So I need to fix up UPNnames and SamAccountNames in AD. Seems like we
had a typo for months, and now it matters.

Wrote a rule, queries the vault for the current values we want to use so
I get them into cache.

Now object by object I resolve the DN in the vault to an association
value, then I try to query the current SAM and UPN from the AD tree.

Using Dest-attr or Query against userPrincipalName works fine, as it is
not in the schema map.

Using Query against DirXML-ADAliasName fails, no such attribute. Using
it against sAMAccountname it returns the Sam name, gets converted to
DirXML-ADAliasName by the schema map rule, and the token returns an
empty string, since there is no sAMAccountName in the resulting
document. Same issue with Query. (I have to Query to a nodeset and
XPATH it out, so I can work around it).

Is this working as designed?