AD display name in entitlements, DN vs CN/sAMAccountName?

Hi, I have the default AD connector installed at one client. I am seeing discrepancies in the Name column of the entitlement list. Most of them appear as the DN, and only a few as the sAMAccountName.

I altered the schema, only for testing purposes, replacing sAMAccountName with the cn attribute:

I aggregated and now I can see only the CN value in the name column (that was expected). But some still show the DN instead.

Is this a bug? As cn is mandatory in groups, all of them must have this attribute populated.

Hi @jsosa,

Assuming you have done the entitlement aggregation, have you checked whether the groups with incorrect display names actually exist in AD, or whether they have been moved to a different OU that is outside your group search scope?

I have seen cases where the AD groups are deleted from AD but they exist in the IDN source.

If that is the case, can you try doing a source entitlement reset (use the below API) and aggregate again?


Hi Jesvin! Yes, the groups exist and the service account is a domain admin. I actually had a worse scenario, where most groups appeared with the DN in the name column. Then I ran the private API call you mentioned, performed a new aggregation, and now “most” groups appear right (with cn in the name column), but some random groups still appear with their DN instead of showing the CN.

Since you said that you have validated the data on the AD Source directly and it is correct, can you check the aggregation configuration for the AD Source in IdentityNow?


Hi Rajesh! It was OOTB. I changed the display name attribute via the API and put cn instead of sAMAccountName, although in AD groups both attributes have the same value.