[389-users] AD user moves vs. 389 user moves.

Anne Cross across at itasoftware.com
Tue Jan 5 20:06:19 UTC 2010


Our AD admins want to move users from our ou=Users tree to a new tree called ou=Departed, after we've locked the accounts, so that we know when a user has left the company and we've completed the cleanup process.  We've discovered through trial and error that when they do this on the AD server, it doesn't actually move the user out of the ou=Users tree on the 389 server.  The accounts stay synced - passwords transmit and so forth - but the state of affairs is somewhat confusing.

If I delete the user and then recreate them in the correct tree on my side, the AD server blows the user away and we lose all history - old passwords, AD preferences, etc., which is annoying when the person in question is an intern who might come back.

Anyone have any suggestions on a workaround for this state of affairs?  It doesn't look like a *bug* to me so much as a complete difference of opinion on how a user "move" should be accomplished between 389 and AD 2008.

-- juniper



