-
Title
Change authoritative Active Directory domain for an Employee object -
Description
In an environment with several Active Directory (AD) domains, an Employee object can only be updated from the same AD domain it was initially synchronised or created from. AD user data from other AD domains is ignored even when other AD domains are linked to the Employee object. This makes it effectively impossible to migrate an AD user object from one AD domain to another.
-
Cause
The script VI_PersonUpdate_ADS stores the Distinguished Name (DN) of the AD user with the Employee object. When a synchronisation is attempted from a different AD domain, the stored DN is checked against the AD user's DN of this AD Domain and the script aborts because the DNs do not match.
-
Resolution
The stored DN can be updated manually to reflect a different authroritative AD domain using an SQL query.
- With an SQL management tool of your choice, connect to the Identity Manager database and locate the row containing the Employee object you want to change in the table "Person".
- Extract the value of the column "UID_Person" in the given row.
- Run the following SQL query:
"UPDATE dbo.Person SET DistinguishedName='CN=User,CN=OU,DC=Newdomain,DC=loc' WHERE UID_Person='UID' "
(Replace "CN=User,CN=OU,DC=Newdomain,DC=loc" with the DN of the AD user in the new authoritative AD domain and "UID" with the value you just extracted.)
The next synchronisation task from the new authoritative AD domain should now update the Employee object.
The information in the script(s) provided is known to work successfully, however, they have not been officially tested by One Identity Software Quality Control. If any of these instructions are changed and/or incorrectly used, intentionally or unintentionally, this solution becomes unsupported by One Identity Software Support and Development.
One Identity Support and Development recommend always making a backup of the current database prior to execution of any script(s) that may modify it.
For customization of Identity Manager, please contact Professional Services Organization.