AD Password Change Process - Do not allow password change for certain accounts from specific OUs


Hello Everyone,

Per standard process, we have reverse password configured in SailPoint, and this process is working fine: password changes are picked up by the Domain Controller, sent back to SailPoint via the Password Interceptor, and synced to downstream applications. No issues.

The real pain is if a user has 2 AD accounts. For example, any user can have one normal account and another could be a privileged account. So if the same user (normal AD account user) is changing the password, we don’t want to change the password for the privileged account.

Any Idea how this could be done?

Do you have the personal privileged accounts in a separate AD source? If so, it seems you could just exclude that source from the sync group.

Both normal and privileged accounts are on the same AD source.

I would recommend as a best practice having separate AD sources for normal and privileged user accounts - not just for this use case, but for others as well, such as onboarding, provisioning, and other lifecycle management functions of elevated accounts.

Thanks. Having a separate AD source will solve this puzzle, but we don’t want to create a separate source. Any other potential solution?

Hi @singlde. To back up what @mcheek said: 2 sources is best practice for this (and, as Mark says, many other) use cases.

Mark is correct. Why do you not want another source?
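The thread's recommended answer is a second AD source, which SailPoint can then exclude from the password sync group. For readers who cannot split the source, the filtering the original poster asks about ("certain accounts from specific OUs") comes down to one check: before a password change is propagated to a user's other accounts, drop every account whose distinguished name sits under a privileged OU. The example below is an added illustration, not code from the forum, from SailPoint, or from any SailPoint rule hook; the OU names, account DNs and the `accounts_in_sync_scope` function are constructed for the example. It shows the DN-suffix comparison done properly (case-insensitive, RDN by RDN, with backslash-escaped commas preserved) rather than as a naive substring match, which is the part that is easy to get wrong.

```python
# Added example: keep privileged-OU accounts out of a password sync scope.
# All OU names and account DNs below are constructed for illustration.

# Constructed list of OUs whose accounts must never receive a synced password.
EXCLUDED_OUS = [
    "OU=Privileged Accounts,DC=example,DC=com",
    "OU=Tier0,OU=Admin,DC=example,DC=com",
]


def split_dn(dn):
    """Split an LDAP DN into its RDN strings.

    A backslash escapes the next character, so "CN=Smith\\, John" stays one RDN
    instead of being cut at the embedded comma.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def normalise_rdn(rdn):
    """Lower-case attribute type and value so comparisons ignore AD's case folding."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def dn_is_under(dn, base_dn):
    """True when dn is a strict descendant of base_dn (the base itself is not 'under' itself)."""
    d = [normalise_rdn(r) for r in split_dn(dn)]
    b = [normalise_rdn(r) for r in split_dn(base_dn)]
    # RDNs run from leaf to root, so a descendant ends with the base's RDNs.
    return len(d) > len(b) and d[-len(b):] == b


def accounts_in_sync_scope(accounts, excluded_ous=EXCLUDED_OUS):
    """Return the accounts that may receive the synced password.

    accounts: list of dicts with at least a "dn" key (one identity's AD accounts).
    Any account located under an excluded OU is left out of the result.
    """
    return [
        acct for acct in accounts
        if not any(dn_is_under(acct["dn"], ou) for ou in excluded_ous)
    ]


if __name__ == "__main__":
    # Constructed identity holding one normal and one privileged AD account.
    identity_accounts = [
        {"name": "jsmith", "dn": "CN=jsmith,OU=Users,DC=example,DC=com"},
        {"name": "jsmith-adm", "dn": "CN=jsmith-adm,OU=Privileged Accounts,DC=example,DC=com"},
    ]
    for acct in accounts_in_sync_scope(identity_accounts):
        print("sync password to:", acct["name"])
```

Whatever mechanism actually carries the password (an IdentityIQ rule, an IdentityNow workflow, or a custom connector) would call `accounts_in_sync_scope` with the identity's AD accounts and only push the new password to what comes back; the privileged account keeps its own, separately managed credential. Note that `dn_is_under` compares whole RDNs, so an OU named "Privileged Accounts Archive" is not mistaken for "Privileged Accounts", which a plain substring test would get wrong.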