Let's say you have two OUs named 'PreSalesTeam' and 'PostSalesTeam'.
The PreSales Team recruits a salesperson called 'John Smith'. His account is created in the PreSalesTeam OU, so his distinguished name is:
CN=John Smith,OU=PreSalesTeam,DC=OurDomain,DC=ORG
Then the PostSales Team recruits a different person called 'John Smith'. His account is created in the PostSalesTeam OU, so his distinguished name is:
CN=John Smith,OU=PostSalesTeam,DC=OurDomain,DC=ORG
There is nothing wrong with this, and Active Directory is perfectly happy. However, six months later John Smith in the PreSales Team transfers to the PostSales Team and we try to move the user from one OU to the other. It sounds obvious, but moving the object changes its distinguished name, and in the destination OU that name would no longer be unique, so Active Directory will prevent the move.
This is a slightly philosophical discussion, but it means that your user provisioning team might need to think about making first and last name combinations unique in the domain, even though Active Directory doesn't make you do that.
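A pre-move check for the collision described above, as an added example that is not from the original post. The function names Get-Rdn, Test-MoveCollision and Get-DuplicateRdn are hypothetical, and the DN list is constructed sample data built from the names in the post plus one invented user.

```powershell
# Constructed sample data: the two accounts from the post plus one unrelated user.
# In a live domain the list could come from the ActiveDirectory module, e.g.
#   Get-ADUser -Filter * | Select-Object -ExpandProperty DistinguishedName
$ExistingDNs = @(
    'CN=John Smith,OU=PreSalesTeam,DC=OurDomain,DC=ORG'
    'CN=John Smith,OU=PostSalesTeam,DC=OurDomain,DC=ORG'
    'CN=Jane Doe,OU=PreSalesTeam,DC=OurDomain,DC=ORG'
)

function Get-Rdn {
    # Hypothetical helper: return the leftmost RDN, e.g. 'CN=John Smith'.
    # Splits only on commas not preceded by '\', so 'CN=Smith\, John' stays whole.
    # Limitation: an escaped backslash directly before a comma is not handled.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    ($DistinguishedName -split '(?<!\\),', 2)[0].Trim()
}

function Test-MoveCollision {
    # Hypothetical helper: build the DN the object would have after the move
    # and report whether another object already holds it.
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [Parameter(Mandatory)][string]$TargetOU,
        [Parameter(Mandatory)][string[]]$ExistingDNs
    )
    $newDN = '{0},{1}' -f (Get-Rdn $UserDN), $TargetOU
    [pscustomobject]@{
        NewDN    = $newDN
        # -contains compares strings case-insensitively, as AD does for DNs.
        Collides = ($ExistingDNs -contains $newDN)
    }
}

function Get-DuplicateRdn {
    # Hypothetical helper: list every RDN that appears in more than one
    # container, i.e. accounts that cannot be moved next to each other.
    param([Parameter(Mandatory)][string[]]$ExistingDNs)
    $ExistingDNs |
        Group-Object { Get-Rdn $_ } |
        Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ Rdn = $_.Name; DNs = $_.Group } }
}

# The move from the post: PreSales John Smith into the PostSalesTeam OU.
Test-MoveCollision -UserDN $ExistingDNs[0] `
    -TargetOU 'OU=PostSalesTeam,DC=OurDomain,DC=ORG' -ExistingDNs $ExistingDNs
Get-DuplicateRdn -ExistingDNs $ExistingDNs
```

Running Get-DuplicateRdn at provisioning time shows which new accounts would share a CN with an existing one somewhere else in the domain, before a later transfer turns that into a failed move.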
Cheers!