I've got a bit of a problem that I'm trying to come up with a good solution
for... here's the situation.

Our primary tree spans 11 physical sites, with an OU for each site, and a
local admin that manages their own OU. In the past we've allowed for
duplicate login names across separate OUs.

Now this is creating a problem. We're using IDM to sync to a vault, using
our primary tree as the primary directory (i.e. we have a one-way sync).
In turn, the vault then syncs with AD. AD does not allow duplicate login names.

Site admins do not have access to our vault nor our AD tree. Ideally, I
don't want to assign them rights to additional trees.

I plan on dealing with existing duplicates manually. What I want to prevent
is our local OU admins from creating logins that conflict with users in
separate OUs in the future.

Has anyone dealt with a situation like this before? Does anyone have an
idea on how I might be able to work around this?