GuideZendeskDriftSafe-to-apply

How to Fix the Wrong Default Organization for a Zendesk User

A user is already a member of the right Zendesk organization, but their default org is wrong. Gremlin emits user_default_org_not_expected and auto-prepares move_user_to_org as one of the 4 safe actions. Apply under a matching --confirm-plan-hash. No new memberships, no removals.

Published April 17, 2026 - Part of the Zendesk drift audit guide

Read the pillar integration guideSee the drift playbook

Short answer

Safe-to-apply. Promotes an existing membership to default. No new access.

  • user_default_org_not_expected means the user is already a member of the expected org but their default org is different.
  • Gremlin auto-prepares move_user_to_org. The action calls Zendesk’s organization membership make_default endpoint.
  • No memberships are added or removed. The user gains no new access.
  • Dry-run, then apply with --apply and --confirm-plan-hash matching fix_plan.json.plan_hash.
  • Caps are enforced up front: --max-actions 25 and --max-per-account 3 by default.

When move_user_to_org is safe to apply

Four preconditions. All must hold, or the action is not prepared.

User maps deterministically to one account

Non-personal email domain resolves to exactly one Salesforce account and one expected Zendesk org. Personal email domains are excluded from user drift detection entirely.

Account not blocked upstream

The account is not ambiguous due to duplicate external_ids. If it is, the issue becomes user_resolution_blocked_duplicate_external_id and is review-only.

User is already a member of the target org

This is what makes the action safe. move_user_to_org only promotes an existing membership to default. It never creates or removes memberships.

Current default org differs from expected

If the default already matches the expected org, there is no drift and no action is prepared.

Fix a wrong default organization from the terminal

# 1. Trace one user
g-gremlin zendesk drift trace --zendesk-user-id 48151623

# 2. Dry-run the plan
g-gremlin zendesk drift apply \
  --plan ./artifacts/zendesk_drift/20260417_221530Z_audit/fix_plan.json

# 3. Live apply, restricted to move_user_to_org for a staged rollout
g-gremlin zendesk drift apply \
  --plan ./artifacts/zendesk_drift/20260417_221530Z_audit/fix_plan.json \
  --apply \
  --confirm-plan-hash 8c5d4d4d4b0f1a... \
  --action move_user_to_org \
  --max-actions 25 \
  --max-per-account 3

--action move_user_to_org restricts the live apply to this one action type, useful when ops wants to ship user default fixes separately from org fixes.

Resolution path

1

Run the audit

g-gremlin zendesk drift audit surfaces user_default_org_not_expected in user_issues.csv and auto-prepares move_user_to_org actions in fix_plan.csv when preconditions hold.

2

Trace the user

g-gremlin zendesk drift trace --zendesk-user-id <id> shows current_default_org_id, membership_org_ids, expected_org_id, and the email domain used for resolution.

3

Dry-run the plan

g-gremlin zendesk drift apply --plan <fix_plan.json> revalidates preconditions and writes a simulated apply_receipt.json. No writes.

4

Live apply

g-gremlin zendesk drift apply --plan <fix_plan.json> --apply --confirm-plan-hash <hash>. Make --max-per-account tighter for a staged rollout.

5

Verify the receipt

apply_receipt.json shows applied, skipped, and blocked counts per action. Skipped rows explain why, typically because the preconditions changed between audit and apply.

FAQ

What does user_default_org_not_expected mean?

A Zendesk user already has the expected Salesforce-mapped organization in their memberships, but their default organization (user.organization_id) is different. This is a real routing problem: tickets created by the user default to the wrong org and can land on the wrong account team.

How does move_user_to_org fix it?

move_user_to_org calls the Zendesk organization membership make_default endpoint on the existing target membership. It promotes a membership the user already has. It does not add a new membership and does not remove any existing membership.

Why is move_user_to_org safe to apply?

Because the user is already a member of the target org. Gremlin is not granting new access or revoking existing access. The worst outcome on a concurrent edit is a skipped action recorded explicitly in apply_receipt.json, not a data loss or permission change.

What is the difference between move_user_to_org and assign_user_to_org?

assign_user_to_org adds a missing membership to the target org when the user is not already a member. It fixes user_missing_expected_membership. move_user_to_org promotes an existing membership to default when the user is already a member. It fixes user_default_org_not_expected. They are separate safe actions with separate preconditions.

Does Gremlin change user permissions?

No. Gremlin does not touch user roles, agent status, group membership, or any permission surface. The write scope is limited to organization membership changes described in the 4 safe action taxonomy.

What happens to users on personal email domains?

Personal email domains (gmail.com, outlook.com, yahoo.com, icloud.com, hotmail.com, protonmail.com, and similar) are suppressed from domain-based user drift detection. End-users on those domains are only linked through a deterministic path like an existing membership on a uniquely resolved Zendesk org. Otherwise they remain unmatched by design.

Related Zendesk drift pages

Salesforce and Zendesk integration pillar

The audit-first integration contract: 12 issue codes, 4 safe actions, plan-hash-protected apply.

Open page

Zendesk drift playbook

Operator execution log: Slack message, prompt, audit, review, dry-run, apply.

Open page

Link a Zendesk organization to a Salesforce account

The safe-to-apply path for org_missing_external_id.

Open page

Fix duplicate external_id in Zendesk

The critical blocker: two orgs share the same external_id.

Open page

Zendesk domain collision between organizations

What to do when the expected domain belongs to another Zendesk org.

Open page

Audit Zendesk and Salesforce sync from the CLI

The focused CLI walkthrough for the drift audit workflow.

Open page

Keep the conversation going

These pages are meant to help operators solve real problems. If you want the next guide, grab the low-friction option. If you need the implementation, not just the guide, book time.

Stay in the loop

Get the next guide when it ships

I publish architecture guides grounded in real implementations. No generic AI filler.

Use your work email so I can keep the list useful and relevant.

Book Mike directly

Need the implementation, not just the guide?

Book a 15-minute working session with Mike right on his calendar. Tooling, consulting, or a mix of both is fine.

Open Mike's calendar

If you want me to come in with context, leave your email and a short note before the call.

I'll route new requests into the internal website inquiries inbox so I can follow up fast.