In my company, our AD OU structure is designed OU=Region,OU=Country,OU=Location; so, as you could imagine, it’s not uncommon for folks to move locations, thus changing their DN. This has caused some issues with provisioning/deprovisioning of AD groups, specifically that IDN tries to add entitlements via the old DN and it either fails or, worst case, continually re-adds even after we revoke.
Wanted to check with the wider community if anyone has changed the Account ID on an Active Directory source from using the Distinguished Name to another attribute (i.e. samAccountName). How did it go? Any road bumps we should be aware of? Any full-stop blockers?
Thank you for the links! Voted on the Idea as it definitely falls into the situation we’re looking at. Object GUID or SID is a much better idea than falling back on samAccountName.
Maybe this is something to do with the new Source view, but it looks to allow an Admin to update the Account Schema on the source, so, we could in theory change it to whatever we would need it to be. The pitfalls described in your screenshot would be what we would be wanting to know before attempting.
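To make the "why not DN" point concrete, here is a small added Python model (not code from this thread, and not SailPoint's own correlation or provisioning logic) of one aggregation cycle. An identity provider stores an Account ID for each known account, reads the directory again after the user has moved OU, and tries to correlate and provision. Keyed on DN, the stored ID no longer resolves (the failed add) and the moved object shows up as an unmatched new account, which is where repeated adds start; keyed on objectGUID, the same move correlates cleanly. All DNs, GUIDs and group names are constructed for the example, and `object_guid` is just a field name standing in for the objectGUID attribute.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AdEntry:
    """One object from a directory read. Values are constructed for the example."""
    dn: str
    sam_account_name: str
    object_guid: str          # stands in for objectGUID; constructed, not a real GUID
    member_of: frozenset      # group DNs the object currently belongs to


def index_by(entries, key_attr):
    """Index a directory read by the attribute chosen as Account ID."""
    return {getattr(e, key_attr): e for e in entries}


def correlate(known_ids, directory, key_attr):
    """Match the Account IDs already stored for an identity against a fresh read.
    Returns (matched, missing, unmatched_new) lists of Account ID values."""
    seen = index_by(directory, key_attr)
    matched = [k for k in known_ids if k in seen]
    missing = [k for k in known_ids if k not in seen]
    unmatched_new = [k for k in seen if k not in known_ids]
    return matched, missing, unmatched_new


def plan_group_add(known_ids, directory, key_attr, group_dn):
    """What a provisioning step keyed on key_attr would try for each stored account.
    'error' = the stored Account ID no longer resolves to an object (the failed add);
    'add'   = the object exists but lacks the group; 'noop' = already a member."""
    seen = index_by(directory, key_attr)
    plan = []
    for k in known_ids:
        entry = seen.get(k)
        if entry is None:
            plan.append(("error", k))
        elif group_dn not in entry.member_of:
            plan.append(("add", k))
        else:
            plan.append(("noop", k))
    return plan


GROUP_DN = "CN=VPN-Users,OU=Groups,DC=example,DC=com"   # constructed

# Constructed reads: the same user before and after an OU move. AD keeps
# objectGUID and sAMAccountName across the move; only the DN changes.
BEFORE = [AdEntry(
    dn="CN=jdoe,OU=London,OU=UK,OU=EMEA,DC=example,DC=com",
    sam_account_name="jdoe", object_guid="guid-0001",
    member_of=frozenset({GROUP_DN}))]
AFTER = [AdEntry(
    dn="CN=jdoe,OU=Paris,OU=FR,OU=EMEA,DC=example,DC=com",
    sam_account_name="jdoe", object_guid="guid-0001",
    member_of=frozenset({GROUP_DN}))]


def compare_account_id_choices():
    """Run the same OU move through a DN-keyed and an objectGUID-keyed store."""
    results = {}
    for key_attr in ("dn", "object_guid"):
        known = list(index_by(BEFORE, key_attr))      # what was stored last cycle
        matched, missing, new = correlate(known, AFTER, key_attr)
        results[key_attr] = {
            "matched": len(matched),
            "missing": len(missing),
            "unmatched_new": len(new),
            "plan": plan_group_add(known, AFTER, key_attr, GROUP_DN),
        }
    return results


if __name__ == "__main__":
    for key_attr, r in compare_account_id_choices().items():
        print(key_attr, r)
```

Running it shows the DN-keyed store reporting one missing account, one unmatched new account and an `error` on the add, while the objectGUID-keyed store reports one match and a `noop` because the membership was already there. The same structure applies to objectSid; sAMAccountName survives an OU move too, but unlike the GUID it can be renamed, which is the reason the thread prefers GUID or SID.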
Appreciate the input, Alicia, we are following those best practices where we can! Hopefully we’ll get some update soon about enhancements.