AD before provisioning rule

I’ve written a before provisioning rule for AD disablement. I’ve seen the AD account request is setting AC_NewParent, and the AD team also confirmed the user moved to the disabled OU. But in IDN the AD account DN is showing in the active OU only, instead of the disabled OU. I’ve run an AD optimized aggregation, but nothing changed.

Any suggestion on how this can be addressed?

My first thought would be to double check the aggregation. Are you sure it ran successfully and completely? If the AD account moved from one OU to another, IDN should recognize that during the aggregation and it should be reflected on the account in IDN.

I did a couple of users and saw the account disabled after aggregation. Can’t we handle this without aggregation? No automatic single aggregation happens for this purpose in IDN. One more thing: currently, during disable, we need to remove all groups from the AD account (role-based groups and birthright groups). We are trying to set a memberOf attribute request directly during the disable operation. Will this work, or do we need the account operation set to Modify to remove the groups?

No, there is no automatic targeted aggregation.

I’m not sure I understand your question fully, but if you need to remove all groups when disabling an AD account, you’ll need to use a BeforeProvisioning rule. In that rule you can add an AttributeRequest to the ProvisioningPlan to set the memberOf attribute value to the DN of the Domain Users group in the domain. That will effectively remove all group memberships. Further, you can add an AttributeRequest to the plan even when the AccountRequest.Operation is Disable. You don’t have to change the operation specifically to Modify.

1 Like
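A sketch of such a rule, added here as an example and not taken from the thread or from SailPoint’s own documentation. It assumes the `plan` variable that IdentityNow passes to a BeforeProvisioning rule, and the two DN strings are placeholders to replace with the domain’s real disabled OU and Domain Users group DNs.

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Placeholder DNs (constructed for this example): substitute your domain's values.
String DISABLED_OU_DN = "OU=Disabled Users,DC=example,DC=com";
String DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com";

// 'plan' is the ProvisioningPlan handed to the BeforeProvisioning rule.
List accountRequests = plan.getAccountRequests();
if (accountRequests != null) {
  for (Object o : accountRequests) {
    AccountRequest acctReq = (AccountRequest) o;

    // Only touch Disable requests; Create/Modify/Enable pass through unchanged.
    if (acctReq.getOperation() != AccountRequest.Operation.Disable) {
      continue;
    }

    // Move the account into the disabled OU. Only add the request when the plan
    // does not already carry one, so an explicit upstream value is not overridden.
    if (acctReq.getAttributeRequest("AC_NewParent") == null) {
      acctReq.add(new AttributeRequest("AC_NewParent",
          ProvisioningPlan.Operation.Set, DISABLED_OU_DN));
    }

    // Set memberOf to Domain Users only: a Set replaces the whole value list,
    // which strips every role-based and birthright group in one request.
    if (acctReq.getAttributeRequest("memberOf") == null) {
      acctReq.add(new AttributeRequest("memberOf",
          ProvisioningPlan.Operation.Set, DOMAIN_USERS_DN));
    }
  }
}
```

As the thread notes, the account's DN and group list shown in IDN still reflect the last aggregation, so verify the move and the membership change in AD directly (or wait for the next aggregation) rather than relying on the IDN account view immediately after the disable.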

This is the answer I was expecting. I’ve written a before provisioning rule, but in one of the blogs I’ve seen the account request converted to a Modify operation to remove groups. Now I’m clear that with the Disable operation we are able to remove groups by setting a memberOf attribute request → then the account request → then the plan.