Active Directory system OU calculation on update moves disabled accounts
Twan Duvigneau
The Active Directory target system has the option to calculate OU paths using PowerShell. This is separated into Initial, move on enable, move on disable and update.
However, when my provisioned Active Directory users are disabled because they are no longer in condition for an enabled account, the update action still triggers, which means I just moved them from my enabled OU to the disabled OU, and when HR updates the person it calculates a new OU from the update action and moves it there, back into a production OU.
The update action should only take effect on enabled accounts, not disabled accounts.
Ramon Schouten
Hi Twan Duvigneau,
I think this is easily solved with a small amount of scripting.
If you use a PowerShell script to decide the update OU, you can use a check on whether the user is enabled and decide the OU accordingly.
Twan Duvigneau
Ramon Schouten: True, but that feels more like a workaround (which we indeed used) than how the feature should actually work. I would not be surprised if many implementations unknowingly have disabled accounts moved to production OUs. It would also result in more AD queries for data HelloID already has knowledge of.
Ramon Schouten
Twan Duvigneau: I agree, it would of course be nice if this were the default. Or preferably, an option like "move disabled accounts on update", as I could think of a few cases where you do still want to move disabled accounts.
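Added example (not part of the thread and not HelloID's own code): one way to write the enabled check suggested above, together with an audit query for the concern that disabled accounts may already have been moved back into production OUs. The OU paths and function names are hypothetical, and how the HelloID OU script receives the person and returns its result is not shown on this page, so that wiring is left out.

```powershell
# Added example; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumptions: replace with the OUs used in your own environment.
$ProductionOU = 'OU=Employees,OU=Users,DC=example,DC=local'

function Get-ParentOU {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Drop the leading RDN (CN=...); the lookbehind skips escaped commas
    # such as "CN=Doe\, Jane,OU=...".
    return ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Resolve-UpdateOU {
    # Hypothetical helper for the "update" OU calculation.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CalculatedOU  # OU the update logic would normally return
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled
    if (-not $user.Enabled) {
        # Disabled account: return the OU it is already in, so the update
        # action does not move it back into a production OU.
        return Get-ParentOU -DistinguishedName $user.DistinguishedName
    }
    return $CalculatedOU
}

function Find-DisabledInProduction {
    # Audit: disabled accounts that currently sit under the production OU.
    param([string]$SearchBase = $ProductionOU)
    Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase `
        -SearchScope Subtree -Properties whenChanged |
        Select-Object SamAccountName, DistinguishedName, whenChanged
}

# Usage (constructed sample values):
# Resolve-UpdateOU -SamAccountName 'jdoe' -CalculatedOU $ProductionOU
# Find-DisabledInProduction | Sort-Object whenChanged -Descending
```

The audit function is read-only; reviewing its output by `whenChanged` shows which disabled accounts were touched most recently.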