Re-registering a device in domains with a different customer ID

 

If your organization has multiple customer IDs in the same forest, you might encounter a situation in which users cannot unregister a device from one domain and then register it in another. When they try to register it in the new domain, they get the message, ‘A transaction with the server at <server name> has failed with the status “403”.’

This situation can occur when you have multiple connectors, each with a different customer ID, and each connector uses a different Active Directory container to store the device object. There are a couple of common situations in which this can occur:

  • When you have a test and production deployments each in a separate domain and each domain has a separate Privileged Access Service customer ID.
  • When your organization has different divisions—for example, a North America and APAC division—with separate domains and Privileged Access Service customer IDs.

The administrative problem is this: the same device cannot have separate objects in two different organizational units within the same forest. This is a problem because unregistering a device does not delete it from the organizational unit. When the user unregisters a device, the Privileged Access Service just changes the state from registered to unregistered.

To allow the user to register the same device in another domain with a separate customer ID an administrator needs to do one of the following:

  • Grant the destination connector permission to move or remove objects (in this case, the device object) in the original connector’s organizational unit.
  • Manually delete the device object from the original connector organizational unit when the user unregisters the device. You can do this in Active Directory or using Admin Portal. When the user registers the device the next time, the Privileged Access Service creates a new object in the destination organizational unit when the user registers the device.
  • Manually move the device object from the original connector organizational unit to the destination after the user unregisters it. When the user registers the device the next time, the Privileged Access Service updates the state to registered device in the destination organizational unit.