Track Account Movement Across Active Directory OUs

Credential Manager can track user accounts that move between different organizational units (OUs) in Active Directory. When an account changes OUs, its distinguished name (DN) changes. Credential Manager account tracking can still find the user account in Active Directory and successfully change the password. Password view policies and password rollover are not affected by a change of OU.
Credential Manager first tries to bind to Active Directory using the Distinguished Name (DN). If that binding fails, it tries to bind using the User Principal Name (UPN). If the UPN binding works, the DN is updated in the PAM database to match the DN in Active Directory.
Accounts that Do Not Use the UPN
Credential Manager might not be able to track the account change automatically in the following circumstances, and manual updates are required:
  • If the Active Directory account does not include a UPN, manually update the DN in the target account. Without a UPN, there is no alternative to the DN.
  • If the UPN changes in the Active Directory account, manually update the UPN in the PAM target account. The UPN in Active Directory and in Credential Manager must be in sync. Credential Manager can still track the account using the DN, but any subsequent OU change alters the DN, and the UPN is then needed as the alternative. Changes only to the UPN do not change the DN.
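The DN-first, UPN-fallback tracking logic described above, together with the two cases that require manual updates, as an added example (not Credential Manager's own code). It stands in for the LDAP binds with lookups against a constructed in-memory snapshot of Active Directory; the function names, the `dn_ok` / `dn_updated` / `manual_update_required` status strings and the sample DNs and UPNs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ADAccount:
    """One user object as it currently exists in Active Directory (constructed sample)."""
    dn: str
    upn: Optional[str]  # None models an account with no userPrincipalName set


@dataclass
class TargetAccount:
    """The target account record as stored in the PAM database (constructed sample)."""
    dn: str
    upn: Optional[str]


def bind_by_dn(directory: Dict[str, ADAccount], dn: str) -> Optional[ADAccount]:
    """Stand-in for an LDAP bind by distinguished name (hypothetical helper)."""
    return directory.get(dn)


def bind_by_upn(directory: Dict[str, ADAccount], upn: str) -> Optional[ADAccount]:
    """Stand-in for an LDAP bind by userPrincipalName; UPNs are unique per forest
    and compared case-insensitively (hypothetical helper)."""
    for acct in directory.values():
        if acct.upn is not None and acct.upn.lower() == upn.lower():
            return acct
    return None


def track_account(directory: Dict[str, ADAccount],
                  target: TargetAccount) -> Tuple[str, Optional[str]]:
    """Locate the target account in AD the way the page describes:
    try the stored DN first, fall back to the stored UPN, and if the UPN
    succeeds, rewrite the stored DN to match AD. Returns (status, dn)."""
    # 1. Bind with the stored DN; if the account has not moved, nothing changes.
    if bind_by_dn(directory, target.dn) is not None:
        return ("dn_ok", target.dn)
    # 2. The DN no longer resolves. Without a stored UPN there is no alternative,
    #    so an operator must update the DN in the target account by hand.
    if not target.upn:
        return ("manual_update_required", None)
    # 3. Fall back to the UPN. If the UPN was changed in AD and the PAM copy was
    #    not kept in sync, this also fails and manual intervention is required.
    found = bind_by_upn(directory, target.upn)
    if found is None:
        return ("manual_update_required", None)
    # 4. UPN bind worked: update the stored DN to the account's new location.
    target.dn = found.dn
    return ("dn_updated", found.dn)


# Constructed AD snapshot taken after two OU moves (no real directory is involved).
BASE = "DC=example,DC=test"
AD_SNAPSHOT: Dict[str, ADAccount] = {
    f"CN=Alice Ng,OU=Finance,{BASE}": ADAccount(f"CN=Alice Ng,OU=Finance,{BASE}",
                                              "alice.ng@example.test"),
    f"CN=svc-backup,OU=Services,{BASE}": ADAccount(f"CN=svc-backup,OU=Services,{BASE}",
                                                 None),  # service account, no UPN
    f"CN=Bob Lee,OU=Finance,{BASE}": ADAccount(f"CN=Bob Lee,OU=Finance,{BASE}",
                                             "robert.lee@example.test"),  # UPN renamed
}


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run the tracker over the three cases the page describes."""
    moved_with_upn = TargetAccount(f"CN=Alice Ng,OU=Sales,{BASE}", "alice.ng@example.test")
    moved_without_upn = TargetAccount(f"CN=svc-backup,OU=Sales,{BASE}", None)
    moved_upn_changed = TargetAccount(f"CN=Bob Lee,OU=Sales,{BASE}", "bob.lee@example.test")
    return {
        "moved_with_upn": track_account(AD_SNAPSHOT, moved_with_upn),
        "moved_without_upn": track_account(AD_SNAPSHOT, moved_without_upn),
        "moved_upn_changed": track_account(AD_SNAPSHOT, moved_upn_changed),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `manual_update_required` outcome is the one worth alerting on: when it appears for an account that password rollover is about to touch, the rollover will fail until the stored DN (or the stored UPN, when the UPN was renamed in AD) is corrected in the target account.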