You can specify the manage level for a user account resource for handling Active Directory user accounts. The user account’s manage level determines the scope of the properties that a user account inherits from an employee. This means that an employee can have several user accounts in an Active Directory domain:
• Default user account that inherits all properties from the employee.
• Administrative user account that is associated with an employee but should not inherit the employee's properties.
• Service account that contains the home directory and the profile directory of the employee but cannot inherit further properties.
Identity Manager supplies a configuration for manage levels:
• Unmanaged: User accounts with a manage level of “Unmanaged” are connected to an employee but do not inherit further properties. When a new user account is created and assigned to an employee, the employee’s properties are initially transferred. If the employee’s properties are changed at a later date, the changes are not passed on to the user account.
• Full managed: User accounts with a manage level of “Full managed” inherit specific properties from the assigned employee.
Note: The manage levels, “Unmanaged” and “Full managed”, are taken into account in templates. You can define manage levels depending on your requirements. Then you need to extend your templates to include the methods for the additional manage levels.
For more information, please refer to the Identity Management guide: Manage Levels for Handling Active Directory User Accounts