-
Title
When copying Active Directory accounts (eg, from within Active Directory Users and Computers) should the Defender attributes also be copied? -
Description
When copying an Active Directory User it is noted that Defender attributes also copy; such as:
defender-danDNs defender-dssMembers defender-policyMembers defender-radiusPayloadGroupsDN defender-radiusPayloadMembers defender-tokenUsersDNs
Will this cause a problem?
-
Resolution
When copying a user (for example, to keep group permissions etc), it would not be recommended to keep any of the Defender attributes from an actual user. The Defender attributes are all one side of a pair of linked attributes; one of the attributes may be written by a user action, and the other is updated by the system. The attributes listed are all the “back links” which are the attributes updated by the system.
For example defender-userTokenData and defender-tokenUsersDNs are linked. When a defender-userTokenData attribute is written with a link to another object the defender-tokenUsersDNs attribute is automatically updated on the linked object.
When copying an Active Directory user, do not copy Defender attributes from an active Defender user. For example, possibly the use of an unused template account may provide the required options.