Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AD Account re-use while disabling and re-enabling

haardik_verma
Regular Contributor
Regular Contributor

‎06/06/2023 02:35 AM

We have a query regarding the Active Directory account lifecycle for cases where accounts are moved to a different OU and then re-enabled.

Suppose the below example [Firstname Lastname (Saviynt Username)]

IF user Vikram Rathod(123) has existing AD account, his DN based on ACCOUNTNAMERULE will be 

CN=Vikram Rathod,OU=CountryName,OU=AD Dept,OU=Saviynt,DC=AD,DC=CompanyName

Now this user resigned and his account got inactive, and due to logic set in our REMOVEACCOUNTJSON, he will be moved to disabled OU, so his new DN will be

CN=Vikram Rathod,OU=Disabled,OU=AD Dept,OU=Saviynt,DC=AD,DC=CompanyName

Now a new user with same name and same country location has joined company, Vikram Rathod (456), his new AD account will not use the inactive account (because of REUSEINACTIVEACCOUNT set to FALSE), and will try to create a new DN based on next naming rules, but since the existing Vikram(123)'s account is moved to different OU, his DN (based on the 1st rule of accountnamerule) can be used now..

So the new user Vikram Rathod (456) will get AD account with DN as

CN=Vikram Rathod,OU=CountryName,OU=AD Dept,OU=Saviynt,DC=AD,DC=CompanyName

Now the issue is when the old Vikram joins the company back, his enable account task is created, but the DN that he originally had, is already assigned to a new user.

When I tried enabling the account, got this error

SAV-Error while enabling account,[LDAP: error code 68 - 00002071: UpdErr: DSID-031B0BE2, problem 6005 (ENTRY_EXISTS), data 0 ]

We want suggestions to avoid this case.

P.S: I understand that having a unique identifier in the DN accountNameRule like username will solve this issue, but at the moment we are not at the liberty to modify naming rules to this extent.

We tried using CHECKFORUNIQUE so that the CN part of DN remains unique

{
cn: ${user.firstname} ${user.lastname}###${user.firstname} ${user.lastname.substring(0,1)}###${user.firstname} ${user.lastname.substring(0,2)}
}

But this did not work.

Also in the above example, if the 2nd Vikram also resigned before the 1st Vikram rejoins, then there is no error in disablement. The 2nd Vikram is also assigned this DN

CN=Vikram Rathod,OU=Disabled,OU=AD Dept,OU=Saviynt,DC=AD,DC=CompanyName

But this causes issues in AD. The old Vikram's disabled account's DN is appended with some value and for some odd reason, its status is changed to active

Old Vikram's DN becomes

CN=Vikram Rathod\0ACNF:b72d-39cc56be8,OU=Disabled,OU=AD Dept,OU=Saviynt,DC=AD,DC=CompanyName


Thanks & Regards,
Haardik Verma
Labels:
0 Kudos
2 REPLIES 2

mbinsale
Saviynt Employee
Saviynt Employee

‎06/09/2023 01:01 PM

For reconciliation use the GUID instead of the accountname (CN Name). GUID is always unique irrespective of your CN / DN Name. This way there should not be an overlaps / duplicates etc.

0 Kudos

haardik_verma
Regular Contributor
Regular Contributor
In response to mbinsale

‎06/11/2023 07:10 PM

Hi @mbinsale ,

but the accounts created already have CN based on firstname/lastname, which are not unique. How would reconciliation solve this issue? Can you please elaborate.


Thanks & Regards,
Haardik Verma
0 Kudos
Copyright © 2024 Khoros, LLC