How to rename a user and keep his samAccountName as is

---

Overview

This article describes a solution for the following case:

1. User account samAccountName is generated according to a generation rule that looks like that:

   1. {{GFirst(GExcludeCharacters(GtoLowerCase(GJoinByCharF([GFirst(GExcludeCharacters(Surname, "@\\\"%&*+/=?\'{}|<>();:,[]`- "),5),GFirst(GivenName,1),GFirst(Initials + 'x',1),GGetRandomChars(3)],'')), "@\\\"%&*+/=?\'{}|<>();:,[]` "),20)}}~@~Surname,GivenName,Initials

   2. This rule adds 3 random letters at the end.
   3. One letter of the First Name is used in that generation rule.
2. There is a user account with the first name "Bob", last name "Smith" and samAccountName generated as "bsmithxyz".
3. Delegated administrator uses Rename User web action to change the target account's First Name.
4. First Name changed in the way that the first letter does not change, for example: Bob -> Bobby.
5. As the result of this rename operation, user account samAccountName is changed: bsmithxyz -> bsmithabc.
6. Ideally, the product should not change user samAccountName as the 1st letter of the First Name did not change, besides the fact that the entire First Name is changed. This requirement can be applied to other properties like Last Name or Initials when the property value is changed but the part of that value used in the generation rule is not changed.

The solution below provides step-by-step instructions on how to use Custom Generation Tokens to add additional checks before re-generating samAccountName. 

 

Configuration

1.  In Admin Console navigate to Home > Configuration > Web Portal > Web Actions > Active Directory > Rename User.
2. Open Custom Generation Token section and copy\paste this script:

   {
   $objDN = $CayoSelectedObjectsIds[0].ObjectDN;
   $cp = (PMEXTAD_GetADSettingsByDN -ObjectDN $objDN -DefaultDC $AD_DefaultDC -Credential $AD_Credentials);
   $samAccountName = (Get-ADUser -Identity $objDN @cp).SamAccountName;
   $samAccountNameTail=''
   if($Null -ne $samAccountName){
   $samAccountNameTail = (PSLast $samAccountName 3)
   $samAccountName=$samAccountName.substring(0,$samAccountName.length-3)
   }
   @{'InitialSamTokenValue'=$samAccountName;'InitialSamTokenTail'=$samAccountNameTail; }
   }

3. In SamAccountName generation rule copy\paste this script:
   

   {{GFirst(GExcludeCharacters(GtoLowerCase(GJoinByCharF([GFirst(GExcludeCharacters(Surname, "@\\\"%&*+/=?\'{}|<>();:,[]`- "),5),GFirst(GivenName,1),GFirst(Initials + 'x',1),GReturnByCondition([CustomAttr20],InitialSamTokenTail,3,[InitialSamTokenValue]),GReturnByCondition([CustomAttr20],GGetRandomChars(3),4,[InitialSamTokenValue])],'')), "@\\\"%&*+/=?\'{}|<>();:,[]` "),20)}}~@~Surname,GivenName,Initials,CustomAttr20

4. Save changes.
5. Navigate to Home > Configuration > Web Portal > Attribute Policies.
6. Create a new attribute policy:
   1. Policy Scope: Active Directory > AD Users > Rename User.
   2. Select some victim attribute, for example, Other attributes 20, and open its' policy settings.
   3. Check Generation Value and copy\paste this script: 
      

      {{GFirst(GExcludeCharacters(GtoLowerCase(GJoinByCharF([GFirst(GExcludeCharacters(Surname, "@\\\"%
      &*+/=?\'{}|<>();:,[]`- "),5),GFirst(GivenName,1),GFirst(Initials + 'x',1)],'')), "@\\\"%&*+/=?\'{}|<>();:,[]` "),20)}}~@~Surname,GivenName,Initials

7. Save changes.

After that If you rename a user and the newly generated samAccountName is the same as before rename, it will be kept as is including random symbols.

 

Rename User web action:

 

Attribute Policy: