Cross domain moves of user accounts. Understanding the gotchas.

I want to do some testing for an automation that allows admins to move user accounts from one ARS managed domain to another. I know there are gotchas on this. I have tried to consider as many as I can think of.

  • Group memberships should be removed before the account is moved.
  • Resetting the user's password to a default value will be required.
  • Making sure the mS-DS-ConsistencyGuid is maintained so that the account doesn't lose its mailbox.
  • Deleting the account's SSO profile is required before the move.

Can you think of any other gotchas to this process? Our current process is very cumbersome. I am hoping to make this much simpler.

I have been reviewing this link found in the KB but don't fully understand it as of yet. www.oneidentity.com/.../how-to-enable-cross-domain-moving-of-user-accounts

Thanks,

Rick

  • I agree with your checklist above.

    I was looking at that article you cited and can't figure out where the actual move takes place though I can see where the target domain is defined.

    In any case, that script is vbscript which is not really supported for scripting in Active Roles anymore.

    Can you share a bit about your environment - i.e. is it a single forest with multiple domains? That's the only use case I am aware of where a "true" move is even possible. Otherwise, what you are doing is creating a new object in the target, copying to it a collection of properties from the source object and then either disabling or deleting the source object when you are done.
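The checklist from the original post, applied to the single-forest case the reply describes, as an added example that is not part of the thread and not One Identity's own code. It assumes the ActiveRoles Management Shell (QAD cmdlets) is installed, that cross-domain moves have been enabled as in the cited KB article, and that Move-QADObject through the ARS proxy performs the intra-forest move; server, OU and user names are placeholders.

```powershell
# Added example (not from the thread or One Identity): one intra-forest
# cross-domain move through Active Roles, following the post's checklist.
# Assumes the QAD cmdlets are present, the KB configuration for cross-domain
# moves is in place, and Move-QADObject performs the move via the ARS proxy.
param(
    [string]$ArsService   = 'ars01.corp.example',                        # placeholder
    [string]$UserDn       = 'CN=Jane Doe,OU=Staff,DC=source,DC=example', # placeholder
    [string]$TargetOu     = 'OU=Staff,DC=target,DC=example',             # placeholder
    [string]$TempPassword = (Read-Host 'Temporary password')             # never hard-code it
)
$ErrorActionPreference = 'Stop'
Connect-QADService -Service $ArsService -Proxy | Out-Null

# 1. Snapshot what the move must preserve. mS-DS-ConsistencyGuid is binary,
#    so compare it as base64 rather than as a byte array.
$before  = Get-QADUser -Identity $UserDn -IncludedProperties 'mS-DS-ConsistencyGuid'
$rawGuid = $before.'mS-DS-ConsistencyGuid'
if (-not $rawGuid) { throw "No mS-DS-ConsistencyGuid on $UserDn; stopping before the move" }
$guidBefore = [Convert]::ToBase64String([byte[]]$rawGuid)

# 2. Record, then drop, group memberships. The primary group cannot be removed
#    and is skipped; the CSV keeps the re-add on the target side auditable.
$groups = Get-QADMemberOf -Identity $UserDn
$groups | Select-Object DN | Export-Csv "$($before.SamAccountName)-groups.csv" -NoTypeInformation
foreach ($g in $groups) {
    try   { Remove-QADGroupMember -Identity $g.DN -Member $UserDn | Out-Null }
    catch { Write-Warning "Skipped $($g.DN): $_" }
}
# SSO profile removal is product-specific and is not shown here.

# 3. Move. Intra-forest moves keep the RDN, so the new DN is predictable.
Move-QADObject -Identity $UserDn -NewParentContainer $TargetOu | Out-Null
$newDn = "CN=$($before.Name),$TargetOu"

# 4. Reset the password and force a change at next logon.
Set-QADUser -Identity $newDn -UserPassword $TempPassword -UserMustChangePassword $true | Out-Null

# 5. Verify the mailbox anchor survived the move.
$after     = Get-QADUser -Identity $newDn -IncludedProperties 'mS-DS-ConsistencyGuid'
$guidAfter = [Convert]::ToBase64String([byte[]]$after.'mS-DS-ConsistencyGuid')
if ($guidAfter -ne $guidBefore) {
    Write-Error "mS-DS-ConsistencyGuid changed ($guidBefore -> $guidAfter); mailbox link at risk"
} else {
    Write-Output "Moved $UserDn to $newDn; consistency GUID intact"
}
```

Run it against a test account first; the exported CSV is the input for re-adding memberships on the target side once the move is confirmed.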
