Our AD admins want to move users from our ou=Users tree to a new tree called 
ou=Departed, after we've locked the accounts, so that we know when a user has 
left the company and we've completed the cleanup process.  We've discovered 
through trial and error that when they do this on the AD server, it doesn't 
actually move the user out of the ou=Users tree on the 389 server.  The 
accounts stay synced - passwords transmit and so forth - but the state of 
affairs is somewhat confusing.

If I delete the user and then recreate them in the correct tree on my side, the 
AD server blows the user away and we lose all history - old passwords, AD 
preferences, etc., which is annoying when the person in question is an intern 
who might come back.

Anyone have any suggestions on a workaround for this state of affairs?  It 
doesn't look like a *bug* to me so much as a complete difference of opinion on 
how a user "move" should be accomplished between 389 and AD 2008.

-- juniper

--
389 users mailing list
389-us...@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
