I have a use case where our admins have 2 AD accounts, one named and one for admin access. Admin AD account creation will be manual, however we want both accounts to be disabled upon termination and we do not want attributes synced to the admin accounts. It’s my understanding that attribute sync will apply to all correlated AD accounts. My idea is to set up a secondary Active Directory source, which will include the OU for the admin accounts, and exclude the OU on the primary Active Directory connector. This should allow me not to sync attributes with that connector.
Any idea if this should work or if this is a bad idea? I would like to hear how others are managing secondary admin AD accounts. Thanks!
I have done it both ways. Correlated both accounts using the same AD source or created another AD source just filtering the AD Admins. It worked fine in both scenarios. In your case since you don’t want to sync the same attributes to both accounts it sounds like a second AD source with a filter would be your best bet. I generally prefer using a second AD source for the admins for the reasons you mention and also the flexibility to have different joiner/mover/leaver flows for that AD admin source.
Based on your requirement to only attribute sync on the main AD source, I cannot think of another way besides 2 sources.
Multiple sources for AD can lead to duplicate entitlements (may not be your case since you are not provisioning through IDNow) and can be confusing for any reporting or downstream systems that will look to IDNow. That being said, those may not be showstoppers depending on your implementation.
Two AD sources are among the most common approaches for handling elevated/admin accounts. This will also give you a path to allow for things such as requesting admin accounts/access, discrete LCM processes, separate certifications & reporting, separate attribute sync configurations, etc. As you said - just set up your search OUs in the two different sources to point at the corresponding OUs.
We have 3 AD sources: one for regular user accounts, one for admin accounts, and one for attribute sync. We only do attribute sync for employees’ regular user accounts, and we can’t implement attribute sync in the source for regular user accounts because that source has accounts correlated to service identities, so we have the 3rd source for attribute sync where regular user accounts are only correlated to employees and the service accounts are uncorrelated.
We try not to manage multiple account types on one source for several reasons; therefore, I would recommend having a source for Primary Accounts and one for Admin Accounts, especially if they are not treated exactly the same (which it sounds like they aren’t). You will want to apply filters to the source configurations to only aggregate the type of account the source is managing.
Here are some notes about having multiple accounts from one source on a given Identity:
If a user already has one account, and you need them to have the 2nd account type, I do not believe that it will CREATE a new account, but instead automatically add what you are requesting to the existing account.
We’ve experienced problems with attribute sync when users have more than one account from the same source.
You can set up Multiple Account Options on your Access Profiles, which will help if the user already has 2 accounts: it will choose the correct one based on that configuration.
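The two-source design discussed in this thread (each source filtered to its own search OU, attribute sync enabled only on the primary source, and a leaver event disabling every correlated account) as an added model in Python; this is not SailPoint code or anything from the posters, and the OU paths, the employee-ID correlation key and the sample accounts are constructed for illustration.

```python
# Added example (not SailPoint code): OUs, attribute names and accounts are constructed.
from dataclasses import dataclass
SOURCES = {  # each source aggregates only accounts under its own search OU
    "AD-Users":  {"search_ou": "OU=Users,DC=corp,DC=example", "attribute_sync": True},
    "AD-Admins": {"search_ou": "OU=Admins,DC=corp,DC=example", "attribute_sync": False},
}
@dataclass
class Account:
    dn: str
    employee_id: str  # correlation key shared by a person's named and admin accounts
    attrs: dict
    enabled: bool = True
def source_for(dn):
    """Return the source whose search OU contains the account, or None (filtered out)."""
    for name, cfg in SOURCES.items():
        if dn.upper().endswith("," + cfg["search_ou"].upper()):
            return name
    return None

def correlate(accounts):
    """Group aggregated accounts by identity; one account per source per identity."""
    identities = {}
    for acct in accounts:
        src = source_for(acct.dn)
        if src is not None:
            identities.setdefault(acct.employee_id, {})[src] = acct
    return identities

def attribute_sync(identities, identity_attrs):
    """Push identity attributes only to accounts on sources with attribute sync enabled."""
    synced = []
    for emp_id, by_source in identities.items():
        for src, acct in by_source.items():
            if SOURCES[src]["attribute_sync"] and emp_id in identity_attrs:
                acct.attrs.update(identity_attrs[emp_id])
                synced.append(acct.dn)
    return synced

def leaver(identities, emp_id):
    """Termination disables every correlated account on every source."""
    accounts = list(identities.get(emp_id, {}).values())
    for acct in accounts:
        acct.enabled = False
    return [a.dn for a in accounts]
# Constructed sample: a named account, its admin twin, and an out-of-scope service account.
ACCOUNTS = [
    Account("CN=jdoe,OU=Users,DC=corp,DC=example", "1001", {"title": "Analyst"}),
    Account("CN=jdoe-adm,OU=Admins,DC=corp,DC=example", "1001", {"title": ""}),
    Account("CN=svc-backup,OU=Service,DC=corp,DC=example", "", {}),
]
```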