Move OU based on the LCS

gayare · April 23, 2025, 10:28pm

We have a requirement when the user is inactive (this LCS is based on cloud LCS transform). Move to disable and when you set legal hold (this LCS is set manually always), move to the legal hold OU.

Is there a way to do it using a transform?

Thanks.

vishal_kejriwal1 · April 24, 2025, 2:32am

Check out standard before provisioning rule . This rule give options to move user based on LCS or identity attribute .

suresh4iam · April 24, 2025, 11:42am

Use any account attribute to update a value during LCS change, for example the description attribute to update the account moved to LegalHold
In AD modify provisioning plan, you can use AC_NewParent to define the LitHold OU based on LCS value by referring the LCS identity attribute. Below is an example of AC_Newparent plan.

{
    "name": "AC_NewParent",
    "transform": {
        "attributes": {
            "input": {
                "attributes": {
                    "name": "cloudLifecycleState"
                },
                "type": "identityAttribute"
            },
            "table": {
                "litHold": "OU=LegalHold,OU=Terminated Users,DC=abc,DC=com",
                "default": "OU=Disabled Users,OU=Terminated Users,DC=abc,DC=com"
            }
        },
        "type": "lookup"
    },
    "attributes": {
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

gayare · April 24, 2025, 7:37pm

I am getting the below error message when I try to move the legal hold OU. But disabling OU, it is working fine.

Failed to update attribute AC_NewParent Error - Failed to connect to the server for OU=xxxxx,OU=XXXUsers,DC=xyz,DC=com:The specified directory service attribute or value does not exist. The specified directory service attribute or value does not exist. . HRESULT:[0x8007200A]

suresh4iam · April 24, 2025, 8:32pm

Check whether the DN is valid (check the existence of each OU and the CN). You can also check other attributes which you are provisioning as part of the plan, it may violating the AD attribute contraints. Also you can check whether the service account have required permissions to perform CRUD operations on the OU.

dgandhi · April 24, 2025, 10:13pm

Can you share sample of this? We have similar kind of requirement.

vishal_kejriwal1 · April 25, 2025, 12:41am

example :

[
 {
 "op": "add",
 "path": "/connectorAttributes/cloudServicesIDNSetup",
 "value": {
 "eventConfigurations": [
 {
 "eventActions": [
 {
 "Action": "ADMoveAccount",
 "Attribute": "AC_NewParent",
 "Value": "OU=Disabled,OU=Users,OU=pa-rshwarts,OU=training,DC=testing,DC=com"
 },
 {
 "Action": "ScramblePassword",
 "Attribute": "password",
 "Value": null
 }, {
 "Action": "RemoveADEntitlements",
 "Attribute": "memberOf",
 "Value": "CN=Domain Users,CN=Users,DC=testing,DC=com"
 }
 ],
 "Identity Attribute Triggers": [
 {
 "Attribute": "cloudLifecycleState",
 "Value": "inactive",
 "Operation": "eq"
 }
 ],
 "Operation": "Disable"
 }
 ]
 }
 }
 ]

system · June 24, 2025, 12:42am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
AD account moves for Disabled Accounts ISC Discussion and Questions	6	4689	July 19, 2023
AD before provisioning rule to move OU on disable ISC Discussion and Questions identity-security-cloud	1	1376	July 19, 2023
Move OU after few days of identity disable IdentityNow ISC Discussion and Questions identity-security-cloud	4	1373	July 19, 2023
Leavers OU movement in lapsed LCS state ISC Discussion and Questions identity-security-cloud , provisioning	2	260	January 1, 2024
AC_New Parent when the LCS moves to EmailHold, LOA or Terminated for regular and admin accounts ISC Discussion and Questions identity-security-cloud	6	95	May 9, 2025

Move OU based on the LCS

Related topics