Even RSA's own documentation lists it as a best practice to store the distinguishedName (DN) of an Active Directory Account as an Attribute on the Account within RSA IG&L.
During the Account creation process there is the option to use the Command Output Parameters to store this value on the Account in RSA IG&L (T_AV_ACCOUNTS). Any action which is undertaken in the same workflow, or before the next collection, can use this DN to perform its activities.
We still have a lot of clients who move Accounts around within Active Directory based on Location or Department, and we want to stay as close as possible to the supported methods of the RSA solution. Unfortunately, the Move an Account capability does not have such an option, which results in implementations where a manual update of T_AV_ACCOUNTS is needed (which is not supported by RSA).
If activities are performed within the same 'move' workflow, you have the option to store the DN in a variable, but sometimes there are separate requests.