Track Account Movement Across Active Directory OUs
Credential Manager can track user accounts that move between different organizational units (OUs) in Active Directory. When an account changes OUs, the account DN changes. Credential Manager account tracking can find the user account in Active Directory and successfully change the password. Password view policies and password rollover are not impacted by the change to an OU.
Credential Manager first tries to bind to Active Directory using the Distinguished Name (DN). If that binding fails, it tries to bind using the User Principal Name (UPN). If the UPN binding works, the DN is updated in the PAM database to match the DN in Active Directory.
Accounts that Do Not Use the UPN
Credential Manager might not be able to track the account change automatically under the following circumstances. Manual updates are required.
- If the Active Directory account does not include a UPN, manually update the DN in the target account. Without a UPN, there is no alternative to the DN.
- If the UPN changes in the Active Directory account, manually update the UPN in the PAM target account. The UPN in Active Directory and the UPN in Credential Manager must be in sync. Credential Manager can still track an account using the DN. However, any subsequent OU change can alter the DN, and the UPN is needed as an alternative. Changes only to the UPN do not change the DN.
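The DN-then-UPN fallback and the two manual-update cases above can be checked ahead of an OU reorganization with a small audit. The following is an added example, not Credential Manager code or its API: it models each bind attempt as a lookup, and the record layout, status names, and sample accounts are constructed assumptions.

```python
# Added illustration; record layout and sample data are constructed assumptions,
# not Credential Manager internals or its API.

def lookup(directory, key, value):
    """Find a directory entry by 'dn' or 'upn' (compared case-insensitively)."""
    if not value:
        return None
    for entry in directory:
        if (entry.get(key) or "").lower() == value.lower():
            return entry
    return None

def classify(stored, directory):
    """Return (status, dn_to_store) for one target account record."""
    entry = lookup(directory, "dn", stored["dn"])            # first attempt: DN
    if entry is None:
        entry = lookup(directory, "upn", stored.get("upn"))  # fallback: UPN
        if entry is None:
            return "manual-dn-update", stored["dn"]          # nothing left to match on
        return "dn-updated", entry["dn"]                     # stored DN follows AD
    if not entry.get("upn"):
        return "no-upn-fallback", stored["dn"]               # next OU move breaks tracking
    if (stored.get("upn") or "").lower() != entry["upn"].lower():
        return "upn-out-of-sync", stored["dn"]               # fix UPN in target account
    return "ok", stored["dn"]

# Constructed state of AD after some accounts moved from OU=Service to OU=Tier1.
DIRECTORY = [
    {"dn": "CN=svc-backup,OU=Tier1,DC=example,DC=test", "upn": "svc-backup@example.test"},
    {"dn": "CN=svc-legacy,OU=Tier1,DC=example,DC=test", "upn": None},
    {"dn": "CN=svc-web,OU=Service,DC=example,DC=test", "upn": "svc-web2@example.test"},
    {"dn": "CN=svc-old,OU=Service,DC=example,DC=test", "upn": None},
    {"dn": "CN=svc-db,OU=Service,DC=example,DC=test", "upn": "svc-db@example.test"},
]
# Constructed target account records as stored before the moves.
STORED = [
    {"dn": "CN=svc-backup,OU=Service,DC=example,DC=test", "upn": "svc-backup@example.test"},
    {"dn": "CN=svc-legacy,OU=Service,DC=example,DC=test", "upn": None},
    {"dn": "CN=svc-web,OU=Service,DC=example,DC=test", "upn": "svc-web@example.test"},
    {"dn": "CN=svc-old,OU=Service,DC=example,DC=test", "upn": None},
    {"dn": "CN=svc-db,OU=Service,DC=example,DC=test", "upn": "svc-db@example.test"},
]

def audit(stored_accounts, directory):
    """Map each stored DN to its (status, dn_to_store) result."""
    return {acct["dn"]: classify(acct, directory) for acct in stored_accounts}

if __name__ == "__main__":
    for dn, (status, new_dn) in audit(STORED, DIRECTORY).items():
        print(f"{status:18} {dn} -> {new_dn}")
```

Accounts reported as `manual-dn-update`, `no-upn-fallback`, or `upn-out-of-sync` are the ones that need the manual changes described in the list above.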