Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

AD Account re-use while disabling and re-enabling

Regular Contributor
Regular Contributor

We have a query regarding the Active Directory account lifecycle for cases where accounts are moved to a different OU and then re-enabled.

Suppose the below example [Firstname Lastname (Saviynt Username)]

IF user Vikram Rathod(123) has existing AD account, his DN based on ACCOUNTNAMERULE will be 

CN=Vikram Rathod,OU=CountryName,OU=AD Dept,OU=Saviynt,DC=AD,DC=CompanyName

Now this user resigned and his account got inactive, and due to logic set in our REMOVEACCOUNTJSON, he will be moved to disabled OU, so his new DN will be

CN=Vikram Rathod,OU=Disabled,OU=AD Dept,OU=Saviynt,DC=AD,DC=CompanyName

Now a new user with same name and same country location has joined company, Vikram Rathod (456), his new AD account will not use the inactive account (because of REUSEINACTIVEACCOUNT set to FALSE), and will try to create a new DN based on next naming rules, but since the existing Vikram(123)'s account is moved to different OU, his DN (based on the 1st rule of accountnamerule) can be used now..

So the new user Vikram Rathod (456) will get AD account with DN as

CN=Vikram Rathod,OU=CountryName,OU=AD Dept,OU=Saviynt,DC=AD,DC=CompanyName

Now the issue is when the old Vikram joins the company back, his enable account task is created, but the DN that he originally had, is already assigned to a new user.

When I tried enabling the account, got this error

SAV-Error while enabling account,[LDAP: error code 68 - 00002071: UpdErr: DSID-031B0BE2, problem 6005 (ENTRY_EXISTS), data 0 ]

We want suggestions to avoid this case.

P.S: I understand that having a unique identifier in the DN accountNameRule like username will solve this issue, but at the moment we are not at the liberty to modify naming rules to this extent.

We tried using CHECKFORUNIQUE so that the CN part of DN remains unique

cn: ${user.firstname} ${user.lastname}###${user.firstname} ${user.lastname.substring(0,1)}###${user.firstname} ${user.lastname.substring(0,2)}

But this did not work.

Also in the above example, if the 2nd Vikram also resigned before the 1st Vikram rejoins, then there is no error in disablement. The 2nd Vikram is also assigned this DN

CN=Vikram Rathod,OU=Disabled,OU=AD Dept,OU=Saviynt,DC=AD,DC=CompanyName

But this causes issues in AD. The old Vikram's disabled account's DN is appended with some value and for some odd reason, its status is changed to active

Old Vikram's DN becomes

CN=Vikram Rathod\0ACNF:b72d-39cc56be8,OU=Disabled,OU=AD Dept,OU=Saviynt,DC=AD,DC=CompanyName

Thanks & Regards,
Haardik Verma

Saviynt Employee
Saviynt Employee

For reconciliation use the GUID instead of the accountname (CN Name). GUID is always unique irrespective of your CN / DN Name. This way there should not be an overlaps / duplicates etc.

Hi @mbinsale ,

but the accounts created already have CN based on firstname/lastname, which are not unique. How would reconciliation solve this issue? Can you please elaborate.

Thanks & Regards,
Haardik Verma