About IdentityMinder ...¿How to handle the cases of provisioning role for "Active Directory" endpoint ?
The create and delete user are simple cases, but the change that involves moving accounts between "OU" does not work automatically, after remove a provisioning role means that the account will be deleted in the "Active Directory" endpoint and after assign the new provisioning role the account is created. This usually affects the Exchange account and affects the user emails in Exchange Server creating an additional problem. Strong or Weak sincronization doesn't fit the ideal situation of move account and avoid recreate it.
An identity policy do the right automatic assign / unassign but on the endpoint not necessarily occur in the most convenient way.
¿ How avoid that the account is deleted on modify user operation (for remove ProvisioningRole member) and instead, ensure that privileges are assigned and automatically moved the account to a different OU if applicable? ¿What has been your experience dealing with this situation?