Move OU based on the LCS

We have a requirement: when the user is inactive (this LCS is based on the cloud LCS transform), move to disable, and when you set legal hold (this LCS is always set manually), move to the legal hold OU.

Is there a way to do it using a transform?

Thanks.

Check out the standard before provisioning rule. This rule gives options to move a user based on LCS or an identity attribute.

  1. Use any account attribute to update a value during an LCS change, for example the description attribute to update the account moved to LegalHold.
  2. In the AD modify provisioning plan, you can use AC_NewParent to define the LitHold OU based on the LCS value by referring to the LCS identity attribute. Below is an example of an AC_NewParent plan.
{
    "name": "AC_NewParent",
    "transform": {
        "attributes": {
            "input": {
                "attributes": {
                    "name": "cloudLifecycleState"
                },
                "type": "identityAttribute"
            },
            "table": {
                "litHold": "OU=LegalHold,OU=Terminated Users,DC=abc,DC=com",
                "default": "OU=Disabled Users,OU=Terminated Users,DC=abc,DC=com"
            }
        },
        "type": "lookup"
    },
    "attributes": {
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

I am getting the below error message when I try to move to the legal hold OU. But for the disabled OU, it is working fine.

Failed to update attribute AC_NewParent Error - Failed to connect to the server for OU=xxxxx,OU=XXXUsers,DC=xyz,DC=com:The specified directory service attribute or value does not exist. The specified directory service attribute or value does not exist. . HRESULT:[0x8007200A]

Check whether the DN is valid (check the existence of each OU and the CN). You can also check the other attributes which you are provisioning as part of the plan; they may be violating the AD attribute constraints. Also, you can check whether the service account has the required permissions to perform CRUD operations on the OU.
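The check suggested above can be run before provisioning. The following is an added example, not part of any reply in this thread and not SailPoint code: it resolves the target OU from the AC_NewParent lookup table posted earlier and walks each DN from the domain root down to find the first container that does not exist. The `EXISTING` set is a constructed stand-in for an export of container DNs from the directory, the function names are hypothetical, and the exact-match-then-`default` lookup behaviour is an assumption.

```python
import json
import re

# AC_NewParent plan attribute; table values copied from the thread.
PLAN = json.loads("""
{"name": "AC_NewParent",
 "transform": {"type": "lookup", "attributes": {
   "input": {"type": "identityAttribute",
             "attributes": {"name": "cloudLifecycleState"}},
   "table": {
     "litHold": "OU=LegalHold,OU=Terminated Users,DC=abc,DC=com",
     "default": "OU=Disabled Users,OU=Terminated Users,DC=abc,DC=com"}}}}
""")

# Constructed sample: container DNs as exported from the directory.
# OU=LegalHold is deliberately absent to model a missing target OU.
EXISTING = {
    "DC=abc,DC=com",
    "OU=Terminated Users,DC=abc,DC=com",
    "OU=Disabled Users,OU=Terminated Users,DC=abc,DC=com",
}

def target_ou(plan, lcs):
    """Assumed lookup behaviour: exact key match, else the "default" entry."""
    table = plan["transform"]["attributes"]["table"]
    return table.get(lcs, table.get("default"))

def first_missing(dn, existing):
    """Walk from the domain root towards the leaf; return the first
    container DN that is not in `existing`, or None if all are present."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]  # unescaped commas
    known = {e.lower() for e in existing}
    # Index of the first DC= component; everything from there is the domain.
    root = next((i for i, r in enumerate(rdns) if r.upper().startswith("DC=")),
                len(rdns) - 1)
    for i in range(root, -1, -1):
        candidate = ",".join(rdns[i:])
        if candidate.lower() not in known:
            return candidate
    return None

def preflight(plan, states, existing):
    """Map each lifecycle state to (target DN, first missing container)."""
    return {s: (target_ou(plan, s), first_missing(target_ou(plan, s), existing))
            for s in states}

if __name__ == "__main__":
    for state, (dn, missing) in preflight(PLAN, ["inactive", "litHold"], EXISTING).items():
        print(f"{state}: {dn} -> {'OK' if missing is None else 'missing ' + missing}")
```
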

Can you share a sample of this? We have a similar kind of requirement.

Example:

[
    {
        "op": "add",
        "path": "/connectorAttributes/cloudServicesIDNSetup",
        "value": {
            "eventConfigurations": [
                {
                    "eventActions": [
                        {
                            "Action": "ADMoveAccount",
                            "Attribute": "AC_NewParent",
                            "Value": "OU=Disabled,OU=Users,OU=pa-rshwarts,OU=training,DC=testing,DC=com"
                        },
                        {
                            "Action": "ScramblePassword",
                            "Attribute": "password",
                            "Value": null
                        },
                        {
                            "Action": "RemoveADEntitlements",
                            "Attribute": "memberOf",
                            "Value": "CN=Domain Users,CN=Users,DC=testing,DC=com"
                        }
                    ],
                    "Identity Attribute Triggers": [
                        {
                            "Attribute": "cloudLifecycleState",
                            "Value": "inactive",
                            "Operation": "eq"
                        }
                    ],
                    "Operation": "Disable"
                }
            ]
        }
    }
]