When we Disable a users AD account and move them to a Disabled OU using AC_NewParent on the Disable Profile, do we need to run an AD aggregation to see those changes? It seems IDN does not update the DN when performing the move operation.
Hi @ethompson
OU is part of DN and this attribute is account id on identityNow this value can’t be simple updated. Aggregation on AD works reading account in every OU and if a new account exist exist in the OU then the account is created but if an account doesn’t exist anymore on AD then the account will be deleted. For these two reasons account can’t be simple updated on IdentityNow.
@ethompson Yes you’ll need to aggregate the AD source to pick up the change in parent OU. Also, make sure that the OU you’re moving the account to as part of the disable operation, is within the account search scope on the config page of the source. Otherwise IDN will lose sight of the account when you aggregate the source.
So this is a bit of an issue where any role syncs end up creating a new account for these users if there’s no aggregations that happen before the role sync kicks off.
Single object aggregations also break as a result.
Is there a more graceful way of handling this? One would have thought that using the AC_NewParent attribute would suffice to update IDN internally as well without having to re-run a full source aggregation…
Using the UPN as account ID can help work around this issue but is in conflict with SailPoint’s advice of not changing it from distinguishedName.