Best way to manage multiple admin accounts for a person

Admins in our domain have multiple admin accounts (-w/-s/-ad) along with their primary AD account. These accounts get linked to the user's proper Person (typically), but I'm trying to set it up so that they're seen as separate account definitions. On the ADSAccount template, I notice that SAMAccountName mentions an admin account config variable that looks like it would help so I've set that to "-w" just for testing. I've also created an account definition that's set to managed. When I apply this account def to a user, it seems to want to overwrite their standard ADSAccount instead of creating a new one. What's the best way to handle this? Especially since we'd like to have multiple account definitions that create the proper admin account with flags set (isprivaccount, isgroup).

  • Hi,

    Just so I understand, the accounts already exist for the Person record, i.e., the ADSAccounts exist?  But you would like to manage each using a unique account definition?

    Could you provide some more information on what the business reason/usage might be?

    Do you want one ADSAccount managed, while another is not?

    An account definition will not create a new account if there is one already assigned, this is by design.  But you can assign multiple accounts to one Person record.  Also, it's possible to define multiple manage levels, other than the defaults.

    Trevor

  • So many admin accounts were set up prior to us onboarding 1ID. For these users with prior admin level ADSAccounts, we'd like them to link up properly with a unique account def for the account type.

    However, we'd also like to apply these account defs to new users / Persons so that the associated admin account would get created.

    I believe we'd want them all to be managed (my understanding is this is what allows 1ID to create the new accounts).

  • Take a look at the following regarding Manage levels, this might help:

    https://support.oneidentity.com/identity-manager/kb/148806/understanding-manage-levels

    An account definition can be used to create accounts, and you can also use it to define IT properties, such as group membership, etc.

    There is more on this here:

    https://support.oneidentity.com/technical-documents/identity-manager/8.2/administration-guide-for-connecting-to-active-directory/11#TOPIC-1715112

    As it says, "One Identity Manager supplies a default configuration for the Unmanaged and Full managed manage levels. You can define other manage levels depending on your requirements."

    So you could define additional manage levels, depending on the type of account being used and how you'd like things to behave.

    However, if you apply an account def to an Employee it will create only one ADSAccount (if we're only considering ADSAccounts).  Any additional account definitions assigned to the Employee will not create a new ADSAccount, because the logic exists to prevent this.

    You can assign a different ADSAccount to an Employee, assign a specific account def and manage level, and this would work.  However, with regards to automating this, there would be some work required.  The process ADS_PersonHasTSBAccountDef_Autocreate_ADSAccount/Contact will check for an existing account, and not create another.  You could look into changing this.

    Trevor
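Before touching the autocreate process, it helps to see which Persons already carry more than one ADSAccount and whether each of those accounts is bound to an account definition and manage level. The query below is an added audit example, not code from this thread or from One Identity; it assumes the standard One Identity Manager tables and columns named in the comments (ADSAccount, Person, TSBAccountDef, TSBBehavior) and the -w/-s/-ad naming convention described in the question.

```sql
-- Added audit query (assumption: standard One Identity Manager schema with
-- ADSAccount.UID_Person, ADSAccount.UID_TSBAccountDef, ADSAccount.UID_TSBBehavior,
-- ADSAccount.SAMAccountName, Person.CentralAccount,
-- TSBAccountDef.Ident_TSBAccountDef and TSBBehavior.Ident_TSBBehavior).
-- Lists every Person that has more than one ADSAccount and shows, per account,
-- whether it is linked to an account definition and which manage level applies.

WITH MultiAccountPersons AS (
    -- Persons with two or more ADSAccounts (the case discussed in the thread)
    SELECT UID_Person
    FROM   ADSAccount
    WHERE  UID_Person IS NOT NULL AND UID_Person <> ''
    GROUP  BY UID_Person
    HAVING COUNT(*) > 1
)
SELECT
    p.CentralAccount,
    a.SAMAccountName,
    -- Classification by the suffix convention from the question; constructed
    -- for readability, not a schema field.
    CASE
        WHEN a.SAMAccountName LIKE '%-w'  THEN 'admin (-w)'
        WHEN a.SAMAccountName LIKE '%-s'  THEN 'admin (-s)'
        WHEN a.SAMAccountName LIKE '%-ad' THEN 'admin (-ad)'
        ELSE 'primary'
    END AS AccountClass,
    -- NULL here means the account is not bound to any account definition,
    -- i.e. the autocreate/manage logic is not governing it.
    ISNULL(d.Ident_TSBAccountDef, '<no account definition>') AS AccountDefinition,
    ISNULL(b.Ident_TSBBehavior,   '<no manage level>')       AS ManageLevel
FROM   ADSAccount a
JOIN   MultiAccountPersons m ON m.UID_Person = a.UID_Person
JOIN   Person p              ON p.UID_Person = a.UID_Person
LEFT JOIN TSBAccountDef d    ON d.UID_TSBAccountDef = a.UID_TSBAccountDef
LEFT JOIN TSBBehavior   b    ON b.UID_TSBBehavior   = a.UID_TSBBehavior
ORDER BY p.CentralAccount, a.SAMAccountName;
```

Rows showing an admin-suffixed account with no account definition are the ones that would need a manual assignment of account def and manage level, as described in the reply above, until the process is changed.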

  • "However, if you apply an account def to an Employee it will create only one ADSAccount (if we're only considering ADSAccounts).  Any additional account definitions assigned to the Employee will not create a new ADSAccount, because the logic exists to prevent this."

    Ahh, so maybe this is what I'm running into. So based on my understanding of what you described, 1ID only expects a single ADSAccount per Person? Which may be why existing persons with multiple admin ADSAccounts link up, but assigning a new account def to a new employee fails to create it as it already sees one? I'll poke around that process to see how it's working.

  • Yes, exactly.  The logic is such that only one account is assigned, as we wouldn't want the system to create duplicate accounts.

    Trevor

  • So not exactly familiar with how much help you're able to provide, but looking this over can you confirm if these would be the required changes?

    I see the "Check account exists" and "Check for linked account" process steps and think that by modifying those two, I could accomplish what I want. Does that sound right or does it require more modification to that process?
