Layer7 Identity Management


Issue in Moving AD Account to Different OU

  • 1.  Issue in Moving AD Account to Different OU

    Posted 06-11-2018 09:41 AM

    Hi

    We need to move AD accounts from the OU 'Users' to the OU 'ToBeDeleted' when their end date is reached.

    So I created a PX on ModifyUser which, based on a condition (end date), moves the account. (Right now I am not checking this condition; I am just triggering this on ModifyUser.)

    1. I am trying to get ADSAccountContainer using the config below (screenshots under Data).

    2. The user on which I am testing has one AD account. The Action is as below:

    (In the Action, I am using ADSAccountContainer, whose value we got from the Data Element.)

    3. The issue is, when this policy triggers, it gives an error creating the account identifier (the path mentioned in the error is correct for the AD account, so it found the user but is unable to create the AccountIdentifier).


    Data


  • 2.  Re: Issue in Moving AD Account to Different OU

    Posted 06-11-2018 10:10 AM

    You will need the complete path to the OU.



  • 3.  Re: Issue in Moving AD Account to Different OU

    Posted 06-11-2018 10:38 AM

    Hi

    I tried that too, but then it says unable to find account.

    In Account Identifier, I put

    "Internal AD DEV:Users,DEV-InternalAD,IAM-SANDBOX,Users,Specific,REPOSITORY,ethias,adms:P81979d"

    I put the above value as it is in the Account Identifier field (with inverted commas). Not sure whether the inverted commas need to be put or not,

    where 'Internal AD Dev' is the endpoint name and 'P81979d' is the account name.

    Regards

    Jaspreet



  • 4.  Re: Issue in Moving AD Account to Different OU

    Posted 06-15-2018 09:45 AM

    Based on the screenshots, in your Action the Account Identifier would just be {'AccountIterator'}.



  • 5.  Re: Issue in Moving AD Account to Different OU
    Best Answer

    Posted 06-15-2018 10:34 AM

    Hi Jaspreet,

    Yes, Ken is right.

    I see 2 faults.
    In the "AccountIterator" iterator data element, code the function as "Next Value" instead of "Next Object".
    In the action element, the account identifier should be {'AccountIterator'} instead of {'ADSAccountContainer'}.
    I successfully tested in my lab with a simple OU level, but not with a more complex branch, and just put my OU name into the new container field.

    Regards,

    Philippe.