---
title: Editing Objects (Write-Back to Active Directory)
category: Directory Browser
tags: write-back, edit, enable, disable, manager, AD, modify
priority: Normal
---
Editing Objects (Write-Back to Active Directory)
IdentityCenter isn't just read-only — you can make changes to Active Directory objects directly from the web interface. Changes are written back to AD in real time and a full audit trail is maintained.
What Can You Edit?
User Fields
From any user's detail page, you can update:
| Field | Description |
|---|---|
| Display Name | The user's full display name |
| First Name | Given name |
| Last Name | Surname |
| Middle Name | Middle name |
| Email | Primary email address |
| Title | Job title |
| Department | Department name |
| Company | Company name |
| Office | Physical office location |
| Phone | Office phone number |
| Mobile Phone | Mobile number |
| Home Phone | Home phone number |
| Fax | Fax number |
| Street Address | Street address |
| City | City |
| State | State or province |
| Postal Code | ZIP or postal code |
| Country | Country |
| Division | Business division |
| Employee ID | Employee identifier |
| Employee Type | Employment type (e.g., Full-Time, Contractor) |
| Description | Account description |
| User Principal Name | UPN (login identifier) |
| Username | sAMAccountName |
Account Status
- Enable Account — Re-enable a disabled user account
- Disable Account — Disable a user account (blocks login without deleting)
Manager Assignment
- Set Manager — Assign or change a user's manager in AD
- Clear Manager — Remove the manager assignment
How to Edit an Object
- Navigate to Directory > Objects
- Find and click on the user you want to modify
- On the user detail page, click the Edit button
- Make your changes in the edit form
- Click Save to write the changes back to Active Directory
Changes take effect immediately in AD. The next time the object is synchronized, IdentityCenter will reflect the updated values.
How to Enable or Disable an Account
- Open the user's detail page
- Look for the Account Status section
- Click Disable Account or Enable Account
- Confirm the action
The change is applied immediately to Active Directory. The user will be unable to log in (if disabled) or regain access (if enabled) right away.
Important: Disabling an account does not delete it. The user's data, group memberships, and history are preserved. This is the recommended approach for offboarding.
How to Change a Manager
- Open the user's detail page
- Find the Manager field
- Click Change Manager
- Search for and select the new manager
- Confirm the change
The manager attribute in AD is updated immediately. This affects:
- Organizational chart relationships
- Access review routing (reviews go to the user's manager)
- Reporting hierarchies
Audit Trail
Every write-back action is logged with:
| Field | Description |
|---|---|
| Timestamp | When the change was made |
| Changed By | Who made the change (user or system) |
| Object | Which AD object was modified |
| Field | What attribute was changed |
| Old Value | Previous value |
| New Value | New value |
| Source | Whether it was a manual change or automated action |
View the audit trail in Administration > Audit Logs.
Automated Write-Back
Write-back isn't just for manual edits. IdentityCenter can automatically modify AD objects as part of:
- Policy Remediation — Automatically disable accounts that violate compliance rules
- Lifecycle Actions — Disable or modify accounts based on lifecycle events
- Access Review Decisions — Revoke access by removing group memberships
- Workflow Actions — Automated actions triggered by approval workflows
Permissions Required
For write-back to work, your AD service account needs:
- Read permissions (required for sync — you already have this)
- Write permissions on the attributes you want to modify
- Account Operators or equivalent permissions for enable/disable operations
- Write permission on the `manager` attribute for manager changes
Tip: Create a dedicated service account with only the specific write permissions needed, rather than using a Domain Admin account. Follow the principle of least privilege.
Recommended AD Permissions
Grant these permissions on the OUs containing your user objects:
- Write all properties — For editing user fields
- Reset Password — Only if password reset is enabled
- Read/Write Account Restrictions — For enable/disable operations
- Write Manager — For manager assignment changes
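The following PowerShell session is an added example, not IdentityCenter's own code or a script shipped with the product. It delegates the rights listed above to a dedicated service account with `dsacls`, scoped to user objects under one OU, and follows the least-privilege tip by granting Write Property on the individual editable attributes instead of "Write all properties". The OU name, the service account name and the mapping from the editable fields to AD attribute names are assumptions; check the mapping against your own schema before running it.

```powershell
# Added example (not IdentityCenter code): delegate only the write rights this page
# lists to a dedicated service account, limited to user objects under one OU.
# Assumed names: OU=Staff,DC=corp,DC=example and CORP\svc-identitycenter.
$ou  = 'OU=Staff,DC=corp,DC=example'
$svc = 'CORP\svc-identitycenter'

# dsacls /G syntax: "<trustee>:<rights>;<attribute or property set>;<inherited object type>"
# /I:S applies the ACE to child objects only (the OU itself is unchanged);
# the trailing ';user' restricts it to user objects. WP = Write Property, RP = Read Property.

# Editable user fields (assumed attribute mapping for the fields in the table above).
$editable = @(
    'displayName', 'givenName', 'sn', 'middleName', 'mail', 'title', 'department',
    'company', 'physicalDeliveryOfficeName', 'telephoneNumber', 'mobile',
    'homePhone', 'facsimileTelephoneNumber', 'streetAddress', 'l', 'st',
    'postalCode', 'c', 'division', 'employeeID', 'employeeType', 'description',
    'userPrincipalName', 'sAMAccountName'
)
foreach ($attr in $editable) {
    dsacls $ou /I:S /G "${svc}:WP;${attr};user"
}

# Enable/disable: the Account Restrictions property set contains userAccountControl,
# whose ACCOUNTDISABLE bit (0x2) is what an enable/disable action flips.
dsacls $ou /I:S /G "${svc}:RPWP;Account Restrictions;user"

# Manager assignment ("Write Manager" in the delegation wizard is WP on the manager attribute).
dsacls $ou /I:S /G "${svc}:WP;manager;user"

# Only if password reset is enabled: the Reset Password control access right.
# dsacls $ou /I:S /G "${svc}:CA;Reset Password;user"

# Review the resulting ACL on the OU.
dsacls $ou
```

Run it as an account that can modify the OU's security descriptor (for example a member of Domain Admins), not as the service account itself. The per-attribute grants mean a field that is later added to the editable set needs its own `dsacls` line; that is the cost of not using "Write all properties".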
Troubleshooting
Changes Don't Appear in AD
- Verify the service account has write permissions on the target OU
- Check the audit log for any error messages
- Ensure the AD connection is using credentials with write access (not a read-only account)
"Access Denied" Error
- The service account doesn't have sufficient permissions
- The object may be in a protected OU (e.g., Domain Controllers OU)
- Check for deny ACEs on the object or OU that might override allow permissions
Manager Change Fails
- Verify the new manager exists in the same AD forest
- Ensure write permission on the `manager` attribute is granted
- The manager must be a valid user object (not a contact or group)
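The PowerShell script below is an added example that is not part of IdentityCenter. It runs the checks from the three troubleshooting lists above against AD with the ActiveDirectory module: whether the service account has allow ACEs and whether deny ACEs exist on the OU or the object, whether a proposed manager is a user object in this forest, and whether AD itself recorded a write to the `manager` or `userAccountControl` attribute (replication metadata, which is independent of the IdentityCenter audit log). The service account, OU, user DN and manager DN are assumed names.

```powershell
# Added example (not IdentityCenter code): check the causes listed under Troubleshooting.
# Assumed names: CORP\svc-identitycenter, OU=Staff,DC=corp,DC=example, and two user DNs.
Import-Module ActiveDirectory

$svc       = 'CORP\svc-identitycenter'
$ou        = 'OU=Staff,DC=corp,DC=example'
$userDn    = 'CN=Jane Doe,OU=Staff,DC=corp,DC=example'
$managerDn = 'CN=John Roe,OU=Staff,DC=corp,DC=example'

# 1. Allow ACEs for the service account, and deny ACEs that could override them,
#    on the target OU and on the object itself. ObjectType is the schema GUID of the
#    attribute or property set the ACE covers (all-zero GUID = all properties).
foreach ($dn in @($ou, $userDn)) {
    $acl      = Get-Acl -Path "AD:\$dn"
    $svcAllow = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $svc -and $_.AccessControlType -eq 'Allow'
    })
    $denies   = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    '{0}: {1} allow ACE(s) for {2}, {3} deny ACE(s)' -f $dn, $svcAllow.Count, $svc, $denies.Count
    $denies | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# 2. Is the proposed manager a user object in this forest (not a contact or group)?
$forestDomains = (Get-ADForest).Domains
$managerDomain = (($managerDn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
if ($forestDomains -notcontains $managerDomain) {
    Write-Warning "Manager $managerDn is in $managerDomain, which is not a domain of this forest"
} else {
    $mgr = Get-ADObject -Identity $managerDn -Server $managerDomain -Properties objectClass
    if ($mgr.ObjectClass -ne 'user') {
        Write-Warning "Manager $managerDn is a '$($mgr.ObjectClass)' object, not a user"
    }
}

# 3. Did AD record a write at all? Replication metadata gives the last originating
#    change time, the DC it was written on, and a version counter per attribute.
#    Enable/disable changes userAccountControl; a manager change writes manager.
$dc = (Get-ADDomainController).HostName
Get-ADReplicationAttributeMetadata -Object $userDn -Server $dc -Properties manager, userAccountControl |
    Select-Object AttributeName, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version
```

Compare the `LastOriginatingChangeTime` from step 3 with the Timestamp of the entry in Administration > Audit Logs: if the audit log shows a successful change but the attribute's metadata did not move, the write never reached AD, which points back at the permission checks in step 1.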
Next Steps
- Browsing Objects — Navigate your directory data
- Lifecycle Management — Automate account lifecycle actions
- Access Reviews — Review and certify access