We have set up several OUs in our domain. We’ll call them CERT123 and CERTABC. Both of these certifiers have recovery authorities set to different sets of authorities (Admin123a, Admin123b, etc. and AdminABC1, AdminABC2, etc.). Joe User is registered as Joe User/CERT123/OurDomain. His recovery authorities, properly, are set as Admin123a, Admin123b, etc. Joe does well and is moved into the CERTABC organization. He is renamed from Joe User/Cert123/OurDomain to Joe User/CERTABC/OurDomain. His recovery authorities do not change to AdminABC1, AdminABC2, etc. His renamed ID file is sent to the original escrow database with the new certifier but with the old recovery authorities. Once in a while his renamed ID file will be sent to the correct escrow database, but it still retains the OLD recovery authorities.
This is beginning to cause some grief as the 123 admins are not supposed to have access to the ABC IDs and vice versa.
Renames are generally done with the CA process.
Are we doing something wrong or has anyone else seen this?
Thanks for any insight.
Dennis