Solved

Active Directory OU Move through ADSI

Posted on 2011-02-28
9
1,368 Views
Last Modified: 2012-05-11
Hi Everyone,

I'm attempting to perform a rename of user's distinguishedName that results in the user being moved from one OU to another.  I'm using an IDM tool called Oracel Waveset (formerly Sun IDM) and when I pass in the new OU to be moved the gateway uses an ADSI call to actually move the user, however when I perform this command I recieve the following:

Unable to set user info: 'The name provided is not a properly formed account name'

I know that isn't a lot to go on, but can any of the AD experts out there tell me what would be expected to perform a move? ie. what attributes need to be passed in? should only the new DN be sufficient.  What about case sensitivity, is the DN case sensitive? If so, what is the format of that case sensitivity?  Any help would be greatly appreciated.
0
Comment
Question by:zozig
  • 6
  • 2
9 Comments
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35003526
Take a look at this document:

Moving and Renaming User Accounts
http://technet.microsoft.com/en-us/library/ee198798.aspx

Try passing the parameters as the examples.

If it does not work, provide us with more information about the code used to move the users.
0
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35003551
I found a topic in this forum:

Thread: Cannot Provision Users from IDM to AD
http://forums.oracle.com/forums/thread.jspa?threadID=1966907&tstart=-2

It seems like your issue. Try following the same steps to see if you can solve it.
0
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35003566
At least you can check out three things:

1) See if your version of IDM is compatible with the version of Windows you are using.

2) It seems like case sensitivity may be an issue in IDM.

3) Check out the permissions for the AD adapter proxy account.
0
 
LVL 1

Author Comment

by:zozig
ID: 35003661
Hi rmrustice,

Thanks for all the input, I have looked at the IDM thread you pointed out and it does make me think the DN is case sensitive but I just can't seem to find what is the right combination for example I've tried the follwoing:
CN=rnTest,OU=TestOU,DC=AD-DEV,DC=COM
cn=rnTest,ou=TestOU,dc=AD-DEV,dc=COM
cn=rntest,ou=testou,dc=ad-dev,dc=com
CN=RNTEST,OU=TESTOUT,DC=AD-DEV,DC=COM

not sure how many iterations I can go for DN but they have all given me the same error, the IDM version I'm using is compatible with the version of AD and the user does have permsions, I can move the user in the native tools with the account as well as move it with powershell scripts.  In any case, thanks for the feedback, I guess I'll keep trying different iterations of case sensitivity.

0
 
LVL 11

Accepted Solution

by:
Renato Montenegro Rustice earned 500 total points
ID: 35003686
As far as I know, the DN case sensitivity is not important to ADSI. It may be important to the IDM.

To know exactly how it's registered in Active Directory, open ADSIEDIT.MSC, then navigate to the user. The interface will be very similar to the Active Directory Users and Computers. Then, open the user account, navigate thru the attributes until you find the distinguishedName. Double click it and copy it's contents.
0
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35003708
Another way to get to the users distinguished name would be like this command:

dsquery user "dc=yourdomain,dc=com" -scope subtree -name johndoe

In this case, your domain is named yourdomain.com. Change it to fit your domain name. johndoe is the account name. Change it appropriately.
0
 
LVL 7

Expert Comment

by:FemSteenkamp
ID: 35006320
does it ask for the name and ou separately?
0
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35224627
Any news on that?
0
 
LVL 1

Author Closing Comment

by:zozig
ID: 36289044
Sorry for the very late response on this, thanks for the help, I was able to resolve with a powershell script to move the user
0

Join & Write a Comment

Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now