Best options for Active Directory Account ID and Account Name

What is the best practice for choosing the Active Directory Account ID and Account Name, and where is that documented? Are there other good alternatives?

We have a new request from a client that is challenging to meet with our current Active Directory configuration in IdentityNow. The client has been moving their users in OUs manually as they change jobs. They wish to automate that and key it off of Role changes. Roles have no link to the provisioning policies, but we think we might get it to work with an AfterModify Connector rule that looks to the same identity attributes as the role membership matrix. I believe we would pass the AC_NewParent to the provisioning plan to make the change to the user’s OU.

We are concerned with what happens if a user is moved manually by an administrator. I did a manual test move of a user from one OU to another using Windows ADUC. On the account aggregation or refresh we got an error that the account could not be found. We have the DistinguishedName set as the Account ID. The Account Name is set for the sAMAccountName attribute. I think we had these set differently but SailPoint recommended the DistinguishedName for the Account ID.

The only way to get around it at the moment is to run a full source aggregation (I don’t believe delta works for this). Unfortunately SP also recommend not to change the Account ID to anything other than the DN.