CA Identity Manager: Rename the CN of an Active Directory account through Identity Manager

Document ID : KB000097181
Last Modified Date : 22/05/2018
Introduction:
The CN of an AD account is the naming attribute of the account object in Identity Manager (the eTADSAccountName RDN of the object in the Provisioning Server directory), so it cannot be modified like an ordinary attribute: changing it is a rename of the object.
Question:
What are the options for changing the CN value for Active Directory endpoint accounts through Identity Manager? 
Answer:
It is possible to change the CN directly through Provisioning Manager by looking up the account and changing the value. The downside is that this must be done one account at a time.

It is also possible to change the CN from the command line, but after the rename the global user must be synchronized with their account templates, otherwise Identity Manager loses track of the account.

Keep in mind that once an account is moved or renamed it no longer matches the Account Template. The system then sees one extra account (the renamed one) and one missing account (the name the template expects), and at some point a synchronization may try to create the missing account and delete the extra one. The rename must therefore be covered by templates that match the new name.

This is what an ldapmodrdn.exe rename against the Provisioning Server looks like. Replace PROV_SERVER_HOST, BIND_USER, BIND_PWD, ORIGINAL_ACCOUNT_NAME, NEW_ACCOUNT_NAME and MY_AD_ENDPOINT with the values for your environment.

ldapmodrdn.exe -h PROV_SERVER_HOST -p 20389 -D "eTGlobalUserName=BIND_USER,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w BIND_PWD -r "eTADSAccountName=ORIGINAL_ACCOUNT_NAME,eTADSContainerName=Users,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory,dc=im,dc=eta" "eTADSAccountName=NEW_ACCOUNT_NAME" 

This results in: 

Rename Result: Success (0) 
Additional info: :ETA_S_00283<MAC>, Active Dir. Account 'ORIGINAL_ACCOUNT_NAME' on 'MY_AD_ENDPOINT' renamed successfully 
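The command above handles one account per invocation, so a bulk rename is a loop that builds each DN, runs ldapmodrdn.exe and checks the "Rename Result" text before moving on. The following script is an added example (not code from the article or from CA) that does exactly that. It escapes RDN values per RFC 4514 so an account whose name contains a comma does not split the DN, parses the result text shown above, and stops on the first failure. The host prov01, bind user etaadmin, endpoint CORP-AD and the account names are hypothetical, and _fake_ldapmodrdn is a constructed stand-in for the real executable so the script runs offline.

```python
import re
import subprocess

PROV_PORT = 20389          # Provisioning Server LDAP port from the article
SUFFIX = "dc=im,dc=eta"    # provisioning directory suffix from the article


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514 so that a name such as
    'Smith, John' stays one RDN instead of splitting the DN at the comma."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def account_dn(endpoint, account, container="Users"):
    """DN of an AD endpoint account in the provisioning directory."""
    return (f"eTADSAccountName={escape_rdn_value(account)},"
            f"eTADSContainerName={escape_rdn_value(container)},"
            f"eTADSDirectoryName={escape_rdn_value(endpoint)},"
            f"eTNamespaceName=ActiveDirectory,{SUFFIX}")


def bind_dn(bind_user):
    """DN of the global user that ldapmodrdn binds as."""
    return (f"eTGlobalUserName={escape_rdn_value(bind_user)},"
            f"eTGlobalUserContainerName=Global Users,"
            f"eTNamespaceName=CommonObjects,{SUFFIX}")


def rename_argv(host, bind_user, bind_pwd, endpoint, old_name, new_name, container="Users"):
    """argv for ldapmodrdn.exe, one element per argument so no shell quoting
    is involved (subprocess passes the list straight through)."""
    return ["ldapmodrdn.exe", "-h", host, "-p", str(PROV_PORT),
            "-D", bind_dn(bind_user), "-w", bind_pwd,
            "-r", account_dn(endpoint, old_name, container),
            f"eTADSAccountName={escape_rdn_value(new_name)}"]


RESULT_RE = re.compile(r"Rename Result:\s*([^(]+?)\s*\((\d+)\)")
MSG_RE = re.compile(r"(ETA_[A-Z]_\d+)<[^>]*>,\s*(.*)")


def parse_rename_output(text):
    """Interpret ldapmodrdn's output the way the article shows it: a
    'Rename Result: <status> (<code>)' line followed by an ETA_ message."""
    m = RESULT_RE.search(text)
    if not m:
        return {"ok": False, "code": None, "eta": None,
                "message": "no 'Rename Result' line in output"}
    status, code = m.group(1), int(m.group(2))
    info = MSG_RE.search(text)
    return {"ok": status == "Success" and code == 0,
            "code": code,
            "eta": info.group(1) if info else None,
            "message": info.group(2).strip() if info else status}


def rename_all(pairs, host, bind_user, bind_pwd, endpoint, run=None, stop_on_error=True):
    """Rename (old, new) pairs one request at a time and collect the parsed
    result per account. `run` takes an argv list and returns stdout; it is
    injectable so the logic can be exercised offline."""
    if run is None:
        def run(argv):
            return subprocess.run(argv, capture_output=True, text=True).stdout
    results = {}
    for old, new in pairs:
        results[old] = parse_rename_output(
            run(rename_argv(host, bind_user, bind_pwd, endpoint, old, new)))
        if stop_on_error and not results[old]["ok"]:
            break
    return results


def _fake_ldapmodrdn(argv):
    """Constructed stand-in for ldapmodrdn.exe (used only so this script runs
    offline); it echoes the success text from the article for the -r target."""
    target = argv[argv.index("-r") + 1]
    old = re.match(r"eTADSAccountName=((?:\\.|[^,])*)", target).group(1)
    endpoint = re.search(r"eTADSDirectoryName=((?:\\.|[^,])*)", target).group(1)
    return ("Rename Result: Success (0)\n"
            f"Additional info: :ETA_S_00283<MAC>, Active Dir. Account '{old}' "
            f"on '{endpoint}' renamed successfully\n")


if __name__ == "__main__":
    # Hypothetical host, bind user, endpoint and account names.
    demo = rename_all([("jsmith", "john.smith"), ("Smith, Mary", "mary.smith")],
                      "prov01", "etaadmin", "REPLACE_ME", "CORP-AD",
                      run=_fake_ldapmodrdn)
    for old, r in demo.items():
        print(old, "->", "OK" if r["ok"] else f"FAILED ({r['code']})", r["message"])
```

Two cautions when running this for real. Passing the bind password with -w puts it in the process command line, where anyone who can list processes on that host can read it, so run the script from a host and account scoped to this task and do not leave the password in the script. And the loop only renames the endpoint accounts; each affected global user still has to be synchronized with their account templates afterwards, as described above, or the next synchronization may treat the renamed account as extra.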

And the Provisioning Server etatrans log (level=7) would show: 

20171005:113339:TID=002604:Rename :E124:----:S: External Rename (eTADSAccountName=ORIGINAL_ACCOUNT_NAME) Requested by User BIND_USER - TenantNotSet 
20171005:113339:TID=002604:Rename :E124:----:P: dn: eTADSAccountName=ORIGINAL_ACCOUNT_NAME,eTADSContainerName=Users,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory,dc=im 
20171005:113339:TID=002604:Rename :E124:----:P: new-rdn: eTADSAccountName=NEW_ACCOUNT_NAME 

20171005:113340:TID=002604:Rename :E124:----:F: SUCCESS: External Rename (eTADSAccountName=ORIGINAL_ACCOUNT_NAME) 
20171005:113340:TID=002604:Rename :E124:----:F: msg: :ETA_S_00283<MAC>, Active Dir. Account 'ORIGINAL_ACCOUNT_NAME' on 'MY_AD_ENDPOINT' renamed successfully 
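Because every rename leaves the S/P/F trace above in etatrans, the log is also the audit trail for renames made outside the normal provisioning flow. The script below is an added example (not from the article or from CA) that correlates the lines of each transaction ID into one record (who requested the rename, old and new name, outcome) and flags completed renames whose requester is not an approved identity, such as the service account a PX Policy runs under. The sample log is constructed from the article's trace with hypothetical names (jsmith, etaadmin, svc_px, CORP-AD); the allowed-user set is an assumption you would replace with your own.

```python
import re
from collections import OrderedDict

# Layout of an etatrans Rename line as shown in the article:
#   YYYYMMDD:HHMMSS:TID=nnnnnn:Rename :Ennn:----:<phase>: <payload>
# Phase S starts the request, P carries its parameters, F finishes it.
LINE_RE = re.compile(
    r"^(?P<date>\d{8}):(?P<time>\d{6}):TID=(?P<tid>\d+):Rename\s*:E\d+:[^:]*:"
    r"(?P<phase>[SPF]):\s*(?P<payload>.*)$")
START_RE = re.compile(r"External Rename \(eTADSAccountName=(?P<old>[^)]+)\) "
                      r"Requested by User (?P<user>\S+)")
NEWRDN_RE = re.compile(r"new-rdn:\s*eTADSAccountName=(?P<new>.+)$")
OUTCOME_RE = re.compile(r"^(?P<outcome>[A-Z]+):")   # e.g. 'SUCCESS: External Rename ...'

# Constructed sample log: the article's trace with hypothetical names, plus a
# second rename by a different user and a third request with no F line yet.
SAMPLE_LOG = """\
20171005:113339:TID=002604:Rename :E124:----:S: External Rename (eTADSAccountName=jsmith) Requested by User etaadmin - TenantNotSet
20171005:113339:TID=002604:Rename :E124:----:P: dn: eTADSAccountName=jsmith,eTADSContainerName=Users,eTADSDirectoryName=CORP-AD,eTNamespaceName=ActiveDirectory,dc=im
20171005:113339:TID=002604:Rename :E124:----:P: new-rdn: eTADSAccountName=john.smith

20171005:113340:TID=002604:Rename :E124:----:F: SUCCESS: External Rename (eTADSAccountName=jsmith)
20171005:113340:TID=002604:Rename :E124:----:F: msg: :ETA_S_00283<MAC>, Active Dir. Account 'jsmith' on 'CORP-AD' renamed successfully
20171005:114502:TID=002611:Rename :E124:----:S: External Rename (eTADSAccountName=mjones) Requested by User svc_px - TenantNotSet
20171005:114502:TID=002611:Rename :E124:----:P: new-rdn: eTADSAccountName=mary.jones
20171005:114503:TID=002611:Rename :E124:----:F: SUCCESS: External Rename (eTADSAccountName=mjones)
20171005:120011:TID=002620:Rename :E124:----:S: External Rename (eTADSAccountName=bwhite) Requested by User etaadmin - TenantNotSet
"""


def correlate_renames(lines):
    """Group the S/P/F lines of each transaction ID into one rename record."""
    renames = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = renames.setdefault(m["tid"], {
            "tid": m["tid"], "when": None, "old": None, "new": None,
            "requested_by": None, "outcome": "incomplete"})
        payload = m["payload"]
        if m["phase"] == "S":
            s = START_RE.search(payload)
            if s:
                t = m["time"]
                rec["when"] = f"{m['date']} {t[:2]}:{t[2:4]}:{t[4:]}"
                rec["old"], rec["requested_by"] = s["old"], s["user"]
        elif m["phase"] == "P":
            p = NEWRDN_RE.search(payload)
            if p:
                rec["new"] = p["new"].strip()
        else:  # phase F: the first word of the payload is the outcome
            f = OUTCOME_RE.match(payload)
            if f:
                rec["outcome"] = f["outcome"]
    return list(renames.values())


def unexpected_renames(records, allowed_users):
    """Completed renames whose requester is not an approved identity (for
    example the PX Policy's service account), i.e. out-of-band changes."""
    return [r for r in records
            if r["outcome"] == "SUCCESS" and r["requested_by"] not in allowed_users]


if __name__ == "__main__":
    recs = correlate_renames(SAMPLE_LOG.splitlines())
    for r in recs:
        print(f"{r['tid']} {r['when']} {r['old']} -> {r['new']} "
              f"by {r['requested_by']}: {r['outcome']}")
    for r in unexpected_renames(recs, {"svc_px"}):   # svc_px is a hypothetical PX service account
        print("REVIEW:", r["tid"], r["old"], "renamed by", r["requested_by"])
```

Only the F line with "SUCCESS:" is treated as a completed rename; a transaction that has an S line but no F line is reported as incomplete rather than guessed at, since the article shows only the success form of the finish line.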

The rename can also be automated from a PX Policy. The Tech Doc linked below shows an example of a PX Policy calling Java code; the same Java code could invoke the ldapmodrdn command shown above.

https://support.ca.com/us/knowledge-base-articles.TEC1112454.html