Several resolvers (1 and 2) with different policies were created and used for different Active Directory (AD) groups. Logic based on resolver priorities was used. If a user is moved to a different resolver, they are left without a token. How can this issue be resolved? (There are many users).
A user in privacyIDEA is identified via the triplet (realm, resolver, userid).
So if “a user is moved” to a different resolver… Wait - you can not move a user to a different resolver. You are creating a new resolver, that finds an object in AD in a different way.
Or you move the user object in AD or change the obejct in AD, so that a diffferent resolver finds this user object.
For privacyIDEA this is still a different user. You might find this counter intuitive. But hey, that is the way privacyIDEA works. And it makes sense in a lot of cases. Thus one object in AD can take different roles in privacyIDEA.