Re-Joining of contractors
Hi all, I had 1500 contractor profiles in FIM 2010. They were synced with AD (Windows Server 2008 R2). The disablement rule gets attached when the contractor's LWD is reached. 500 contractors' LWD was reached and they got disabled in AD. The disablement AD rule has 2 outbound attribute flows:

UAC<--514 (marked as existence)
DN<--CN="AccountName",OU=DisabledUsers,DC=fabrikam,DC=com

"disconnect fim resource from external system when this sync rule is removed" is checked only. The disablement DRE has also been attached to these 500 contractors. Now I want their user account to be 512 and moved to their OU=contractor,DC=fabrikam,DC=com. This is what I did:

Changed the employeestatus of a contractor to Yes.
AD outbound rule is attached. (No initial flow as we are using provisioning rule extension for creation of accounts.)
Delta import and delta sync of FIM.
In the sync the user gets renamed in AD, i.e. moved from disabled to contractor.
But the UAC remains 514.
Even if I change the UAC to 512 in AD, in the next sync it again sets to 514.

I am in a fix; I need to re-enable these contractors. When I remove the disablement sync rule, the user gets deleted and re-created in AD, which means a new mailbox. I want the users to be working as existing. Please help as the code is in production and is impacting a lot.

HBB
August 28th, 2012 8:27am

My crystal ball might be a bit fuzzy today ... can you present how your flow for userAccountControl is constructed? Is this in a synchronization rule defined in the portal for a user? If yes - do you have an ERE for this user for this rule? If yes - what is the flow definition for the userAccountControl attribute there? Do you have multiple synchronization rules which control this attribute (for example one for standard and one for disabled users)? If you are not using declarative synchronization rules then this logic is in the code of a rules extension - seeing this code would help us understand what might cause this issue.
August 28th, 2012 10:25am

I am populating the UAC in the MV Rule Extension.

    if (0 == connectors)
    {
        while (!uniqueDN)
        {
            try
            {
                csentrye[UserAccountControl].IntegerValue = 512;
                // other attributes
            }
            catch
        }
    }

I am using 1 sync rule for setting the UAC to 514 at the time of disablement. What am I missing?

HBB
August 29th, 2012 3:46am

Thank you all. I was able to resolve the same by changing the deprovisioning rule in the AD MA.

HBB
August 31st, 2012 1:38pm
