Hello,
We would like to consult on an issue we're experiencing with Active Directory group references in Account Templates.
Scenario: As part of regular operations, our security team moves Active Directory groups from one Organizational Unit (OU) to another. When this happens, the Account Templates that reference those groups are not updated to reflect the new OU path.
Observed Behavior:
- After a group is moved to a new OU in AD, running an Explore & Correlate successfully detects the group's new location.
- However, the Account Template continues to reference the group's previous OU path (the old Distinguished Name).
- As a result, any provisioning operation that relies on that Account Template fails with an error indicating the group does not exist.
Questions:
- Is there a built-in process or mechanism in Identity Manager that can automatically update group references in Account Templates when a group is moved to a different OU in Active Directory?
- Can the Active Directory group move operation be performed directly from within Identity Manager? If so, what is the recommended approach?
We appreciate any guidance on how to handle this scenario.