
ZPA: Automatic Username Changes based on AD Username Changes

Participant II
Posts: 7
Registered: ‎12-09-2014
#1 of 7 357
Accepted Solution

I am currently using ZPA to provision accounts using the latest version of Centrify Infrastructure Services. When a username change occurs in AD, the provisioner does not change the username of the provisioned account. I can see in the debug logs that it does know about the new AD username:

ZoneWorker.EnumerateUserProfiles: oldusername
ZoneWorker.EnumerateUserProfiles: --> newusername@ouraddomain.edu

I need the ZPA to automatically change the provisioned user's username based on the AD username change. How can I accomplish this?

Registered: ‎07-06-2010
#2 of 7 355

Re: ZPA: Automatic Username Changes based on AD Username Changes

ZPA can only provision and de-provision UNIX profiles; it does not overwrite existing profiles.

To see the name change reflected in your case, remove the user from the provisioning group, restart ZPA, add the user back to the group, and restart ZPA.

Regards,

Felderi Santiago
Technical Director - NA East, LATAM
Centrify Corporation
Participant II
Posts: 7
Registered: ‎12-09-2014
#3 of 7 354

Re: ZPA: Automatic Username Changes based on AD Username Changes

It makes sense that this will work, but it doesn't scale very well. I have
~20,000 users provisioned in our global zone. In this case would I be
expected to automate this myself? I can do this, but I would have expected
a built-in mechanism for it. If so, how can I most efficiently detect these
username changes?
Registered: ‎07-06-2010
#4 of 7 351

Re: ZPA: Automatic Username Changes based on AD Username Changes

ZPA cannot detect name changes. It works off SIDs in provisioning groups, not user names.

Name changes would have to be detected via a different mechanism.

Your other options for automation, if you can detect the name change, are to use the PowerShell cmdlets or UNIX adedit options to make Zone changes.

Felderi Santiago
Technical Director - NA East, LATAM
Centrify Corporation
Centrify Guru I
Posts: 1,949
Registered: ‎07-26-2012
#5 of 7 348

Re: ZPA: Automatic Username Changes based on AD Username Changes

@blaked,

Keep in mind that you're not provisioning/deprovisioning 20K users. You have an initial load of 20K; from that point on it is adds/moves/changes.

R.P
Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 7
Registered: ‎12-09-2014
#6 of 7 347

Re: ZPA: Automatic Username Changes based on AD Username Changes

True, but what I mean is that I have to consider username changes on the
scale of 20,000. At this scale the solution must be automatic; it's not
practical to do things by hand. Also, at that scale even the relatively
small percentage of users that change their usernames will produce a
non-trivial number of changes.
Participant II
Posts: 7
Registered: ‎12-09-2014
#7 of 7 342

Re: ZPA: Automatic Username Changes based on AD Username Changes

Thank you for the information. I will write something to handle this case using adedit (which I already heavily leverage).
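One way to do the detection step discussed in this thread, as an added example that is not code from any poster or from Centrify: it pairs the `ZoneWorker.EnumerateUserProfiles` debug lines quoted in the question and reports profiles whose name no longer matches the AD name. It assumes every profile line is followed by its `-->` line and that the part of the AD name before `@` is the desired UNIX login; the function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the log format quoted in the question (names are made up).
SAMPLE_LOG = """\
ZoneWorker.EnumerateUserProfiles: jsmith
ZoneWorker.EnumerateUserProfiles: --> jsmith@ouraddomain.edu
ZoneWorker.EnumerateUserProfiles: oldusername
ZoneWorker.EnumerateUserProfiles: --> newusername@ouraddomain.edu
ZoneWorker.EnumerateUserProfiles: mjones
ZoneWorker.EnumerateUserProfiles: --> jsmith@ouraddomain.edu
ZoneWorker.EnumerateUserProfiles: orphan
"""

LINE = re.compile(r"ZoneWorker\.EnumerateUserProfiles:\s+(-->\s+)?(\S+)")


def parse_pairs(log_text):
    """Yield (profile_name, ad_principal) from consecutive debug lines."""
    pending = None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        arrow, value = m.groups()
        if arrow is None:
            pending = value            # profile line; wait for its "-->" line
        elif pending is not None:
            yield pending, value       # AD name that belongs to the profile
            pending = None


def find_renames(log_text):
    """Return (renames, conflicts) as lists of (profile_name, ad_name)."""
    pairs = list(parse_pairs(log_text))
    in_use = {profile.lower() for profile, _ in pairs}
    renames, conflicts = [], []
    for profile, principal in pairs:
        ad_name = principal.split("@", 1)[0]
        if profile.lower() == ad_name.lower():
            continue                   # profile already matches AD
        # A target name that is already taken goes to manual review: applying
        # it would give one user's UNIX login name to a different AD account.
        if ad_name.lower() in in_use:
            conflicts.append((profile, ad_name))
        else:
            renames.append((profile, ad_name))
            in_use.add(ad_name.lower())
    return renames, conflicts
```

The `renames` list is what a follow-up adedit or PowerShell step would act on; `conflicts` should be resolved by hand before any zone change is made.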