Enabling / Disabling Active Directory Users
Hi Markus, I'm doing something wrong! I read your article and have tried to implement this in an AD sync rule but have had no success in updating the AD userAccountControl attribute. Hardcoding the attribute to 512 or 514 works, but when I try using BitOr and BitAnd the attribute does not get updated correctly. I've uploaded my AD sync rule; maybe someone can see what I am doing wrong.

Synchronization Rule Configuration
  Name: VCC Employee AD Sync Rule
  Description:
  Created Time: 6/19/2010
  Precedence: 1
  Data Flow Direction: Inbound and Outbound
  Dependency:

Scope
  Metaverse Resource Type: person
  External System: ADMA
  External System Resource Type: user

Relationship
  Create Resource In FIM: True
  Create Resource In External System: True
  Enable Deprovisioning: False

Connected Object Scope
  Source Attribute | Operation | Value
  employeeType     | EQUAL     | Employee

Relationship Criteria
  ILM Attribute | Data Source Attribute
  accountName   | sAMAccountName

Inbound Attribute Flows
  Destination                | Source
  displayName                | displayName
  BannerPersonType           | employeeType
  firstName                  | givenName
  middleName                 | middleName
  msExchHideFromAddressLists | msExchHideFromAddressLists
  objectSid                  | objectSid
  officeLocation             | roomNumber
  accountName                | sAMAccountName
  lastName                   | sn
  officePhone                | telephoneNumber
  jobTitle                   | title
  userAccountControl         | userAccountControl
  domain                     | CustomExpression(IIF(Eq(Left(ConvertSidToString(objectSid),40),"S-1-5-21-897455486-4218859501-3692190882"),"VCCTEST","Unknown"))

Initial Outbound Attribute Flows
  Allow Nulls | Destination                | Source
  false       | msExchHideFromAddressLists | Constant: true
  false       | dn                         | +("CN=",accountName,",OU=",employeeType,"s,OU=User Accounts,DC=vcctest,DC=ca")

Persistent Outbound Attribute Flows
  Allow Nulls | Destination        | Source
  false       | sAMAccountName     | accountName
  false       | employeeType       | BannerPersonType
  false       | displayName        | displayName
  false       | mail               | email
  false       | employeeID         | employeeID
  false       | givenName          | firstName
  false       | sn                 | lastName
  true        | employeeNumber     | BannerBarCode
  true        | extensionName      | BannerIDStatus
  true        | houseIdentifier    | BannerVirtualPin
  true        | department         | Mid(department,1,64)
  true        | title              | jobTitle
  true        | middleName         | middleName
  true        | roomNumber         | officeLocation
  true        | telephoneNumber    | officePhone
  false       | userPrincipalName  | +(accountName,"@vcctest.ca")
  false       | unicodePwd         | BannerDefaultPassword
  false       | pwdLastSet         | Constant: 0
  false       | userAccountControl | CustomExpression(IIF(Eq(BannerExpiryFlag,"Y"),BitOr(2,userAccountControl),BitAnd(9223372036854775805,userAccountControl)))
June 22nd, 2010 8:49pm

I have a hunch: is your problem by chance that all accounts initially end up as disabled accounts? The problem is that you have a bit operation that includes uAC; however, during provisioning uAC doesn't have a value yet. I don't have time to test this right now, but I'm curious to see what your configuration actually stages for uAC in the case of a newly provisioned account. To address this, an additional test is needed in the custom expression that checks whether uAC has a value in the metaverse:

  If IsPresent(MV.uAC) Then
    Do the bit operation
  Else
    Assign static value (512/514)
  End If

Does this make sense?

Cheers,
Markus

Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 23rd, 2010 12:35am
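The bit logic Markus describes, written out in PowerShell as an added example (not code from the thread or from FIM) so the arithmetic can be checked outside a sync rule before it is wired into a custom expression. The function names, the constructed sample inputs and the use of the ActiveDirectory module in the optional apply path are my own assumptions; the only facts taken from the thread are the flag values 512 (NORMAL_ACCOUNT), 2 (ACCOUNTDISABLE) and the "uAC not yet present" case.

```powershell
# Added example, not part of the original thread. Mirrors the intended custom expression:
#   expired     -> BitOr(2, uAC)          (set ACCOUNTDISABLE, keep every other flag)
#   not expired -> BitAnd(-3, uAC)        (clear ACCOUNTDISABLE, keep every other flag)
#   uAC absent  -> static 514 / 512       (newly provisioned object, nothing to mask yet)
# The ActiveDirectory module is assumed only for the optional Set-UserEnabledState path.

$ACCOUNTDISABLE = 0x0002   # bit 2 of userAccountControl
$NORMAL_ACCOUNT = 0x0200   # 512

function Get-DesiredUserAccountControl {
    param(
        [Parameter(Mandatory)] [bool] $Expired,    # equivalent of Eq(BannerExpiryFlag,"Y")
        [AllowNull()] [Nullable[int]] $Current     # metaverse uAC; $null when not present
    )

    # IsPresent() check: during initial provisioning there is no uAC in the
    # metaverse, so a bit operation on it has nothing to work with. Fall back
    # to the static value instead.
    if ($null -eq $Current) {
        if ($Expired) { return ($NORMAL_ACCOUNT -bor $ACCOUNTDISABLE) }
        return $NORMAL_ACCOUNT
    }

    # Existing object: only touch bit 2 so flags such as DONT_EXPIRE_PASSWORD
    # (0x10000) or PASSWD_NOTREQD (0x20) survive the enable/disable flip.
    if ($Expired) { return ($Current -bor $ACCOUNTDISABLE) }
    return ($Current -band (-bnot $ACCOUNTDISABLE))   # -bnot 2 is -3, the mask in the rule
}

function Set-UserEnabledState {
    # Optional: apply the computed value to a real account. Assumes the
    # ActiveDirectory module (Get-ADUser / Set-ADUser) is available.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [bool]   $Expired
    )
    $u   = Get-ADUser -Identity $SamAccountName -Properties userAccountControl
    $new = Get-DesiredUserAccountControl -Expired $Expired -Current $u.userAccountControl
    if ($new -ne $u.userAccountControl) {
        Set-ADUser -Identity $u -Replace @{ userAccountControl = $new }
    }
    return $new
}

# Constructed sample inputs (not real accounts): a new object with no uAC yet,
# and existing objects that already carry DONT_EXPIRE_PASSWORD (0x10000).
$cases = @(
    @{ Expired = $false; Current = $null  },
    @{ Expired = $true;  Current = $null  },
    @{ Expired = $true;  Current = 66048  },   # 0x10000 + 512, currently enabled
    @{ Expired = $false; Current = 66050  }    # 0x10000 + 512 + 2, currently disabled
)

foreach ($case in $cases) {
    $shown  = if ($null -eq $case.Current) { 'absent' } else { $case.Current }
    $result = Get-DesiredUserAccountControl -Expired $case.Expired -Current $case.Current
    '{0,-6} {1,-7} -> {2} (0x{2:X})' -f $case.Expired, $shown, $result
}
```

Running the loop shows why the bit operations are worth the extra IsPresent test rather than hardcoding 512/514: an account that already had DONT_EXPIRE_PASSWORD set keeps it across the flip, whereas writing a constant 512 would silently drop that flag.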

Hi Markus, I know what you are saying. I can't remember, but I think it throws an error on new accounts since the userAccountControl has not been populated to the MV. The following is the rule I have in my production environment, which is not working:

IIF(BannerExpiryFlag,CustomExpression(IIF(IsPresent(userAccountControl),BitOr(2,userAccountControl),514)),CustomExpression(IIF(IsPresent(userAccountControl),BitAnd(-3,userAccountControl),512)))

If I take out the bit operations and just hardcode it to the respective values it works fine. I can change it back and forth:

IIF(BannerExpiryFlag,514,512)
June 24th, 2010 2:24am

Hi... take a look at http://social.technet.microsoft.com/Forums/en/ilm2/thread/326714af-9e6e-4821-8c24-3fad32ac7ce6 ... Are you flowing userAccountControl in your FIM MA?

Cheers,
***** Paulo H. Campos - São Paulo/Brasil ***** http://identitypedia.blogspot.com (in PT-BR)
June 24th, 2010 3:00am

Sorry, I totally forgot to update the resolution for this. Yes, userAccountControl is being flowed into the FIM MA. I ended up contacting TAS for help. The simple resolution was to set "Use equal precedence" for the userAccountControl attribute, which makes sense now. The Metaverse Designer is very confusing because it only shows the import flow, which only showed one connection for the attribute, so I didn't think it needed to be set to "Use equal precedence".
August 17th, 2010 8:45pm
