
Adding AD admin accounts to Managed for a user profile

Hello everyone,

I have 2 different domains: one for the USA and one for EUROPE employees. Everyone has a corporate account that is used to log in to your workstation depending on location, but some users have an additional Admin account assigned to them to log in to privileged servers.

So, for example, a user on the USA domain has their regular account: jdoe and then an admin account: adminjdoe. If their employee profile is already tied to the USA domain, how can I tie their admin account also to their profile if it's on the same domain? Do I have to create another managed domain for the admin accounts even though it's on the same USA domain? i.e. USAAdminDomain.

Hope this makes sense, please let me know if I need to clarify further or if anyone has any input on this.

Thanks in advance.

  • Mapping multiple accounts to a single person is a normal practice BUT ...

    ...you have to set first "User account resource" and then edit management levels on this resource.

    Basically you want only one account on the user to have a management level 1 and all the others 0 or else.

    If you need, you can create additional management levels!

    ...you might need to assign this resource to all employees that have existing accounts in those systems manually. Also check config parameters for account propagation and set them to "Search and Create".

    ....hope this gives you the hint in the right direction but the documentation can also help! ;-)

  • Thank you mekindad,

    I do know how to manage accounts but the issue I have is as soon as I attach the admin account to the profile it will update the AD account with that display name. The current admin accounts have a display name of "Admin User Initials".

    Do I have to change some code somewhere so it doesn't update the display name when I attach the account to the profile?

    Thank you.

  • Ok so I did add another resource and configured a manage level of "Admin". When I try to switch that account to that manage level, I get this error.

    Where is this script located? I can't find it.

    Thanks for the feedback.

  • This is being thrown by the template on UID_ProfileServer. You will find this pattern in a lot of the templates where it checks for OOTB manage levels, and if it is any other manage level, throws a "Non specified manage level" exception. You will have to modify the templates in question. You can find out which ones by running a SELECT query on DialogColumn where TableName is the table you are interested in and the template is like '%Non specified manage level%'.

  • Thank you both for your responses. I had quite a few templates using that ManageLevel. I was able to get my admin accounts attached and working as expected.

  • Sorry all, I jumped the gun a bit. When I attach the admin account to the profile, it starts adding that account to all the AD groups that the person is a part of. How do I stop IDM from adding the admin account to these groups?

  • Check the "IsGroupAccount" parameter on the account. If this is true, it inherits groups. If false, it will not.

  • Thanks George, I had noticed that shortly after I posted...duh!