How to disable old AD and enable new AD in rehire scenario

Hi developers,

Currently, I have onboarded 2 sources of Active Directory in SailPoint IDN. Each is a different domain.

Some users move from AD source A to AD source B. In my current configuration, SailPoint will create a new AD account after the user moved to AD source B.

The current challenge I’m facing is with enabling/disabling the AD accounts. In the scenario above, the account in AD source A must be disabled after the user has moved to AD source B.

Currently:
Account in AD source A: Remains active
Account in AD source B: Becomes active

Expected outcome:
Account in AD source A: Must be disabled
Account in AD source B: Becomes active

Additionally, I don’t have workflow feature.

Can anyone suggest how I can achieve this?

If both domain controllers are in the same network, you might want to write an AfterCreate native rule that will trigger a PowerShell script to disable the account in AD.

Hi @jeev1
Greetings for the day!

As suggested by @iamnithesh, write an AfterCreate rule that triggers a PowerShell script, and add the code below to that script to disable the user.

# $requestObject is the provisioning request handed to the script by the AfterCreate rule;
# NativeIdentity holds the distinguished name of the account that was just created.
$nativeIdentity = $requestObject.NativeIdentity
# Look the account up on the domain controller of the domain whose account should be disabled
# (replace the placeholder with the DC's FQDN).
$User = Get-ADUser -Server 'FQDN of AD DC' -Filter "distinguishedName -eq '$nativeIdentity'" -Properties *
$sAMAccountName = $User.sAMAccountName
# Disable the matched account.
Disable-ADAccount -Identity $sAMAccountName

Let me know if it is working.
Thank you!

3 Likes
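As an added example (not code from the thread above), here is a fuller version of the script an IQService AfterCreate rule could call after SailPoint creates the account in AD source B. It assumes, as placeholders, the DC names and log path shown, that `$requestObject.NativeIdentity` carries the new account's DN as in the snippet above, that the rehired user keeps the same sAMAccountName in both domains, and that the IQService service account can read domain B and disable accounts in domain A.

```powershell
# Added example: disable the matching account in domain A once the account in domain B exists.
# Assumed/placeholder values are marked; adjust them for your environment.
Import-Module ActiveDirectory

$DomainBDc = 'dc01.domainB.example'   # placeholder: DC of the source the account was created in
$DomainADc = 'dc01.domainA.example'   # placeholder: DC of the source whose account must be disabled
$LogFile   = 'C:\SailPoint\Logs\AfterCreate-DisableOld.log'   # placeholder path

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function Disable-OldDomainAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$NewAccountDn,
        [Parameter(Mandatory)][string]$NewDomainServer,
        [Parameter(Mandatory)][string]$OldDomainServer
    )
    # Resolve the account SailPoint just created so we know which login name to look for.
    $new = Get-ADUser -Server $NewDomainServer -Identity $NewAccountDn -ErrorAction Stop
    # Match the old account by login name (assumption: it is the same in both domains).
    # Matching by DN would not work, because DNs differ between the two domains.
    $old = Get-ADUser -Server $OldDomainServer -Filter "sAMAccountName -eq '$($new.SamAccountName)'" -ErrorAction Stop
    if (-not $old) {
        Write-Log "No account named $($new.SamAccountName) found on $OldDomainServer; nothing to do."
        return
    }
    # Guard against misconfigured server names pointing both lookups at the same object.
    if ($old.ObjectGUID -eq $new.ObjectGUID) {
        throw "Old and new lookups returned the same object ($($new.DistinguishedName)); check server settings."
    }
    if (-not $old.Enabled) {
        Write-Log "$($old.DistinguishedName) is already disabled."
        return
    }
    if ($PSCmdlet.ShouldProcess($old.DistinguishedName, 'Disable-ADAccount')) {
        Disable-ADAccount -Server $OldDomainServer -Identity $old.DistinguishedName -ErrorAction Stop
        Write-Log "Disabled $($old.DistinguishedName) after creation of $NewAccountDn"
    }
}

try {
    Disable-OldDomainAccount -NewAccountDn $requestObject.NativeIdentity -NewDomainServer $DomainBDc -OldDomainServer $DomainADc
} catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    throw   # let IQService see the failure so the provisioning result records it
}
```

Run the function with `-WhatIf` from an interactive session first to confirm it resolves the intended account in domain A before letting the rule disable anything.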