Linking "Normal" accounts to "Admin" Accounts


I have created a workflow which links a normal account to an admin account so when I deprovision the user account the admin account is also deprovisioned. But when I link multiple admin accounts to the normal account I receive the following error:

"Illegal data entry. Workflow activity encountered data entry of multiple values in a situation where a single-value data entry is required. Check configuration of the workflow activity"

Any suggestions are welcome.


  • When I've implemented something like this previously for deprovisioning "linked" accounts it has involved a Search workflow step. Say the accounts are linked/mapped via employeeID. The Search step will search the Managed Domains for all users that have the same EmployeeID as the workflow target. Then within the Search step is a Deprovision step that will deprovision the object(s) found by the search activity. The search step then runs like a ForEach loop.

    Is this similar to what you've implemented?

  • We handle this similar to what Richard Lambert indicated. We put the SamAccountName of the normal account in an attribute on the privileged account. Our HR system controls the status of the normal account through some automation and it will set a value in a second attribute to indicate employment status. I have a workflow in ARS that looks at the normal account and the employmentstatus (l for leave, t for Term, etc) and based on what the normal account's status is, it looks for the privileged accounts for that person and takes action.

  • We would need to see some more details of your implementation as from your description, the issue seems to be that whatever process you are using to initiate the deprovisioning of the associated admin accounts is not expecting to receive more than one value per deprovision request.
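
The search-then-deprovision loop described in the replies above, written as a script for the Active Roles Management Shell. This is an added example, not code from any poster: it assumes the Management Shell cmdlets are already loaded and that accounts are linked by a shared employeeID, and the parameter names `NormalSam` and `DryRun` are hypothetical.

```powershell
# Added example, not code from the thread. Assumes the Active Roles Management
# Shell cmdlets are loaded and linked accounts share the same employeeID.
param(
    [Parameter(Mandatory = $true)][string]$NormalSam,  # hypothetical: sAMAccountName of the normal account
    [switch]$DryRun                                    # hypothetical: list matches, change nothing
)

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so an attribute value cannot change the filter's meaning.
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

# Connect through the Active Roles service rather than straight to AD.
Connect-QADService -Proxy | Out-Null

# @() makes "not found" a count of 0 instead of a $null that looks like one item.
$found = @(Get-QADUser -SamAccountName $NormalSam -IncludedProperties employeeID)
if ($found.Count -ne 1) { throw "Expected exactly one account for '$NormalSam', found $($found.Count)." }
$user = $found[0]

# An empty link value must never reach the search.
if ([string]::IsNullOrEmpty($user.employeeID)) {
    throw "'$NormalSam' has no employeeID; refusing to search with an empty link value."
}

$filter = '(employeeID={0})' -f (ConvertTo-LdapFilterValue $user.employeeID)

# @() keeps the result a collection whether the search returns zero, one or
# many accounts; the normal account itself is excluded from the set.
$linked = @(Get-QADUser -LdapFilter $filter -SizeLimit 0 |
    Where-Object { $_.DN -ne $user.DN })

# One deprovision request per account, so no step ever receives several values.
foreach ($acct in $linked) {
    if ($DryRun) { Write-Output "Would deprovision $($acct.DN)"; continue }
    Deprovision-QADUser -Identity $acct.DN | Out-Null
    Write-Output "Deprovisioned $($acct.DN)"
}
```

Running it with `-DryRun` first lists every account the employeeID match would touch before any of them is changed.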