Changing distinguished name in AD

  • Question

  • Currently we're using the FIM Portal's Synchronization Rules to provision users in AD and we're facing a problem with the DN because the attribute contains "DisplayName" instead of a unique value. We have flows for the initial flow and not initial (to handle if a user's surname changes). Is there a way to add something more to the current DN without breaking anything? The issue now is that since there are a couple of users with the same names, the synchronization fails because of the duplicate DN already existing in AD...

    Thursday, January 21, 2016 4:05 AM

All replies

  • Maybe just add something more than just DisplayName to DN? Display Name would remain as it is but CN (and DN) can have something like:

    CN=John Smith (007),OU=...

    instead of

    CN=John Smith,OU=...

    So maybe just add account name or employee ID?


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    Thursday, January 21, 2016 9:30 AM
  • I would suggest to have the displayname and then the userid.

    Like : "Firstname Lastname (AABBCC00)"

    Thursday, January 21, 2016 10:06 AM
  • +1 for using a uniqueness attribute in your DN. In some organizations sAMAccountName and email address can change over time.

    Best,

    Jeff Ingalls

    Thursday, January 21, 2016 1:23 PM
  • So basically it's safe to just add an additional attribute to the sync rule and FIM will take care of the rest?
    Thursday, January 21, 2016 2:57 PM
  • Yes, it's safe to add an additional attribute to the sync rule that generates DisplayName and DN.



    Saturday, January 23, 2016 12:47 PM
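
The naming scheme suggested in the replies, as an added example that is not part of the original thread and is not FIM sync rule syntax: it builds `CN=DisplayName (ID)` with RFC 4514 escaping and reports which users would collide on the DN, comparing case-insensitively as AD does. The container, the use of `employeeID` as the unique value, and the sample users are assumptions constructed for illustration.

```python
from collections import defaultdict

CONTAINER = "OU=Users,DC=example,DC=com"  # constructed placeholder container

def escape_rdn_value(value):
    """Escape an attribute value for the string form of a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)          # characters that must always be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")              # leading '#'
        elif ch == " " and i in (0, last):
            out.append("\\ ")              # leading or trailing space
        else:
            out.append(ch)
    return "".join(out)

def build_dn(display_name, unique_id=None, container=CONTAINER):
    """CN from the display name alone, or with a unique suffix in parentheses."""
    cn = display_name if unique_id is None else f"{display_name} ({unique_id})"
    return f"CN={escape_rdn_value(cn)},{container}"

def find_duplicate_dns(users, use_id):
    """Map each colliding DN (case-folded) to the employeeIDs that share it."""
    groups = defaultdict(list)
    for user in users:
        uid = user["employeeID"] if use_id else None
        groups[build_dn(user["displayName"], uid).casefold()].append(user["employeeID"])
    return {dn: ids for dn, ids in groups.items() if len(ids) > 1}

# Constructed sample data: three users whose display names differ only by case.
SAMPLE_USERS = [
    {"displayName": "John Smith", "employeeID": "007"},
    {"displayName": "John Smith", "employeeID": "012"},
    {"displayName": "Smith, Anna", "employeeID": "031"},
    {"displayName": "john smith", "employeeID": "044"},
]

if __name__ == "__main__":
    print("DisplayName only:", find_duplicate_dns(SAMPLE_USERS, use_id=False))
    print("DisplayName + ID:", find_duplicate_dns(SAMPLE_USERS, use_id=True))
    for user in SAMPLE_USERS:
        print(build_dn(user["displayName"], user["employeeID"]))
```
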