Hi, Just wondering if anyone can provide or knows of some step by step instructions to import/export current users to from the AD with their account status value so fim knows whether the account is active or not. (userAccountControl) I want to incorporate this into my live environment but want to make sure in my dev first that FIM always knows the status of an AD account so users are reactivated during sync. Ive read about bitand and bitor orperations but i few instructions on exactly what needs to be setup and (sync rules) and flow mapping configurations would be IMMENSELY helpful... Kind Regards, StuCheers Stu

You might check this out: http://blogs.dirteam.com/blogs/jorge/archive/2010/07/29/managing-the-useraccountcontrol-attribute-in-ad-by-fim.aspxhttp://setspn.blogspot.com

Have you seen Using FIM to enable or disable accounts in Active Directory yet? This should answer your question. Let me know if it doesn't. Cheers, Markus Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Thanks markus, a fantastic article but not quite specific enough for what im trying to achieve, i dont want to enable or disable accounts just yet i just want to import accounts with there current status..as they are already in existence in the ad (when i sync to the ad, i dont want there to be problems with accounts changed there status from disabled to enabled etc) cheers stuCheers Stu

Thanks markus, a fantastic article but not quite specific enough for what im trying to achieve, i dont want to enable or disable accounts just yet i just want to import accounts with there current status..as they are already in existence in the ad (when i sync to the ad, i dont want there to be problems with accounts changed there status from disabled to enabled etc) cheers stuCheers Stu

Not sure if you can do this 'codeless' but if you want to do it via MA Extension code, you can try If (csentry("userAccountControl").IntegerValue And 2) = 2 Then mventry("UserAccountStatus").StringValue = "disabled" Else mventry("UserAccountStatus").StringValue = "enabled" End If

Thomas, These instructions seem right however they are a bit vague...i cant seem to do the following BOLDED parts and ive added the useraccountcontrol (number) and employeestatus (string) attributes to the MV designer and in the portal schema management...please help. INSTRUCTIONS: If you want to do this using declarative flow rules (Sync Rules), then you need to the following: The attribute "employeeStatus" must be available as a string attribute in the Metaverse. The attribute "userAccountControl" must be selected to be imported from AD. The attribute "userAccountControl" must be available as a number attribute in the Metaverse. In the Portal you need an Inbound Sync Rule for the AD MA. SOURCE = userAccountControl TARGET = userAccountControl < attribute dosent appear in the list of available 'destination' attributes In the Portal you need an Outbound Sync Rule for the AD MA. For the INITIAL FLOW in the outbound sync rule you can use the following: SOURCE = IIF(Eq(employeeStatus,"Enabled"),512,514) TARGET = userAccountControl For the PERSISTENT FLOW in the outbound sync rule you can use the following: SOURCE = IIF(Eq(employeeStatus,"Enabled"),IIF(IsPresent(userAccountControl), BitAnd(33554397,userAccountControl),512),IIF(IsPresent(userAccountControl),BitOr(2,userAccountControl),514)) < throws an error "UserAccountControl is not a valid attribute" TARGET = userAccountControl Can you shed some light as to why fim wont allow me to do the above?? StuCheers Stu