Move OUs across different domains within a multi-domain forest in Active Directory

We have a single forest with 10 domains, and we have configured one source in Identity Security Cloud (ISC) in line with SailPoint’s best practices.

We have a requirement to move objects between OUs — both within the same domain and across different domains. The AC_NewParent operation works correctly for OU movements within the same domain. However, when attempting to move objects to an OU in another domain, the operation fails. It appears that AC_NewParent does not support cross-domain moves.

We are exploring potential approaches to address this requirement, such as:

  1. Disabling the old account and creating a new account in the target domain in a BP rule.
  2. Using rules or scripts (e.g., PowerShell, connector-after rules, or other custom logic) to automate the process.

We are looking for guidance or recommended options to implement this functionality effectively.
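As an added illustration of the scripted approach (this is example code, not the poster's or SailPoint's), the following PowerShell function performs the cross-domain move with Move-ADObject and verifies the result. It assumes the RSAT ActiveDirectory module, a service account that may delete the object in the source domain and create it in the target domain, and placeholder domain, OU and account names.

```powershell
# Added example: cross-domain move of a user object with Move-ADObject.
# Assumes the RSAT ActiveDirectory module and an account permitted to remove
# the object from the source domain and create it in the target domain.
# Domain, OU and sAMAccountName values are placeholders.
Import-Module ActiveDirectory

function Move-AdAccountCrossDomain {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $SourceDomain,   # e.g. 'emea.corp.example'
        [Parameter(Mandatory)] [string] $TargetDomain,   # e.g. 'apac.corp.example'
        [Parameter(Mandatory)] [string] $TargetOU        # DN of the destination OU
    )

    # Cross-domain moves must be issued against the RID master of the source domain.
    $ridMaster = (Get-ADDomain -Identity $SourceDomain).RIDMaster
    # Any writable DC in the target domain can receive the object.
    $targetDc = (Get-ADDomainController -DomainName $TargetDomain -Discover -Writable).HostName[0]

    # Fails with a clear error if the account does not exist in the source domain.
    $user = Get-ADUser -Identity $SamAccountName -Server $ridMaster -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $TargetOU via $targetDc")) {
        Move-ADObject -Identity $user.DistinguishedName `
                      -TargetPath $TargetOU `
                      -Server $ridMaster `
                      -TargetServer $targetDc

        # The object receives a new SID in the target domain (the old one lands in
        # sIDHistory), so verify by sAMAccountName rather than by objectSid.
        $moved = Get-ADUser -Identity $SamAccountName -Server $targetDc -ErrorAction Stop
        if ($moved.DistinguishedName -notlike "*,$TargetOU") {
            throw "Move reported success but '$SamAccountName' was not found under $TargetOU"
        }
        return $moved
    }
}

# Usage with placeholder values; drop -WhatIf to perform the move:
# Move-AdAccountCrossDomain -SamAccountName 'jdoe' -SourceDomain 'emea.corp.example' `
#     -TargetDomain 'apac.corp.example' -TargetOU 'OU=Users,DC=apac,DC=corp,DC=example' -WhatIf
```

Because the SID changes, any group memberships or ACLs in the source domain that reference the old SID should be reviewed after the move.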

@bharat_g

You can utilise SailPoint ISC Workflows and move the OUs based on your logic.

Thanks

Hi @bharat_g ,

To successfully implement cross-domain moves, you must use a Before Provisioning Rule within SailPoint and ensure the connector’s service account has the necessary cross-domain permission.

Refer to the attached link FYI: How to move AD Account to cross domain?
