The IDM Task Force has been charged by the CIO to develop a set of integrated Identity Management services that manage UNM identity information so that it can be utilized to the maximum benefit of the UNM Community. The latest revision of the Task Force Charter is available for review.
See also, Identity Management/Active Directory Roadmap Overview.
One of the first deliverables of the Task Force is the IDM Design document. The document will outline specific goals of the task force and be used to spawn off projects to achieve the desired goal state. A link to the Design Document will be published here when it is finalized. Some of the goals outlined in the Design document have already spawned additional projects.
1. Build a Centralized Active Directory Forest
The ADTC was formed to implement a centralized AD forest on campus. This project is well underway and making significant progress. The AD Standards and Design are available at the CIO Web Site.
2. Establish NetID and Password Synchronization between main campus LDAP and the Centralized AD Forest
The Password Sync task force has finished the design and plans to go live November 22, 2009. When activated, the creation, deletion and modification of LDAP NetIDs will synchronize through the SUN IDM application to the Centralized AD forest.
Will users be able to change their password using Ctrl+Alt+Delete on a Windows desktop attached to the AD Forest?
No. To enable this feature, an IDM agent would have to be installed on every Domain Controller in the forest. To reduce complexity and possible conflicts during the AD Forest migrations, it was decided not to allow this feature at this time. Password changes will have to be made through the online NetID management web pages.
Will all users' passwords be synchronized on the go-live date?
No. On November 22, 2009, a link will be established between an AD account and the LDAP NetID account. After this date, when a user changes their password via the NetID management web pages, the passwords and expiration times between the two systems will synchronize. Until individual passwords are changed, separate passwords will still exist, as well as separate password expiration dates.
Will all LDAP users have AD accounts on the go-live date?
No. On the go-live date, a link between the LDAP NetID account and the AD account will be created only if the AD account already exists. After this date, modifications to the LDAP account such as updates from Banner, password changes, and Self Service modifications will trigger the synchronization in IDM, and an AD account will be created.
The new AD forest is based on OUs (Organizational Units). How will I know who will be placed in which OU?
A mapping based on department number has been implemented. A person's department number is based on which department pays his/her salary. Individual department numbers can be looked up via the online directory. The current departmental mapping can be viewed here.
Can I move a person into a different OU?
If there is a justified business need to move an individual into an OU they normally wouldn't be in, a mechanism in IDM has been developed to enter an OU override. Right now this request can be made via an e-mail sent to IDM@unm.edu. Plans are underway to move this functionality to the IT Support Center.
What will happen when a Department creates a new department number?
If a mapping for the new department number does not exist, users with the new department number will be moved to the default OU (ou=people, dc=colleges, dc=ad, dc=unm, dc=edu). It is the responsibility of the OU administrators to notify IT of the new department number so that it can be added to the departmental mapping before the change takes place.
Will OU (Organizational Unit) Administrators still be able to manage accounts in AD?
Yes. OU Administrators will still be able to create Service Accounts as they deem necessary. These accounts should be created in the SvcAccounts sub-OU and conform to the standards established by the ADTC. Accounts for people should already exist via the IDM synchronization. A user's corresponding OU Administrator can change passwords for them; however, this will be discouraged. AD password changes will not propagate back through the IDM system and are prone to cause confusion for the users.
What attributes are being mapped from LDAP to AD and what are the implications?
View a list of attributes being mapped. Modifications to mapped attributes in AD will be overwritten by IDM the next time the account is modified in LDAP.
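The provisioning rules answered above (link only where an AD account already exists at go-live, creation on the next LDAP modification, OU placement by department number with an override and the default OU as fallback, one-way overwrite of mapped attributes, and AD-side password resets that never flow back to LDAP) can be checked against a small executable model. The following is an added example and is not the page's, UNM's, or the SUN IDM product's code; the department-to-OU table, the list of mapped attributes, the NetIDs and passwords are all constructed placeholders, and only the default OU DN comes from the page.

```python
"""Constructed model of the LDAP -> AD synchronization rules described in the FAQ."""
from dataclasses import dataclass

# Hypothetical department-number -> OU table; the real mapping is on the CIO site.
DEPT_TO_OU = {
    "123A": "ou=ITServices,dc=colleges,dc=ad,dc=unm,dc=edu",
    "456B": "ou=Library,dc=colleges,dc=ad,dc=unm,dc=edu",
}
# Default OU for unmapped department numbers (taken from the page).
DEFAULT_OU = "ou=people,dc=colleges,dc=ad,dc=unm,dc=edu"
# Assumed set of attributes mapped LDAP -> AD; the page links the real list.
MAPPED_ATTRS = ("givenName", "sn", "mail", "department")


@dataclass
class Account:
    netid: str
    attrs: dict
    password: str
    pw_expires: str
    ou: str = ""
    linked: bool = False


class Idm:
    """One-directional synchronizer: LDAP is authoritative, AD is the target."""

    def __init__(self, ldap, ad, overrides=None):
        self.ldap = ldap            # netid -> Account (source of truth)
        self.ad = ad                # netid -> Account (target forest)
        self.overrides = overrides or {}   # netid -> OU DN entered by IT

    def target_ou(self, netid):
        """OU override wins; otherwise department mapping; otherwise default OU."""
        if netid in self.overrides:
            return self.overrides[netid]
        dept = self.ldap[netid].attrs.get("department")
        return DEPT_TO_OU.get(dept, DEFAULT_OU)

    def go_live(self):
        """Go-live only links accounts that already exist on both sides."""
        for netid, acct in self.ldap.items():
            if netid in self.ad:
                acct.linked = self.ad[netid].linked = True

    def on_ldap_modified(self, netid):
        """Any LDAP change (Banner, self service, password) triggers a sync."""
        src = self.ldap[netid]
        if netid not in self.ad:            # first modification creates the AD account
            self.ad[netid] = Account(netid, {}, src.password, src.pw_expires)
        dst = self.ad[netid]
        dst.linked = src.linked = True
        for attr in MAPPED_ATTRS:           # mapped attributes are overwritten
            if attr in src.attrs:
                dst.attrs[attr] = src.attrs[attr]
        dst.ou = self.target_ou(netid)

    def netid_password_change(self, netid, new_pw, expires):
        """Change via the NetID web pages: password and expiration sync to AD."""
        src = self.ldap[netid]
        src.password, src.pw_expires = new_pw, expires
        self.on_ldap_modified(netid)
        dst = self.ad[netid]
        dst.password, dst.pw_expires = new_pw, expires

    def ad_password_change(self, netid, new_pw):
        """OU-admin reset in AD: nothing propagates back to LDAP."""
        self.ad[netid].password = new_pw


def run_scenario():
    """Walk through the FAQ cases and return what each one observes."""
    ldap = {  # constructed sample NetIDs
        "alice": Account("alice", {"givenName": "Alice", "sn": "A", "department": "123A"}, "pwL1", "2010-01-01"),
        "bob": Account("bob", {"givenName": "Bob", "sn": "B", "department": "999Z"}, "pwL2", "2010-02-01"),
    }
    ad = {"alice": Account("alice", {"givenName": "Alice", "sn": "A"}, "pwA1", "2009-12-01")}
    idm = Idm(ldap, ad)
    out = {}
    idm.go_live()
    out["alice_linked"] = ad["alice"].linked
    out["bob_in_ad_at_golive"] = "bob" in ad
    out["alice_pw_separate"] = ad["alice"].password != ldap["alice"].password
    idm.netid_password_change("alice", "pwNew", "2010-03-01")
    out["alice_pw_synced"] = (ad["alice"].password, ad["alice"].pw_expires) == ("pwNew", "2010-03-01")
    out["alice_ou"] = ad["alice"].ou
    ad["alice"].attrs["sn"] = "Edited-in-AD"   # local edit to a mapped attribute
    idm.on_ldap_modified("alice")
    out["ad_edit_overwritten"] = ad["alice"].attrs["sn"] == "A"
    idm.ad_password_change("alice", "adOnly")
    out["ad_pw_not_back"] = ldap["alice"].password == "pwNew"
    idm.on_ldap_modified("bob")                 # e.g. a Banner update after go-live
    out["bob_created"] = "bob" in ad
    out["bob_ou"] = ad["bob"].ou                # unmapped department -> default OU
    idm.overrides["bob"] = DEPT_TO_OU["456B"]   # OU override entered by IT
    idm.on_ldap_modified("bob")
    out["bob_override_ou"] = ad["bob"].ou
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model makes the operational consequences visible: an attribute or password edited directly in AD survives only until the next LDAP-side change, and a user whose department number is missing from the table lands in the default OU rather than failing to provision, which is why the page asks OU administrators to report new department numbers before the change takes place.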
3. Establish Federated ID
One of the primary directions given by the CIO is to configure and establish Federated ID for UNM. Federated ID should be used to provide access to UNM and other state resources based on trusts established between UNM and other institutions.
My question isn't addressed here. How do I get a question and answer added here?
Please submit your questions to IDM@unm.edu.