I need some best practices on how to collect AD-related applications. Currently I have a directory (AD) where I am collecting all business-relevant groups, accounts and group memberships with an account collector.
Beyond AD as a directory, I have created many AD-related applications. This helps users easily find what they want to request and also makes it possible to administer business owners, related workflows, etc. From a business perspective, group memberships are handled as access in the application. Therefore I use account collectors that collect only groups. The applications are related to AD (the "directory for account" option is set to AD), so I suppose I don't have to collect accounts in the application collectors, sparing a lot of processing time.
Unfortunately I have some issues with this. The collector successfully collects groups and group members (even reference resolution is successful), but the accounts are orphaned. If I check the same accounts in AD, they are not orphaned. If I also collect accounts, the accounts will not be orphaned, but then what is the point of the "directory for account" option?
Another problem is that if I set AD as the directory for accounts, all the AD accounts will be listed on the "accounts" tab, not only the group member accounts, but the "who has access" tab will be empty. I have a workaround to get information onto the "who has access" tab, but I wonder if somebody has a more elegant solution.