Be aware that TEM currently does not support moving AD users to a different OU. The console stores each LDAP operator's distinguished name (DN), and the DN embeds the OU path, so once the AD object is moved the stored DN no longer matches and the operator can no longer log in to the console via LDAP.
This article describes what you need to do to restore such an LDAP account.
How do I get Console LDAP operators logging in again after their users have been moved to new OUs and groups?
This functionality is not yet available in TEM.
Here is the workaround:
1. Backup the database.
2. In SQL Server Management Studio, query the TEM database for the operator's current LDAP distinguished name. The following query returns it; replace "USERTOCHANGEDN" with the user name exactly as it appears in the Username column of the table. Copy the resulting value (right-click the cell and copy) into a text file; it is needed again in step 4.
select LdapDN from dbo.USERINFO where Username = 'USERTOCHANGEDN'
3. Obtain the new distinguished name using LDAP Explorer or Active Directory.
4. In SQL Server Management Studio click the New Query button and run the following query, replacing "NEWLDAPDN" with the new distinguished name obtained in step 3 and "OLDLDAPDN" with the value copied in step 2. Confirm that exactly one row is affected; if zero rows are affected, the old DN was not copied exactly.
update userinfo set LdapDN = 'NEWLDAPDN' where LdapDN = 'OLDLDAPDN'
5. On the TEM Server do the following:
a. Go to a command prompt and navigate to your BES Server directory (C:\Program Files\Bigfix Enterprise\BES Server by default).
b. Run the following command "besadmin.exe /resignsecuritydata"
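The following PowerShell script is an added example that performs the five workaround steps in one run; it is not part of the original article and is not BigFix code. It assumes the TEM database is named BFEnterprise on the local default SQL Server instance, that it runs on the TEM server under a Windows account with db_owner rights on that database, that the ActiveDirectory PowerShell module is available for the DN lookup, and that the console Username matches the AD identity (override with -AdIdentity if not). The backup path C:\BESBackups is hypothetical. Unlike the hand-typed queries above, it passes the user name and DNs as SQL parameters, keys the update on both Username and the old DN, and rolls back unless exactly one row changes.

```powershell
<#
  Added example, not from the original article or from BigFix.
  Assumptions: database BFEnterprise on the local default instance, Windows
  authentication with db_owner, ActiveDirectory module present, script run
  on the TEM server. Adjust the parameters for your site.
#>
param(
    [Parameter(Mandatory)] [string] $Username,   # value stored in dbo.USERINFO.Username
    [string] $AdIdentity   = $Username,           # assumed: AD identity equals the console user name
    [string] $SqlInstance  = 'localhost',
    [string] $Database     = 'BFEnterprise',      # assumed default TEM database name
    [string] $BackupDir    = 'C:\BESBackups',     # hypothetical backup location
    [string] $BesServerDir = 'C:\Program Files\BigFix Enterprise\BES Server'
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

function New-BesConnection([string] $Db) {
    $c = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlInstance;Database=$Db;Integrated Security=True")
    $c.Open()
    return $c
}

# Step 1: full backup first, so the DN edit can be reverted if the login still fails.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$bak = Join-Path $BackupDir ('{0}_{1:yyyyMMdd_HHmmss}.bak' -f $Database, (Get-Date))
$master = New-BesConnection 'master'
$cmd = $master.CreateCommand()
$cmd.CommandTimeout = 0
$cmd.CommandText = "BACKUP DATABASE [$($Database.Replace(']', ']]'))] TO DISK = @path WITH INIT"
[void]$cmd.Parameters.AddWithValue('@path', $bak)
[void]$cmd.ExecuteNonQuery()
$master.Close()
Write-Host "Backup written to $bak"

# Step 2: read the DN the console currently has on file (parameterised, not string-pasted).
$db  = New-BesConnection $Database
$cmd = $db.CreateCommand()
$cmd.CommandText = 'SELECT LdapDN FROM dbo.USERINFO WHERE Username = @u'
[void]$cmd.Parameters.AddWithValue('@u', $Username)
$oldDn = $cmd.ExecuteScalar()
if ($null -eq $oldDn -or $oldDn -is [DBNull] -or [string]$oldDn -eq '') {
    $db.Close()
    throw "No LDAP DN stored for console user '$Username' (not an LDAP operator, or wrong Username?)"
}
$oldDn = [string]$oldDn

# Step 3: obtain the new DN from Active Directory instead of copying it by hand.
$newDn = (Get-ADUser -Identity $AdIdentity).DistinguishedName
if ($newDn -eq $oldDn) {
    $db.Close()
    Write-Host "Stored DN already matches AD ($oldDn); nothing to do."
    return
}

# Step 4: update inside a transaction and insist on exactly one affected row.
$tx  = $db.BeginTransaction()
$cmd = $db.CreateCommand()
$cmd.Transaction = $tx
$cmd.CommandText = 'UPDATE dbo.USERINFO SET LdapDN = @new WHERE Username = @u AND LdapDN = @old'
[void]$cmd.Parameters.AddWithValue('@new', $newDn)
[void]$cmd.Parameters.AddWithValue('@u',   $Username)
[void]$cmd.Parameters.AddWithValue('@old', $oldDn)
$rows = $cmd.ExecuteNonQuery()
if ($rows -ne 1) {
    $tx.Rollback()
    $db.Close()
    throw "Expected exactly one row for '$Username' / '$oldDn' but $rows matched; rolled back."
}
$tx.Commit()
$db.Close()
Write-Host "Updated '$Username': '$oldDn' -> '$newDn'"

# Step 5: re-sign the security data from the BES Server directory.
Push-Location $BesServerDir
try {
    & .\besadmin.exe /resignsecuritydata
    if ($LASTEXITCODE -ne 0) { throw "besadmin.exe /resignsecuritydata exited with code $LASTEXITCODE" }
} finally {
    Pop-Location
}
```

Run it from an elevated PowerShell prompt on the TEM server, for example `.\Fix-LdapOperatorDn.ps1 -Username 'DOMAIN\jsmith'` (the script file name is hypothetical). Keying the update on Username as well as the old DN means a mistyped or stale DN cannot silently rewrite a different operator's row, which the bare `where LdapDN = ...` form above does not guard against.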