All versions of Identity Suite (Identity Manager)
It is possible to change the CN directly through Provisioning Manager by looking up the account and changing the value. The downside is that this must be done one account at a time.
It is also possible to change the CN through the command line, but after the change the user must be synced with their account templates, or you risk losing track of the account.
Please keep in mind that once an account is moved or renamed, it no longer matches the Account Template. The system will therefore think there is an extra account and a missing account, and at some point will likely try to add any missing accounts and delete any extra accounts, so it is important that this be handled by proper Templates.
This is what the ldapmodrdn.exe command against the Provisioning Server would look like for a rename. Replace PROV_SERVER_HOST, BIND_USER, BIND_PWD, ORIGINAL_ACCOUNT_NAME, NEW_ACCOUNT_NAME, and MY_AD_ENDPOINT with values appropriate for your systems.
ldapmodrdn.exe -h PROV_SERVER_HOST -p 20389 -D "eTGlobalUserName=BIND_USER,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w BIND_PWD -r "eTADSAccountName=ORIGINAL_ACCOUNT_NAME,eTADSContainerName=Users,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory,dc=im,dc=eta" "eTADSAccountName=NEW_ACCOUNT_NAME"
This results in:
Rename Result: Success (0)
Additional info: :ETA_S_00283<MAC>, Active Dir. Account 'ORIGINAL_ACCOUNT_NAME' on 'MY_AD_ENDPOINT' renamed successfully
And the Provisioning Server etatrans log (level=7) would show:
20171005:113339:TID=002604:Rename :E124:----:S: External Rename (eTADSAccountName=ORIGINAL_ACCOUNT_NAME) Requested by User BIND_USER - TenantNotSet
20171005:113339:TID=002604:Rename :E124:----:P: dn: eTADSAccountName=ORIGINAL_ACCOUNT_NAME,eTADSContainerName=Users,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory,dc=im
20171005:113339:TID=002604:Rename :E124:----:P: new-rdn: eTADSAccountName=NEW_ACCOUNT_NAME
20171005:113340:TID=002604:Rename :E124:----:F: SUCCESS: External Rename (eTADSAccountName=ORIGINAL_ACCOUNT_NAME)
20171005:113340:TID=002604:Rename :E124:----:F: msg: :ETA_S_00283<MAC>, Active Dir. Account 'ORIGINAL_ACCOUNT_NAME' on 'MY_AD_ENDPOINT' renamed successfully
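An added example (not from the original article or from the product): a Python script that reads etatrans log text and rebuilds each Rename transaction (requester, original DN, new RDN, outcome), so renames made from the command line can be listed and reconciled with their Account Templates. The field layout is inferred from the sample lines above, a new S line is assumed to open a new transaction on that TID, and the last three sample lines are constructed.

```python
import re

# Field layout inferred from the article's sample lines (an assumption, not a
# documented format): date:time:TID=n:operation:code:flags:phase: text
LINE = re.compile(r"^(\d{8}):(\d{6}):TID=(\d+):(\w+)\s*:\w+:[^:]*:([SPF]): (.*)$")

def parse_renames(log_text):
    """Return one audit record per Rename transaction found in log_text."""
    records, current = [], {}          # current: TID -> record still being filled
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(4) != "Rename":
            continue
        date, time, tid, _, phase, text = m.groups()
        if phase == "S":               # S line opens a transaction, names the requester
            who = re.search(r"Requested by User (\S+)", text)
            current[tid] = {"when": f"{date} {time}", "tid": tid, "dn": None,
                            "requester": who.group(1) if who else None,
                            "new_rdn": None, "success": False}
            records.append(current[tid])
            continue
        rec = current.get(tid)
        if rec is None:                # P/F line without a preceding S line
            continue
        key, _, value = text.partition(": ")
        if phase == "P" and key == "dn":
            rec["dn"] = value
        elif phase == "P" and key == "new-rdn":
            rec["new_rdn"] = value
        elif phase == "F" and key == "SUCCESS":
            rec["success"] = True
    return records

# First five lines are the article's excerpt; the last three are constructed
# to show a rename that was requested but has no SUCCESS line.
SAMPLE = """\
20171005:113339:TID=002604:Rename :E124:----:S: External Rename (eTADSAccountName=ORIGINAL_ACCOUNT_NAME) Requested by User BIND_USER - TenantNotSet
20171005:113339:TID=002604:Rename :E124:----:P: dn: eTADSAccountName=ORIGINAL_ACCOUNT_NAME,eTADSContainerName=Users,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory,dc=im
20171005:113339:TID=002604:Rename :E124:----:P: new-rdn: eTADSAccountName=NEW_ACCOUNT_NAME
20171005:113340:TID=002604:Rename :E124:----:F: SUCCESS: External Rename (eTADSAccountName=ORIGINAL_ACCOUNT_NAME)
20171005:113340:TID=002604:Rename :E124:----:F: msg: :ETA_S_00283<MAC>, Active Dir. Account 'ORIGINAL_ACCOUNT_NAME' on 'MY_AD_ENDPOINT' renamed successfully
20171005:113405:TID=002604:Rename :E124:----:S: External Rename (eTADSAccountName=EXAMPLE_OLD) Requested by User EXAMPLE_ADMIN - TenantNotSet
20171005:113405:TID=002604:Rename :E124:----:P: dn: eTADSAccountName=EXAMPLE_OLD,eTADSContainerName=Users,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory,dc=im
20171005:113405:TID=002604:Rename :E124:----:P: new-rdn: eTADSAccountName=EXAMPLE_NEW
"""

if __name__ == "__main__":
    for r in parse_renames(SAMPLE):
        print(r["when"], r["requester"], r["dn"], "->", r["new_rdn"], "renamed" if r["success"] else "unconfirmed")
```

Records with success set are the accounts that now need to be synced with their Account Templates; records without it were requested but never confirmed in the log.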
You can also invoke this command through a PX Policy to automate the process. The following Tech Doc shows an example of a PX Policy calling Java code:
https://knowledge.broadcom.com/external/article/36219/explaining-px-policies-invoking-of-exter.html
That Java code could invoke an ldapmodrdn command such as:
ldapmodrdn.exe -h PROV_SERVER_HOST -p 20389 -D "eTGlobalUserName=BIND_USER,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w BIND_PWD -r "eTADSAccountName=ORIGINAL_ACCOUNT_NAME,eTADSContainerName=Users,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory,dc=im,dc=eta" "eTADSAccountName=NEW_ACCOUNT_NAME"
https://knowledge.broadcom.com/external/article?articleId=36078