ActiveDirectoryConnector: Rename of naming account attributes (cn, dn, name) for Service Accounts

New Contributor III

We have investigated the following issue. The account naming attributes (cn, dn, name) for service accounts are not updated on update.
The assumption was that this is handled via the ACCOUNTNAMERULE, but it seems like this is not the case for service accounts.
We were able to get a substring of the dn updated, which was realized with "moveUsertoOU", but this is not possible for cn, name, and the remaining part of the dn.

How is the rename of AD accounts handled via the AD Connector?


Saviynt Employee

You should be able to use ACCOUNTNAMERULE to modify when the OU is moved. The parameter is evaluated while creating an account and on update of any attribute driving the name rule and OU movements for an account.

You can specify the rules to generate the DN for the account for provisioning, separated by ###.

You can refer to the guide below for the same (section: Specifying the Account Name Rule).



New Contributor III

Hi Sahil,
that was also our assumption, but in fact, this is not the case for service accounts. Find below the current account name rule: 
${'CN=FS_'+ locationcode +' '+ givenName +' (' + task.accountName + '),' + accountpath}

To add a little info on that, all the mentioned dynamic attributes in the account name rule can be updated on modify, besides (of course) the accountName.

Nevertheless, the outcome in AD looks like the following:



Can you please share the updateaccountJSON?


New Contributor III

Hi @sk @sahil ,
any additional information since? It looks like we are facing the same for the personal accounts. So currently the rename of the mentioned attributes is not working via the ACCOUNTNAMERULE.

Example use case:
Marriage - If an employee does change his name, the lastname should get updated in all target applications, which is the case in AD for displayname and surname. But additionally the lastname is also visible in the attributes name, dn and cn. Those attributes are not getting updated and reflect the old name.

Is there another way to rename the account besides the ACCOUNTNAMERULE or do we need to raise a bug ticket?

Version: 23.4

New Contributor III

updateaccountJSON for one of the endpoints. We are facing the same issues on others:

"moveUsertoOU": "${accountpath}",
"employeeID": "${task?.accountName}",
"givenName": "${givenName}",
"sn": "${'FS_' + locationcode}",
"displayName": "${'FS_' + locationcode+ ', ' + givenName+ ' (' +task?.accountName+ ')'}",
"company": "Company",
"department": "${department}",
"co": "${country}",
"l": "${city}",
"postalCode": "${postalCode}",
"streetAddress": "${street}",
"description": "Shared Account",
"global-ExtensionAttribute2": "${costCenter}",
"global-ExtensionAttribute12": "${locationnumber.substring(0,4)}",
"accountExpires": "0"

Setting the attributes name, cn is not possible and gives an LDAP error. Already tried that out.


New Contributor III

Found a solution after a discussion via Freshdesk tickets.

Seems like it is now possible to update the cn directly via the updateaccountJSON.
So just include the cn in it and all the naming attributes will be renamed (name, dn, cn).
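
An added example, not part of the original thread and not Saviynt code: in Active Directory the cn is the object's RDN, so changing it is a rename (LDAP ModifyDN) that also changes name and dn. The sketch below audits accounts for naming drift by rebuilding the CN from the rule quoted in the thread and reporting the rename each stale account would need; the function names and the sample records are assumptions constructed for illustration.

```python
# Added example; attribute names follow the thread, sample records are constructed.

def expected_cn(acct):
    """CN produced by the naming rule quoted in the thread."""
    return f"FS_{acct['locationcode']} {acct['givenName']} ({acct['accountName']})"

def escape_rdn_value(value):
    """Escape a value for use inside a DN (RFC 4514 special characters)."""
    body = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if body[:1] in ("#", " "):
        body = "\\" + body
    if len(value) > 1 and value.endswith(" "):
        body = body[:-1] + "\\ "
    return body

def split_dn(dn):
    """Split a DN into (first RDN, parent DN) at the first unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
        elif dn[i] == ",":
            return dn[:i], dn[i + 1:]
        else:
            i += 1
    return dn, ""

def plan_rename(acct):
    """Return None when the DN already matches the rule, else the rename to request."""
    rdn, parent = split_dn(acct["dn"])
    new_rdn = "CN=" + escape_rdn_value(expected_cn(acct))
    moved = parent.lower() != acct["accountpath"].lower()
    if rdn == new_rdn and not moved:
        return None
    return {"dn": acct["dn"], "new_rdn": new_rdn,
            "new_superior": acct["accountpath"] if moved else None}

SAMPLE_ACCOUNTS = [  # constructed records, not taken from the thread
    {"dn": "CN=FS_1001 Frontdesk (svc001),OU=Shared,DC=example,DC=com",
     "locationcode": "1001", "givenName": "Reception", "accountName": "svc001",
     "accountpath": "OU=Shared,DC=example,DC=com"},
    {"dn": "CN=FS_1001 Kiosk (svc002),OU=Shared,DC=example,DC=com",
     "locationcode": "1001", "givenName": "Kiosk", "accountName": "svc002",
     "accountpath": "OU=Shared,DC=example,DC=com"},
    {"dn": "CN=FS_2002 Lab (svc003),OU=Shared,DC=example,DC=com",
     "locationcode": "2002", "givenName": "Lab, East", "accountName": "svc003",
     "accountpath": "OU=Labs,DC=example,DC=com"},
]

if __name__ == "__main__":
    for account in SAMPLE_ACCOUNTS:
        print(account["accountName"], plan_rename(account))
```

A `None` result means the account's DN already matches the rule; a non-empty `new_superior` means the rename also moves the object to another OU.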