I know that Sailpoint recommend using the DN for account ID in the Active Directory schema, I would like to know the downside to using the GUID instead (or sAMAcccount).
The reason I ask is that our client has the situation where the DN will change regularly for large number of users (+50,000), moving in and out of a transitional OU. The AD account is to be provisioned as a birthright via LCS, and I fear that it will become uncorrelated during the move (and the full aggregations), thus causing 1000âs duplicate accounts to be created.
We are using DN as Account ID and we do move accounts from one OU to another. We didnât face any duplicate issue.
I donât think there will be a problem in changing the Account ID attribute though SailPoint recommends to not to change, technically shouldnât be a problem.
I am not clear on the the downsides of using GUID instead of DN as this is something I didnât want to mess around with, but the AD Connector documentation states, âIf you update these attributes (Account ID = distinguishedName) from their default values, the connector may fail.â I donât know exactly what could happen or how this will fail though.
You may have already come across this article, but I figured I would add it in case you havenât seen it. It talks about how to handle OU moves and updating the DN by using Identity Attributes or the Before Provisioning Rule. If you are looking for these OU moves to be handled by IDN, these might be some solutions that can help in your case.
If the intent is to move accounts but not have IDN perform the action, it might be best to plan for them to occur before a full AD aggregation is run in IDN (or run a full aggregation after) to minimize the risk of account updates not succeeding.
Itâs just the way that SailPoint has implemented their source is what requires the Account ID to be the DN instead of GUID. Iâve mentioned this already a couple of times and weâve also seen that there is an idea on the ideas portal for this already: https://ideas.sailpoint.com/ideas/GOV-I-2129
Follow-up question. Are we able to sync the DN if we sideloaded that attribute via the API call, or would it have to be done via a BeforeProvisioningRule?
Some of the downsides of using GUID are worse UI (some areas donât use display attribute, only the unique identifier) - e.g. in some OOTB reports and UI pages.
Moreover, it can cause issues down the line if youâre doing custom development. Iâve previously encountered that certain common features will not work. An example is making a âspecial account requestâ quicklink. Implementing in the usual scalable way (pass a flag then utilize application provisioning policy to react on that flag) caused major issues in AD apps. When analyzing with SailPoint, we realized the GUID unique identifier was the root cause. Thereâs some stuff deep in the connector which only works with DN.