ADS Account Fields Not Propagating (eTADSsAMAccountName and eTADSuserPrincipalName)
search cancel

ADS Account Fields Not Propagating (eTADSsAMAccountName and eTADSuserPrincipalName)


Article ID: 36078


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite



Making changes to Provisioning global user attributes do not propagate to the associated ADS Account’s samAccountName and/or userPrincipalName even though the account had an account template with correct rulestrings set in the eTADSuserPrincipalName (i..e User logon name) field and the eTADSsAMAccountName (i.e. User logon name pre-Windows 2000) field. Is that expected?


All versions of Identity Suite (Identity Manager)


We made a design decision to not allow modification of the User Principle Name and SamAccountName.


The product is currently working as designed. The product is not coded to propagate changes to those fields (eTADSuserPrincipalName and/or eTADSsAMAccountName).

Older C++ based connectors that run within the C++ Connector Server (i.e. im_ccs) rely on Parser Table definition files (i.e. PTT files) which are compiled with the product and cannot be modified by users which dictate attribute behaviors.

If you run the following command you can see how attributes are coded to be handled:

Open a cmd.exe prompt and cd to the Provisioning Server’s Data folder

Run ..\bin\dumpptt –f –t adsparse –of adsparse-full.txt

Run notepad.exe adsparse-full.txt

Search for both of the following entries in adsparse-full.txt and note that isPropagationAllowed is set to no for both of the fields:

ATTRIBUTE (LDAP Name) eTADSAccount::eTADSuserPrincipalName

ATTRIBUTE (LDAP Name) eTADSAccount::eTADSsAMAccountName

So this design decision is why the Provisioning global user value is not propagated to the AD account when it is modified.

Additional Information


While the user modify propagation to account cannot be relied upon, the AD account itself can have the eTADSsAMAccountName and/or the eTADSuserPrincipalName fields updated if modified directly on the ADS Account object instead. This could be done via the Provisioning Manager, an etautil command, an ldap command, or from the IM layer via an account level modify or via a PX Policy that is doing an account level modify.