Renaming AD and ADLDS accounts due to name changes

  • Question

  • I have people who like to change their names for various reasons (marriage, divorce, gender reassignment) and therefore need to change their cn, account name, dn, display name etc.  Most of these change just fine but when it comes to changing the account name/cn I get a Modify-naming-attribute error "The attribute cannot be modified because it is owned by the system."

    Currently one of the MAs is a very basic MA just flowing attributes directly; the other has some Sync rules.

    I have been doing some research and it said to have two entries for the dn, one for the initial flow and one for the renames.  I have this already and it's not working.

    Is it possible to do renames without extensible DLLs?  How?


    Wednesday, September 7, 2016 3:42 AM

All replies

  • Eka

    You should not be adding an attribute flow for the CN attribute. CN is a component of the DN, which you would need a persistent flow for. Typically, when starting with provisioning to any LDAP directory, including AD or ADLDS, I usually start with this, which includes an example of renaming:

    Wednesday, September 7, 2016 5:52 AM
  • Hi Glenn, 

    Thanks for your reply.  I'm sorry I don't think I explained myself correctly. I'm not adding an attribute flow for the CN, that is just one of the attributes that needs to change.  

    I've got three MAs, one for AD LDS which is a simple set of attribute flows within the MA and two for AD, with one that has only sync rules flowing attributes while the other has extensible code.  None of these MAs are currently renaming accounts/usernames when the "source of truth" changes their names.

    E.g. a person called Maggie Birch has a username BirchM while the display name is Maggie Birch.  Maggie changes her name to Maggie Hall, which should mean her username should change to HallM and the display name is Maggie Hall.  The attribute of display name changes correctly but her username doesn't change.

    I'm trying to achieve the rename of the username.

    Monday, September 12, 2016 2:23 AM
  • Hi Eka,

    How are you generating the username BirchM in the first place?  I assume it's performing some logic to check for uniqueness rather than just concatenating some values, but you need to ultimately affect the username attribute in the metaverse (assume accountName) inbound when the name changes, and then have some persistent flow of it outbound.

    You might do this via some code, or via a workflow in the FIM/MIM service.  I find the alteration of a username is fairly problematic, though: who tells the user that their name has changed, and when it occurred?

    Hope that helps,


    Monday, September 12, 2016 3:24 PM
  • All renaming logic is done before reaching FIM.  It is a direct attribute flow.
    Monday, September 12, 2016 8:12 PM
  • Hi Eka,

    In that case, assuming you have a flow from the authoritative system of username -> accountname, you want to check that the accountname is changing in the metaverse when it changes in the source system (if it isn't, check things like precedence).

    Then you'll just want to make sure the export flows are persistent:

    "CN=" + accountName + ",OU=therest,OU=ofthe,dc=structure" -> DN

    Shouldn't be more complicated than that.



    Tuesday, September 13, 2016 8:38 AM
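
The persistent DN flow from the last reply, worked through as an added example (not code from the thread or from FIM/MIM): in LDAP the naming attribute is changed with a ModifyDN (rename) operation rather than by writing `cn`, so the sketch recomputes the DN from `accountName` and plans a rename when it differs. The function names and the plan dictionary are hypothetical; the container is the thread's placeholder, and RFC 4514 escaping is added so a value containing `,` or `+` cannot alter the DN structure.

```python
# Added example: models the export flow "CN=" + accountName + container -> DN.
# Function names and the plan dict are hypothetical, not FIM/MIM APIs.
CONTAINER = "OU=therest,OU=ofthe,dc=structure"  # placeholder from the thread

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def split_first_rdn(dn: str):
    """Split a DN into (leftmost RDN, parent DN) at the first unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""

def plan_export(current_dn: str, account_name: str, container: str = CONTAINER):
    """Re-evaluate the DN on every sync (persistent flow) and plan the export."""
    new_rdn = "CN=" + escape_rdn_value(account_name)
    old_rdn, old_parent = split_first_rdn(current_dn)
    same_parent = old_parent.casefold() == container.casefold()
    if old_rdn == new_rdn and same_parent:
        return {"op": "none"}
    # A changed RDN is a rename (ModifyDN), never a plain modify of cn.
    plan = {"op": "modify_dn", "dn": current_dn,
            "new_rdn": new_rdn, "delete_old_rdn": True}
    if not same_parent:
        plan["new_superior"] = container
    return plan

if __name__ == "__main__":
    # Constructed sample: the BirchM -> HallM rename discussed in the thread.
    print(plan_export("CN=BirchM," + CONTAINER, "HallM"))
```

An initial-only flow corresponds to never calling `plan_export` again after provisioning, which is why the DN stays at its original value when `accountName` changes.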