How does AD know whether the account belongs to an SA account?

How does AD know whether the account belongs to an SA account or a regular account when we submit a request?

Is there a setting in AD that needs to be configured?

Thanks in advance

Hi @rishavghoshacc, actually AD doesn’t “know” anything about SA vs regular accounts, and there’s no special AD flag or setting for that…

But in IIQ you can do this tagging, and if you want to push that back to AD, you can do that…

These screenshots are an example from the account mapping (for the tagging).

Please don’t hesitate to let me know if you still need any further clarifications or in case you have a specific scenario.

Hi @rishavghoshacc,

We need to distinguish between these accounts based on:

Naming Convention (sAMAccountName or CN) - *it’s an industry best practice

Organizations typically use prefixes, such as svc-, for service accounts to easily identify them.


Distinguished Name (DN)

Accounts can also be distinguished based on their location in the directory structure, which is reflected in the DN. For example, accounts in OU=Service Accounts,DC=domain,DC=com vs OU=Users,DC=domain,DC=com.


Description Field

As a best practice, the Description field should contain information regarding the purpose of the service account.

AD admins should follow these industry best practices when they create service accounts, which will be the key information for the IAM systems.

If the service account is created/managed by the IAM system, then we need to follow the above-mentioned best practices to distinguish them clearly from normal/regular accounts.
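
The signals listed in the answer above (name prefix, OU in the DN, Description) combined into one check, as an added example that is not part of the original thread and not SailPoint code. The account records, the `review` verdict for accounts where the two signals disagree, and the function names are assumptions made for illustration.

```python
import re

# Assumed conventions: the svc- prefix and the "Service Accounts" OU are the
# thread's examples; adjust both to match your directory.
SVC_PREFIXES = ("svc-",)
SVC_OUS = {"service accounts"}

def split_dn(dn):
    """Split a DN into (ATTR, value) pairs, honouring backslash escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            hx = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hx):   # \2C style hex escape
                buf.append(chr(int(hx, 16))); i += 3
            else:                                      # \, style escape
                buf.append(dn[i + 1]); i += 2
            continue
        if dn[i] == ",":                               # unescaped comma ends an RDN
            rdns.append("".join(buf)); buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    return [(a.strip().upper(), v.strip()) for a, _, v in (r.partition("=") for r in rdns)]

def classify(acct):
    """Return (verdict, signals) for a dict of AD attributes."""
    signals = []
    if acct.get("sAMAccountName", "").lower().startswith(SVC_PREFIXES):
        signals.append("name")
    if any(a == "OU" and v.lower() in SVC_OUS
           for a, v in split_dn(acct.get("distinguishedName", ""))):
        signals.append("ou")
    # Both signals agree -> service; neither -> regular; one only -> convention drift.
    verdict = {0: "regular", 1: "review", 2: "service"}[len(signals)]
    if verdict != "regular" and not acct.get("description", "").strip():
        signals.append("missing-description")
    return verdict, signals

# Constructed sample records (not real accounts).
ACCOUNTS = [
    {"sAMAccountName": "svc-backup", "description": "Nightly backup job",
     "distinguishedName": "CN=svc-backup,OU=Service Accounts,DC=domain,DC=com"},
    {"sAMAccountName": "jsmith", "description": "",
     "distinguishedName": r"CN=Smith\, John,OU=Users,DC=domain,DC=com"},
    {"sAMAccountName": "svc-report", "description": "",
     "distinguishedName": "CN=svc-report,OU=Users,DC=domain,DC=com"},
    {"sAMAccountName": "legacyapp", "description": "",
     "distinguishedName": r"CN=App\,OU=Service Accounts,OU=Users,DC=domain,DC=com"},
]
```

The last record shows why the DN is parsed rather than substring-matched: the escaped comma keeps `OU=Service Accounts` inside the CN value, so the account is still classified by its real OU.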
