Design Concepts: Using FIM to enable or disable accounts in Active Directory
Experts Corner Article Wiki Page: Using FIM to enable or disable accounts in Active Directory
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
December 24th, 2009 8:37pm

Hello Markus, I am trying to use this article to update the AD synchronization rule I created using the TechNet documentation for Publishing users from 2 data sources. The accounts are being created in the FIMObjects OU but are being provisioned disabled. I am unsuccessful at updating the outbound flow definition because the option to select useraccesscontrol under flag:Integer is not available. Am I missing something? Thanks ahead!
January 27th, 2010 4:35am

You need to select the attribute in the configuration of your ADMA.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 27th, 2010 7:12pm

Hi Markus, First off, excellent article! In order for the SR to "read" the existing value, don't you also have to create an Inbound flow for userAccountControl and contribute it to the metaverse? Since this is not there by default, it requires a schema extension for the person object in the MV. I could not see userAccountControl in the "Source" tab of the Outbound SR until I had added it previously through an Inbound SR. Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
April 12th, 2010 9:17pm

Thanks, Brad. The focus so far was just about how to set the values from a technical perspective - which means, how to set or clear the related bit. However, you are right, I should add a section about the complete lifecycle to the article. Will do this soon.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
April 13th, 2010 12:31am

Hi Markus, just a question about your bit mask value of '9223372036854775805'. I think that since FIM's integers are 64 bit signed integers and that value is positive, it has the first bit set to 0. Shouldn't the signed 64 bit integer with all bits set but the second one be -3?
Cheers,
Paolo
Paolo Tedesco - http://cern.ch/idm
April 19th, 2010 2:56pm

Is there any value in setting the minimum/maximum inclusive values for the new custom integer attribute - userAccountControl? Thanks.
Anu
May 7th, 2010 8:19pm

Yep, great article. It's a bit strange that the article doesn't show what I would think that most people could use. Get it? "A bit Strange" :) Anyway, it's just my humble opinion that this would be more useful if we could just provide the actual steps in the FIM UI to manipulate the userAccountControl on an OSR to AD. I am easily confused and it just seems to me that showing how to flow this attribute into FIM would not be as useful to the general community as flowing the attribute in an AD OSR. I think Jorge's http://blogs.dirteam.com/blogs/jorge/archive/2010/07/29/managing-the-useraccountcontrol-attribute-in-ad-by-fim.aspx comes close but if you are a newbie it really is very difficult to actually set the OSR up from that. In the TechNet documentation the examples only really show direct flows such as "userAccountControl => 514". This is fine if we don't care about the other bits.
Paul
Paul N Smith
May 24th, 2011 7:19pm
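
Added example, not part of the thread or the article: the bit arithmetic discussed above (the two 64-bit mask values and the direct flow of 514), with Python's bitwise operators standing in for the AND/OR a sync rule would apply. Flag values are the documented AD userAccountControl bits; the function names and the sample account value are assumptions made for illustration.

```python
# Added example (not from the thread): userAccountControl bit handling.
# Flag values are the documented AD userAccountControl bits; sample account
# values below are constructed. Function names are hypothetical.
ACCOUNTDISABLE = 0x00002
NORMAL_ACCOUNT = 0x00200
DONT_EXPIRE_PASSWORD = 0x10000

MASK_POSITIVE = 9223372036854775805  # mask value quoted in the thread
MASK_MINUS_3 = -3                    # alternative raised in the thread
DIRECT_FLOW_DISABLED = 514           # constant flow quoted in the thread


def to_int64(value):
    """Interpret the low 64 bits of value as a signed 64-bit integer."""
    value &= 0xFFFFFFFFFFFFFFFF
    return value - (1 << 64) if value >> 63 else value


def bits64(value):
    """Hex view of the 64-bit two's-complement pattern."""
    return format(value & 0xFFFFFFFFFFFFFFFF, "016X")


def enable(uac, mask):
    """Clear ACCOUNTDISABLE by AND-ing with a mask; other bits survive."""
    return to_int64(uac & mask)


def disable(uac):
    """Set ACCOUNTDISABLE by OR-ing; other bits survive."""
    return to_int64(uac | ACCOUNTDISABLE)


def lost_flags(before, after):
    """Bits other than ACCOUNTDISABLE that differ between two values."""
    return (before ^ after) & ~ACCOUNTDISABLE & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample: enabled account whose password never expires.
    current = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD            # 66048
    disabled = disable(current)                                # 66050
    print(bits64(MASK_POSITIVE), bits64(MASK_MINUS_3))
    print(enable(disabled, MASK_POSITIVE), enable(disabled, MASK_MINUS_3))
    # Overwriting with the constant drops DONT_EXPIRE_PASSWORD:
    print(hex(lost_flags(current, DIRECT_FLOW_DISABLED)))      # 0x10000
```

The two masks differ only in bit 63, so for any userAccountControl value that fits in the low 32 bits they produce the same result; the constant flow is the case that discards the other flags.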

This topic is archived. No further replies will be accepted.