service account.
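To see what the delegation on the target OU actually grants before asking the AD administrator to change it, the following added example (not eADM tooling; it assumes the ActiveDirectory module and its AD: drive, and uses placeholders for the OU DN and service account) lists the Allow ACEs that apply to the service account or its direct group memberships and flags the ones that cover creating and deleting user objects.

```powershell
# Added example (not eADM's own tooling): list the Allow ACEs on the target OU that apply to
# the eADM service account or its direct group memberships, and flag whether they grant
# CreateChild/DeleteChild for the user class. Requires the ActiveDirectory module and AD: drive.
Import-Module ActiveDirectory

$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
$AnyObjectType = [guid]::Empty                                    # ACE applies to all classes/attributes

function Get-EadmServiceAccountAces {
    param(
        [Parameter(Mandatory)][string]$TargetOu,        # DN of the OU eADM creates users in
        [Parameter(Mandatory)][string]$ServiceAccount   # sAMAccountName of the eADM service account
    )
    $netbios = (Get-ADDomain).NetBIOSName
    $account = Get-ADUser -Identity $ServiceAccount
    # ACEs are usually written for groups; collect direct memberships (nested groups are not expanded here)
    $names = @("$netbios\$($account.SamAccountName)") +
             @(Get-ADPrincipalGroupMembership $account | ForEach-Object { "$netbios\$($_.SamAccountName)" })

    $acl = Get-Acl -Path "AD:\$TargetOu"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $names -notcontains $ace.IdentityReference.Value) { continue }
        # An ACE covers user objects when its ObjectType is the user class GUID or the empty GUID (all)
        $coversUsers = ($ace.ObjectType -eq $UserClassGuid) -or ($ace.ObjectType -eq $AnyObjectType)
        [pscustomobject]@{
            Identity     = $ace.IdentityReference.Value
            Rights       = $ace.ActiveDirectoryRights
            ObjectType   = $ace.ObjectType
            Inherited    = $ace.IsInherited
            CreatesUsers = $coversUsers -and $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild)
            DeletesUsers = $coversUsers -and $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)
        }
    }
}

Get-EadmServiceAccountAces -TargetOu '<target OU DN>' -ServiceAccount '<eadm-service-account>' |
    Format-Table -AutoSize
```

If no row shows CreatesUsers = True, the missing right is the cause; attribute-level write rights appear as WriteProperty ACEs whose ObjectType is the attribute's schemaIDGUID.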

3. Password complexity requirements not met

If eADM is configured to set a password when creating a new account, AD will reject the creation if the password does not satisfy the domain's password policy — including minimum length, complexity rules, or password history requirements.

Resolution: Review the default password configured in the eADM export template and compare it against the domain's Fine-Grained Password Policy (if applicable) or Default Domain Policy. The password set by eADM at account creation must satisfy all policy requirements.

Warning: Do not lower the AD domain password policy to match eADM. Instead, update the eADM configuration to generate or set a compliant password. Lowering the domain policy affects all accounts in the domain.
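Before changing the export template, the candidate initial password can be checked against the policy AD will apply. The function below is an added example, not eADM tooling; it assumes the ActiveDirectory module, reads the Default Domain Policy (or a named Fine-Grained Password Policy, if the new account will fall under one) and evaluates the complexity rule as Microsoft documents it. The sample values are constructed.

```powershell
# Added example (not eADM's own tooling): test an initial password against the policy AD
# will enforce, so the eADM template is corrected rather than the domain policy.
Import-Module ActiveDirectory

function Test-EadmInitialPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = '',
        [string]$PsoName                     # optional Fine-Grained Password Policy name
    )
    $policy = if ($PsoName) { Get-ADFineGrainedPasswordPolicy -Identity $PsoName }
              else          { Get-ADDefaultDomainPasswordPolicy }
    $problems = @()

    if ($Password.Length -lt $policy.MinPasswordLength) {
        $problems += "Shorter than MinPasswordLength ($($policy.MinPasswordLength))"
    }
    if ($policy.ComplexityEnabled) {
        # Categories checked: uppercase, lowercase, digit, non-alphanumeric. The fifth documented
        # category (Unicode letters that are neither upper nor lower case) is not checked here.
        $hits = @(($Password -cmatch '\p{Lu}'), ($Password -cmatch '\p{Ll}'),
                  ($Password -match '\p{Nd}'), ($Password -match '[^\p{L}\p{Nd}]')) | Where-Object { $_ }
        if (@($hits).Count -lt 3) { $problems += 'Fewer than 3 character categories' }
        # The whole sAMAccountName (if 3+ chars) must not appear in the password
        if ($SamAccountName.Length -ge 3 -and $Password -match [regex]::Escape($SamAccountName)) {
            $problems += 'Contains the sAMAccountName'
        }
        # Full-name fragments of 3+ chars (split on comma, period, dash, underscore, space, #, tab) must not appear
        foreach ($part in ($DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 })) {
            if ($Password -match [regex]::Escape($part)) { $problems += "Contains name fragment '$part'" }
        }
    }
    # Password history cannot apply to an account that does not exist yet, so it is not checked
    [pscustomobject]@{ Policy = $policy.DistinguishedName; Compliant = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed values, not a real template password; this one is rejected for containing "Maria"
Test-EadmInitialPassword -Password 'Maria2025!' -SamAccountName '1001ma' -DisplayName 'Maria Ustad'
```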

4. Invalid data or schema violation

eADM attempts to write a value to an AD attribute that the schema does not permit for that domain — for example, a value of the wrong data type, a value containing unsupported characters, or a missing mandatory attribute.

Common causes:

  • The sAMAccountName contains characters not permitted by AD (e.g. spaces, slashes, or extended characters).

  • A mandatory AD attribute required by a schema extension is not mapped in the eADM export template.

  • The manager attribute references a DN that does not exist in AD, as shown by An invalid dn syntax has been specified in the log.

  • A numeric field in the export template is sending a string value.

Resolution: Identify the last attribute line written before the error in the log. Review the value being set for that attribute in the eADM export template and the source data from HR. Correct either the data mapping in eADM or the source value in the HR system, then trigger a new sync.

5. Network or connectivity failure to the AD agent

The eADM cloud service cannot reach the on-premises eADM local client, or the local client cannot reach the AD domain controller. In this case, no log entries are written for the affected sync cycle, or the log shows a timeout or connection error rather than an AD-specific error code.

Resolution:

  1. Verify that the eADM local client service or scheduled task is running on the on-premises server.

  2. Check that outbound HTTPS (port 443) is permitted from the server to the eADM cloud endpoint.

  3. Verify that the server can reach the AD domain controller on the required LDAP port (389 or 636).

  4. Review Windows Event Viewer on the server for connectivity or service errors.

Diagnostic checklist

Check                                                                   Where to look
----------------------------------------------------------------------  ------------------------------------------------------------
Does the log show a Create attempt for the user?                        eADM local client log, C:\eADM\
What is the error code on the failed line?                              Log line in format ERROR_CODE|Message
Does an object with the same CN or sAMAccountName already exist in AD?  AD Users and Computers, or PowerShell:
                                                                        Get-ADUser -Filter {sAMAccountName -eq "value"}
Does the eADM AD Username field show a duplicate across two users?      eADM user profile → AD Username field
Does the service account have Create rights on the target OU?           AD Delegation of Control on the target OU
Is the local client running?                                            Windows Task Scheduler or Services on the on-premises server
