When trying to provision Active Directory accounts in Identity Manager, the accounts error out and are not created. The following error shows up on the screen and in the logs. Constraint Violation - Probable Cause: Duplicate account name.
In this environment users are given a base AD role and then several other AD roles that apply groups to the user. In the TEWS call, all of these roles are applied at the same time. TEWS has no way to dictate the order in which the roles are applied.
Only the primary AD role has rules about what OU the user account should go into, etc. So, when the roles are applied to the user in the wrong order what happens is the account ends up in the lost and found OU. Then, when the primary role is applied (which should put the user into a different OU) it throws the error that the user already exists.
To resolve this, send one call that applies the primary AD role, and then a second call applying all of the AD Group roles. This way, the user gets created in the correct OU and then all of the groups can be applied to the already existing account.