User Provision - Service Account provisioning

Hi Team. 

So we have been using a user provisioning policy for years just for our standard users / employees and that has been working fine. Typically we created any service account outside of ARS in native ADUC, but now we are starting to tighten up and force everything via ARS. 

Now I have a provisioning policy and the scope of that is set to our User OU. However, when I create a user in an OU outside of that I am still seeing the standard user-based policy kick in. 

I need to create a separate new user policy if the account is being created in an OU outside of the standard users. I thought it was a simple scope setting but it does not seem to be. 

Any ideas? 

  • Also just thinking out loud here. In the WI when we create a new user we have added extra items for our Service Desk to set. Is it even possible to have two new user processes in the WI, each with different items to select? 

  • Thoughts...

    Have you checked all the links on your Standard Policy? - i.e. where all is it linked to.

    Is your service accounts OU a child of your user OU? - If yes, then inheritance would apply.

    Also, check that you haven't linked your Standard Policy to a Managed Unit that is somehow scoping in users from more OUs than you might expect.

    As for the WI, you could create a separate "New Service Account" creation command and associated wizard for your Service Accounts and make it visible only in the OU where Service Accounts are allowed.

    On this last point, the way I have done this was I created a stored Boolean Virtual Attribute (VA) for OUs called IsServiceAccountOU and set it to TRUE on the OUs where I want (in your case) the New Service Account command to be visible. When you create the command in the WI, there's a property you can set where it looks for the presence of the VA I suggested.
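One way to check the inheritance point from the reply offline, as an added example that is not part of the thread or of Active Roles itself: given the OUs a policy is linked to, it reports which links reach a target OU directly or through a parent OU. The DNs and policy links below are constructed sample values; substitute the links shown on your own Standard Policy.

```powershell
# Added example (not from the thread): decide whether a provisioning policy linked to
# the listed OUs would apply, by inheritance, to an object created in a target OU.
# All DNs below are constructed sample values, not from any real forest.

function Split-Dn {
    param([string]$Dn)
    # Split on commas that are not escaped with a backslash, trimming whitespace.
    [regex]::Split($Dn, '(?<!\\),') | ForEach-Object { $_.Trim() }
}

function Test-DnUnder {
    param([string]$ChildDn, [string]$ParentDn)
    $child  = @(Split-Dn $ChildDn)
    $parent = @(Split-Dn $ParentDn)
    if ($child.Count -lt $parent.Count) { return $false }
    # Compare the trailing RDNs; -ne is case-insensitive, as AD name matching is.
    $offset = $child.Count - $parent.Count
    for ($i = 0; $i -lt $parent.Count; $i++) {
        if ($child[$offset + $i] -ne $parent[$i]) { return $false }
    }
    return $true
}

function Get-ApplyingPolicyLinks {
    param([string]$TargetOu, [string[]]$PolicyLinks)
    # Return every link (OU DN) the target OU sits under, directly or by inheritance.
    $PolicyLinks | Where-Object { Test-DnUnder -ChildDn $TargetOu -ParentDn $_ }
}

# Constructed sample: the Standard Policy is linked to the Users OU and, unexpectedly,
# to the whole Corp OU; the service account OU sits under Corp but outside Users.
$standardPolicyLinks = @(
    'OU=Users,OU=Corp,DC=example,DC=com',
    'OU=Corp,DC=example,DC=com'
)
$serviceAccountOu = 'OU=Service Accounts,OU=Corp,DC=example,DC=com'

$hits = @(Get-ApplyingPolicyLinks -TargetOu $serviceAccountOu -PolicyLinks $standardPolicyLinks)
if ($hits.Count -gt 0) {
    "Standard Policy still applies to $serviceAccountOu via: $($hits -join '; ')"
} else {
    "Standard Policy does not reach $serviceAccountOu"
}
```

In the sample data the second link is the one that pulls the service account OU into scope, which is the kind of extra link the reply suggests looking for on the policy's properties.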