Generate unique sAMAccountName even after deletion in AD

sjoyee · November 2, 2023, 6:43am

Hi all, we have a requirement where the old sAMAccountName should not be used again even after the deletion of this old account in the AD system itself.

Basically we are having similar use case as discussed in the post below, but one issue is that we do not have the sAMAccountName stored in the HR source.

For example,
User A: dummyuser
User B: dummyuser1
User C: dummyuser2

So, before User D is onboarded, User B is offboarded and disabled in IDN, and will be deleted in the AD target system after 30 days.

After 30 days, User D is onboarded. Instead of having the sAMAccountName “dummyuser1”, it should be “dummyuser3” instead.

We were thinking of updating the identity attribute for each user to store the sAMAccountName used when the account is disabled. So, we can check the sAMAccountName for all the deleted users and refrain from provisioning the old ID. However, we are not sure on the feasibility of this to work on IDN.

Appreciate any input on this. Thank you!

MVKR7T · November 2, 2023, 9:00am

If you are not going to delete identity then

Create an Identity attribute for SamAccountName, make it searchable, create first valid Transform for it.

If user has AD account, pull samAccountName from AD account
If not, pull samAccountName from identity attribute

In this way, it holds SamAccountName even after AD account got deleted.

Create an Account Profile Attribute Generator Rule with countIdentitiesBySearchableIdentityAttribute method.

Generate SamaccountName with whatever format you need, check for uniqueness using the mentioned method and increment accordingly.

mcheek · November 2, 2023, 12:08pm

We have a separate Delimited File (csv) source set up specifically to serve as an answer to the question “what are all the samaccountnames we have ever used?”, mainly because we don’t have identity records for every single account that’s ever existed.

In the create profile, we have a generator rule for samaccountname that checks against both AD and the CSV source for uniqueness, and increments the number after the samaccountname until it finds a unique one in both sources.

sjoyee · November 2, 2023, 11:58pm

Hi Krishna,

Thank you for the input!

To give an example for clearer understanding on what you are proposing,
Identity attribute: adid

Using the first valid operation on the attribute “adid”:

Read the account attribute sAMAccountName from the account source
Read the identity attribute itself “adid”

So, let’s say if the AD account got deleted, and was removed in IDN after aggregation, the transform script will help to read the second valid value, which is the identity attribute itself?

If I understand wrongly, can you assist to further clarify the statement “If not, pull samAccountName from identity attribute”, thank you very much!

sjoyee · November 3, 2023, 12:05am

Hi Mark, thanks for the input!

Can I know how do you read the sAMAccountName generated from the AD? Or is this CSV generated separately out of IDN and uploaded manually afterwards?

mcheek · November 3, 2023, 2:16am

We used a combination of the current samaccountnames in AD and combined it with records we had in a personnel database that went back further. Then uploaded that file for the source. In order to keep it up to date, we use the API to add the newly generated samaccountname to the csv source.

MVKR7T · November 3, 2023, 8:53am

This is what I meant.

{
  "attributes": {
    "values": [
      {
        "attributes": {
          "sourceName": "Active Directory",
          "attributeName": "sAMAccountName"
        },
        "type": "accountAttribute"
      },
      {
        "attributes": {
          "attributeName": "adid"
        },
        "type": "identityAttribute"
      },
      {
        "attributes": {
          "value": "none"
        },
        "type": "static"
      }
    ]
  },
  "type": "firstValid",
  "name": "SamAccountName First Valid Transform"
}

If you delete inactive identity after sometime then you need to follow what @mcheek has suggested with CSV approach.

ts_fpatterson · December 5, 2023, 12:05pm

If your HR source is scoped to not aggregate accounts after a certain amount of time, it will delete the Identity. So it is possible for prior login IDs to be used if the IDN Identity is removed.

There is a parameter that can be set on the source that will not delete the Identity.

system · February 3, 2024, 12:05pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Generating unique ID value to IDN ISC Discussion and Questions identity-security-cloud , provisioning	2	589	September 26, 2023
AD sAMAccountName Generator Rule ISC Discussion and Questions rules , identity-security-cloud , provisioning	7	116	November 1, 2024
Generate unique samaccountname for AD source ISC Discussion and Questions	2	1887	July 19, 2023
Custom Logic to generate sAMAccountName ISC Discussion and Questions rules , identity-security-cloud , sources	7	858	July 19, 2023
Active Directory Unique samAccountName ISC Discussion and Questions identity-security-cloud , provisioning	2	317	February 19, 2024

Generate unique sAMAccountName even after deletion in AD

Related topics