
How to pass managerDN from different domain while AD account provisioning

Harish_Yara
New Contributor III

Hi Team,

Is there any way to pass the managerDN of a user from one domain to another domain while provisioning an account to Active Directory?

Example

Consider there are two domains: Domain1 -> abc.domain.one and Domain2 -> xyz.domain.two

The manager is present in abc.domain.one and his accountID (User DN) is

"Fname, Lname dc=abc, dc=domain, dc=one"

I am provisioning a user into domain2 xyz.domain.two and mapping the manager as "Fname, Lname" (Fname, Lname dc=abc, dc=domain, dc=one) from domain 1 abc.domain.one.

In CREATEACCOUNTJSON, the below syntax is used for the manager field:

"manager": "${managerAccount==null?'':managerAccount.accountID}"

After provisioning, the account is getting created in Active Directory, but the manager field in AD is empty. But the manager has to be mapped in Active Directory.

Please share your thoughts to fix this issue. @rushikeshvartak @uthra_rahul @arjungadgul

Thanks,

Harish

6 REPLIES

rushikeshvartak
All-Star

After provisioning, the account is getting created in Active Directory, but the manager field in AD is empty. But the manager has to be mapped in Active Directory.

Can you elaborate?

@rushikeshvartak - I am provisioning a user into domain2 xyz.domain.two and assigned a manager who is present in domain one "Fname, Lname" (Fname, Lname dc=abc, dc=domain, dc=one), and I used the below syntax to assign the manager:

"manager": "${managerAccount==null?'':managerAccount.accountID}"

But the manager is not getting assigned to the user.

Thanks,

Harish

Are existing users assigned similarly in situations like this?

Are you able to add in AD directly?

@rushikeshvartak - This is our new use case where a manager from one domain needs to be assigned to a user who is present in another domain.

This is not feasible per AD restrictions.

The manager attribute is a DN of the user from the same domain. It will not accept a DN from another domain. Can you validate if you can do this natively in AD?

Regards,
Avinash Chhetri
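
A pre-provisioning check along the lines of the restriction stated in the reply above, as an added example that is not part of the thread or of any product's code: it parses a manager DN, derives its domain from the DC components, and reports why the value would not be usable for an account in the target domain. The function names and the `CN=`/`OU=` sample DNs are constructed for illustration, and the same-domain rule is taken from the reply as an assumption.

```python
def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514 style)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def dn_domain(dn):
    """Return the DNS domain built from the DC= components, or None if unusable."""
    labels = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            return None  # an RDN without attr=value, e.g. a bare "Fname"
        if attr.strip().lower() == "dc":
            labels.append(value.strip().lower())
    return ".".join(labels) or None


def check_manager(manager_dn, target_domain):
    """Return (ok, reason) for writing manager_dn to an account in target_domain."""
    if not manager_dn:
        return False, "no manager DN resolved"
    domain = dn_domain(manager_dn)
    if domain is None:
        return False, "manager value is not a usable DN"
    if domain != target_domain.lower():
        return False, f"manager is in {domain}, account is in {target_domain}"
    return True, "same domain"


if __name__ == "__main__":
    # Constructed sample values; the last one is the value as written in the thread.
    for dn in ("CN=Lname\\, Fname,OU=Users,DC=xyz,DC=domain,DC=two",
               "CN=Lname\\, Fname,OU=Users,DC=abc,DC=domain,DC=one",
               "Fname, Lname dc=abc, dc=domain, dc=one"):
        print(dn, "->", check_manager(dn, "xyz.domain.two"))
```

Logging the reason string next to the provisioning request makes an empty manager field traceable to either a malformed value or a domain mismatch.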