AD OU movement for Disable and Re-hire

I am having a requirement to move AD account to Disabled OU when identity is inactive. And move it back to normal user OU when Rehire.

Can someone help me with the steps i need to follow for this implementation.

@shikhadeliveroo you can use disable and enable provisioning policies:

{
  "name": "disable Account",
  "description": "string",
  "usageType": "DISABLE",
  "fields": [
    {
      "name": "AC_NewParent",
      "transform": {
        "attributes": {
          "value": "OU=disabled,DC=domain,DC=com"
        },
        "type": "static"
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}

I can recommend using the SailPoint Services Standard Before Provisioning Rule, as mentioned here: Services Standard Before Provisioning Rule - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

You should make a request to your PS or SailPoint support to deploy this rule in your tenant. Once deployed, you can easily configure the AD OU movement directly in your AD source configuration.


Hello @shikhadeliveroo ,

You have two options to achieve this.

  1. Using a BeforeProvisioning Rule
    As per https://community.sailpoint.com/t5/IdentityNow-Wiki/Best-Practices-Active-Directory-Account-Moves/ta-p/189661, SailPoint recommends using a BP rule. Deploying a BP rule has a dependency on the support team, as it is a cloud rule.
  2. Using transforms in provisioning policies
    SailPoint does not recommend this approach, as it will create stranded account activity (which I would not care about, as it will not create any technical problem). This approach doesn't have any dependency. We are using this approach in our project.

For Option 1, you can take a look at the doc I shared, where you will find a sample BP rule, or you can refer to @baoussounda's suggestion.

For Option 2, you can create disable and enable type provisioning policies and apply the transform that @schattopadhy mentioned. You can use VS Code for this. I have attached an example for your reference.

Is it supposed to work by updating the DISABLE and ENABLE provisioning policies only? It is not working for me.

You can use Before Provisioning as I described above, because policies other than the Create Account policy generally do not work as expected.


Is the account being disabled and enabled with LCS changes?

We configure the Active Directory connector's provisioning usage types so that during a Disable operation SailPoint sets the AC_NewParent attribute to the Disabled OU DN, and during an Enable operation it sets AC_NewParent to the normal Users OU DN. Since lifecycle events already drive the Disable and Enable actions, this ensures accounts are moved to the Disabled OU on termination and moved back to the standard OU on rehire.
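For reference, here is an added example (not code from this thread, and not SailPoint's own Services Standard rule) of the Option 1 logic as a minimal BeforeProvisioning rule body in BeanShell: it inspects the plan's AD account requests and adds an AC_NewParent Set on Disable and Enable. The source name "Active Directory", the two OU DNs, and the rule's `plan` input are assumptions you would replace with your tenant's values.

```java
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Placeholder values (assumed): replace with the tenant's real source name and OU DNs.
String AD_SOURCE   = "Active Directory";
String DISABLED_OU = "OU=Disabled,DC=domain,DC=com";
String USERS_OU    = "OU=Users,DC=domain,DC=com";

// `plan` is the ProvisioningPlan the BeforeProvisioning rule receives as input.
if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest ar : plan.getAccountRequests()) {
        // Only touch requests aimed at the AD source; leave every other source's plan untouched.
        if (!AD_SOURCE.equals(ar.getApplicationName())) {
            continue;
        }

        // Pick the target container from the operation lifecycle events already drive.
        String targetOu = null;
        if (AccountRequest.Operation.Disable.equals(ar.getOperation())) {
            targetOu = DISABLED_OU;   // termination: park the object in the Disabled OU
        } else if (AccountRequest.Operation.Enable.equals(ar.getOperation())) {
            targetOu = USERS_OU;      // rehire: move it back to the standard Users OU
        }

        // Add the move only once, so a provisioning policy or earlier rule that already
        // set AC_NewParent is not overridden.
        if (targetOu != null && ar.getAttributeRequest("AC_NewParent") == null) {
            ar.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, targetOu));
        }
    }
}
```

The rule is cloud-executed, so it still has to be deployed by SailPoint support or PS as the earlier replies note; test it on a non-production identity first and check the provisioning event shows the AC_NewParent change before relying on it for terminations.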