Can’t delete outstanding object in ADSAccount

It is not possible to override this, and honestly, it wouldn't help for long assuming that the assigned account definition has been inherited.

You need to check the origin of the account definition assignment first, and then clean this up at the source.

That makes sense. The account definition originates from a dynamic role, and is correct (that is, we want these employees to have this account definition), the problem is that there are two accounts in the ADSAccount table for AD and the account definition is tied to the account that is not in AD. 

I assumed that if I was able to remove the wrong account from the ADSAccount table it would resolve the issue. But maybe there is a better way? Any advice is much appreciated.

That makes sense. The account definition originates from a dynamic role, and is correct (that is, we want these employees to have this account definition), the problem is that there are two accounts in the ADSAccount table for AD and the account definition is tied to the account that is not in AD. 

I assumed that if I was able to remove the wrong account from the ADSAccount table it would resolve the issue. But maybe there is a better way? Any advice is much appreciated.

Is the wrong ADSAccount marked as OutStanding? By the way, which version are you using?

Yes, it is the wrong ADSAccount that is marked outstanding. This is version 8.0.

All of the employees in question predate the implementation of OneIdentity and thus their AD accounts were preexisting. They end up with two entries in the ADSAccount table and the outstanding one is the one with the account definition. Unfortunately that is not the one that corresponds to the actual user account in AD.

Btw, I hope this is the right use of the forums!

Is the second AD user, the actual one, already assigned to the same person, and is it already marked to be managed by the same account definition?

It is assigned, but not marked as managed and not tied to the account definition,

I would then remove the account definition and the manage-level from the outstanding ADSAccount via SQL and set the account definition and the manage-level at the correct ADSAccount.

But you can as well contact support to help you out.

that worked. In case anyone else runs into this I did the following on the account:

set XMarkedForDeletion = 0
set UID_TSBBehavior = NULL
set UID_TSBAccountDef = NULL

I was then able to add the account def to the correct account and delete the incorrect account.