Enabling / Disabling Active Directory Users
Hi Markus,
I'm doing something wrong! I read your article and have tried to implement this in an AD sync rule but have had no success in updating the AD userAccountControl attribute. Hardcoding the attribute to 512 or 514 works, but when I try using BitOr and BitAnd the attribute does not get updated correctly. I've uploaded my AD sync rule; maybe someone can see what I am doing wrong.
Synchronization Rule Configuration

Name: VCC Employee AD Sync Rule
Description: (empty)
Created Time: 6/19/2010
Precedence: 1
Data Flow Direction: Inbound and Outbound
Dependency: (none)

Scope
  Metaverse Resource Type: person
  External System: ADMA
  External System Resource Type: user

Relationship
  Create Resource In FIM: True
  Create Resource In External System: True
  Enable Deprovisioning: False

Connected Object Scope (Source Attribute / Operation / Value)
  employeeType EQUAL Employee

Relationship Criteria (ILM Attribute = Data Source Attribute)
  accountName = sAMAccountName

Inbound Attribute Flows (Destination <- Source)
  displayName <- displayName
  BannerPersonType <- employeeType
  firstName <- givenName
  middleName <- middleName
  msExchHideFromAddressLists <- msExchHideFromAddressLists
  objectSid <- objectSid
  officeLocation <- roomNumber
  accountName <- sAMAccountName
  lastName <- sn
  officePhone <- telephoneNumber
  jobTitle <- title
  userAccountControl <- userAccountControl
  domain <- CustomExpression(IIF(Eq(Left(ConvertSidToString(objectSid),40),"S-1-5-21-897455486-4218859501-3692190882"),"VCCTEST","Unknown"))

Initial Outbound Attribute Flows (Allow Nulls | Destination <- Source)
  false | msExchHideFromAddressLists <- Constant: true
  false | dn <- +("CN=",accountName,",OU=",employeeType,"s,OU=User Accounts,DC=vcctest,DC=ca")

Persistent Outbound Attribute Flows (Allow Nulls | Destination <- Source)
  false | sAMAccountName <- accountName
  false | employeeType <- BannerPersonType
  false | displayName <- displayName
  false | mail <- email
  false | employeeID <- employeeID
  false | givenName <- firstName
  false | sn <- lastName
  true  | employeeNumber <- BannerBarCode
  true  | extensionName <- BannerIDStatus
  true  | houseIdentifier <- BannerVirtualPin
  true  | department <- Mid(department,1,64)
  true  | title <- jobTitle
  true  | middleName <- middleName
  true  | roomNumber <- officeLocation
  true  | telephoneNumber <- officePhone
  false | userPrincipalName <- +(accountName,"@vcctest.ca")
  false | unicodePwd <- BannerDefaultPassword
  false | pwdLastSet <- Constant: 0
  false | userAccountControl <- CustomExpression(IIF(Eq(BannerExpiryFlag,"Y"),BitOr(2,userAccountControl),BitAnd(9223372036854775805,userAccountControl)))
June 22nd, 2010 8:49pm
I have a hunch – is your problem by chance that all accounts end initially up as disabled accounts?
The problem is that you have a bit operation that includes uAC; however, during provisioning uAC doesn’t have a value yet.
I don't have time to test this right now, but I'm curious to see what your configuration actually stages for uAC in the case of a newly provisioned account.
To address this, an additional test is needed in the custom expression that checks whether uAC has a value in the metaverse:
If IsPresent(MV.uAC) Then
    Do the bit operation
Else
    Assign static value (512/514)
End If
Does this make sense?
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 23rd, 2010 12:35am
Hi Markus,
I know what you are saying. I can't remember, but I think it throws an error on new accounts since the userAccountControl has not been populated to the MV. The following is the rule I have in my production environment, which is not working:

IIF(BannerExpiryFlag,CustomExpression(IIF(IsPresent(userAccountControl),BitOr(2,userAccountControl),514)),CustomExpression(IIF(IsPresent(userAccountControl),BitAnd(-3,userAccountControl),512)))

If I were to take out the bit operations and just hardcode it to the respective values, it works fine. I can change it back and forth:

IIF(BannerExpiryFlag,514,512)
June 24th, 2010 2:24am
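Worked example, added here and not part of the thread or of FIM itself: a Python model of the rule above, including the IsPresent fallback Markus describes, evaluated with both clearing masks that appear in the thread (-3 and 9223372036854775805). It assumes BannerExpiryFlag is the string "Y" when the account should be disabled and that a metaverse attribute that is not yet present is represented as None; the flag constants are the documented AD userAccountControl bits. It also shows what the 512/514 hardcode costs: any other flag already set on the account, such as DONT_EXPIRE_PASSWORD, is overwritten.

```python
# Constructed model of the thread's FIM custom expression; not FIM code.
ACCOUNTDISABLE = 0x0002         # userAccountControl bit that disables the account
NORMAL_ACCOUNT = 0x0200         # 512; 512 | 2 == 514 (disabled normal account)
DONT_EXPIRE_PASSWORD = 0x10000  # 65536; used only to show other flags survive

# Both masks used in the thread clear ACCOUNTDISABLE and leave the other
# userAccountControl bits alone (the second is 0x7FFFFFFFFFFFFFFD).
MASK_NEG3 = -3
MASK_INT64 = 9223372036854775805


def uac_from_expiry_flag(expiry_flag, current_uac, clear_mask=MASK_NEG3):
    """Mirror of:
    IIF(BannerExpiryFlag,
        IIF(IsPresent(userAccountControl), BitOr(2, userAccountControl), 514),
        IIF(IsPresent(userAccountControl), BitAnd(mask, userAccountControl), 512))
    current_uac is None when the attribute is not yet in the metaverse
    (the newly provisioned account case), so IsPresent() is false.
    """
    disable = expiry_flag == "Y"
    if current_uac is None:
        return NORMAL_ACCOUNT | ACCOUNTDISABLE if disable else NORMAL_ACCOUNT
    if disable:
        return current_uac | ACCOUNTDISABLE      # BitOr(2, uAC)
    return current_uac & clear_mask              # BitAnd(mask, uAC)


def hardcoded_uac(expiry_flag):
    """The fallback rule IIF(BannerExpiryFlag,514,512): correct for the
    disable bit, but it replaces the whole value and drops every other flag."""
    return 514 if expiry_flag == "Y" else 512


def is_disabled(uac):
    return bool(uac & ACCOUNTDISABLE)


if __name__ == "__main__":
    existing = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD   # 66048, a real-world value
    print("new, expired:      ", uac_from_expiry_flag("Y", None))
    print("bit op, keep flags:", uac_from_expiry_flag("N", existing | ACCOUNTDISABLE))
    print("hardcode, lost flag:", hardcoded_uac("N"))
```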
Hi...
take a look at
http://social.technet.microsoft.com/Forums/en/ilm2/thread/326714af-9e6e-4821-8c24-3fad32ac7ce6 ...
Are you flowing useraccountcontrol in your FIM MA?
Cheers,
***** Paulo H. Campos - São Paulo/Brasil ***** http://identitypedia.blogspot.com (in PT-BR)
June 24th, 2010 3:00am
Sorry, I totally forgot to update the resolution for this. Yes, userAccountControl is being flowed into the FIM MA. I ended up contacting TAS for help. The simple resolution was to set "Use equal precedence" for the userAccountControl attribute, which makes sense now. The Metaverse Designer is very confusing because it only shows the import flow, which only showed one connection for the attribute, so I didn't think it needed to be set to "Use equal precedence".
August 17th, 2010 8:45pm