What is the best practice for choosing the Active Directory Account ID and Account Name, and where is that documented? Are there other good alternatives?
We have a new request from a client that is challenging to meet with our current Active Directory configuration in IdentityNow. The client has been moving their users in OUs manually as they change jobs. They wish to automate that and key it off of Role changes. Roles have no link to the provisioning policies, but we think we might get it to work with an AfterModify Connector rule that looks to the same identity attributes as the role membership matrix. I believe we would pass the AC_NewParent to the provisioning plan to make the change to the user’s OU.
We are concerned with what happens if a user is moved manually by an administrator. I did a manual test move of a user from one OU to another using Windows ADUC. On the account aggregation or refresh we got an error that the account could not be found. We have the DistinguishedName set as the Account ID. The Account Name is set for the sAMAccountName attribute. I think we had these set differently but SailPoint recommended the DistinguishedName for the Account ID.
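To make the failure mode above concrete, here is an added example (not code from the original post, from SailPoint, or from the IdentityNow connector) that simulates the correlation step after an OU move. It assumes a directory modelled as a dictionary of constructed sample users, an OU move that keeps the RDN and replaces the parent (the same value an `AC_NewParent` would carry), and `objectGUID` as the immutable alternative key; the GUID and DNs are constructed values. Lookup by `distinguishedName` fails after the move, which is the "account could not be found" symptom, while lookup by an attribute that does not change on a move still resolves.

```python
"""Simulation of account correlation keyed on a mutable vs. an immutable attribute.

Added example, not from the original post or from SailPoint. All directory
contents are constructed sample data; objectGUID is assumed here as the
immutable key to contrast with distinguishedName.
"""
from dataclasses import dataclass


@dataclass
class AdUser:
    object_guid: str          # assumed immutable for the lifetime of the object
    sam_account_name: str
    distinguished_name: str   # rewritten by the directory whenever the object moves


def split_dn(dn: str) -> tuple[str, str]:
    """Split a DN into (RDN, parent), honouring backslash-escaped commas.

    A naive dn.split(",") would break names such as 'CN=Doe\\, Jane,...'.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape and the escaped char
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts[0], ",".join(parts[1:])


def move_user(directory: dict, dn: str, new_parent: str) -> str:
    """Emulate an OU move (as ADUC or a provisioning plan would do it).

    The RDN is kept and the parent is replaced, so the DN, and therefore any
    account ID derived from it, changes.
    """
    user = directory.pop(dn)
    rdn, _old_parent = split_dn(dn)
    user.distinguished_name = f"{rdn},{new_parent}"
    directory[user.distinguished_name] = user
    return user.distinguished_name


def correlate(directory: dict, stored_account_id: str, key: str):
    """Find the account IdentityNow stored earlier, matching on attribute `key`."""
    for user in directory.values():
        if getattr(user, key) == stored_account_id:
            return user
    return None


def run_scenario() -> dict:
    """Aggregate once, move the user manually, then try to correlate again."""
    guid = "0f6b2c0a-5b1e-4d4e-9c3a-000000000001"          # constructed value
    old_dn = "CN=Doe\\, Jane,OU=Sales,DC=example,DC=com"   # constructed value
    directory = {old_dn: AdUser(guid, "jdoe", old_dn)}

    # What the identity system remembers from the last aggregation, per key choice
    stored_by_dn = old_dn
    stored_by_guid = guid

    # An administrator moves the user in ADUC; this is the new parent OU
    new_parent = "OU=Engineering,DC=example,DC=com"
    new_dn = move_user(directory, old_dn, new_parent)

    return {
        "new_dn": new_dn,
        "found_by_dn": correlate(directory, stored_by_dn, "distinguished_name") is not None,
        "found_by_guid": correlate(directory, stored_by_guid, "object_guid") is not None,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point of the escaped-comma handling in `split_dn` is that any rule composing a target DN from the RDN plus a new parent has to treat the RDN as an opaque, already-escaped string; splitting on bare commas would produce a malformed DN for display names containing commas.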