UserAccountControl
Hi, I have a problem with the correct flow rules for my UserAccountControl attribute in AD. I want to disable/enable an account based on the attribute AccountDisabled. For that the CustomExpression is easy:

IIF(AccountDisabled,
    IIF(IsPresent(userAccountControl),BitOr(2,userAccountControl),514),
    IIF(IsPresent(userAccountControl),BitAnd(2,userAccountControl),512)
)

Now the complex thing! I have 4 other attributes in my connected HR system:
ad_UserCannotChangePassword
ad_UserPasswordNeverExpire
ad_UserMustChangePasswordatNextLogon
ad_UserSmartCardRequired
How can I handle that? At the moment I have no idea. Greets
December 27th, 2010 11:08am

From the MIIS era, I used to have this in the AD MA 'map attributes for export' to set UserMustChangePasswordatNextLogon=true for new users:

Case "pwdlastset"
    If Not csentry.DN.ToString.Contains(ExceptionsUsersContainer) And mventry("employeeID").IsPresent Then
        If Not csentry("pwdLastSet").IsPresent Then
            csentry("pwdLastSet").Values.Add(0)
        End If
    End If

Same with other attributes... just create a user in AD, check the options you need and compare the user's attributes to its original state. That's easy.
December 27th, 2010 11:17am

Verbalhoodz,

Disable a user account
I'm not entirely sure flowing "bitand 2,useraccountcontrol" will enable the account. I was under the impression that you'd have to flow "bitand -3,useraccountcontrol" or "bitand 33554397,useraccountcontrol" to enable the account. So I think your example is wrong. As for disabling the account, "bitor 2,useraccountcontrol" should be fine. Check http://blogs.dirteam.com/blogs/jorge/archive/2010/07/29/managing-the-useraccountcontrol-attribute-in-ad-by-fim.aspx

ad_UserMustChangePasswordatNextLogon
Evgeniy is right, check http://msdn.microsoft.com/en-us/library/aa746510(VS.85).aspx

ad_UserCannotChangePassword
That's harder; in Active Directory "user cannot change password" is handled by ACLs on the user object. I have no experience handling security on user objects through FIM (rules extensions?).

ad_UserPasswordNeverExpire, ad_UserSmartCardRequired
Check http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
Peter has a nice userAccountControl calculator on his blog; it's referenced in this post: http://identityunderground.wordpress.com/2007/11/30/miis-and-ad-useraccountcontrol/

http://setspn.blogspot.com
December 27th, 2010 11:38am

Using FIM to enable or disable accounts in Active Directory.

Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
December 27th, 2010 5:52pm

@Thomas: Yes, my example was wrong. The correct flow is "bitand -3,useraccountcontrol". For enabling and disabling the account it works, but if I have other attributes like pwneverexpires and so on, how can I put this in a CustomExpression flow rule? With the following rule it doesn't enable the account if it was disabled before and the PWNeverExpires attribute is true. And I must also implement the SmartCard Required attribute. I don't know if that is possible. Can I combine the IIFs in an AND operation? Like: IF AccountDisabled=False AND PWNeverExpires=True AND SmartCardRequired=True THEN set UserAccountControl to XYZ.

IIF(AccountDisabled,
    IIF(IsPresent(userAccountControl),BitOr(2,userAccountControl),514),
    IIF(ad_UserPasswordNeverExpire,
        IIF(IsPresent(userAccountControl),BitOr(65536,userAccountControl),66050),
        IIF(IsPresent(userAccountControl),BitAnd(-3,userAccountControl),512)
    )
)

Cheers
December 28th, 2010 5:46am


Okay! Now I have a solution for 2 attributes (Enabled/Disabled and NeverExpires True/False). Yeah. ;-) Cool. But with the third one it always prints an error message that my filter was not okay.

IIF(AccountDisabled,
    IIF(ad_UserPasswordNeverExpire,
        IIF(IsPresent(userAccountControl),BitOr(65538,userAccountControl),514),
        IIF(IsPresent(userAccountControl),BitOr(2,BitAnd(9223372036854710271,userAccountControl)),514)
    ),
    IIF(ad_UserPasswordNeverExpire,
        IIF(IsPresent(userAccountControl),BitOr(65536,BitAnd(33554397,userAccountControl)),66048),
        IIF(IsPresent(userAccountControl),BitAnd(9223372036854710269,userAccountControl),512)
    )
)

This filter prints me an error message. Hope someone in this world can help me ;-)

IIF(AccountDisabled,
    IIF(ad_UserPasswordNeverExpire,
        IIF(ad_UserSmartCardRequired,
            IIF(IsPresent(userAccountControl),BitOr(65538,userAccountControl),514),
            IIF(IsPresent(userAccountControl),BitOr(2,BitAnd(9223372036854710271,userAccountControl)),514)
        ),
        IIF(ad_UserSmartCardRequired,
            IIF(IsPresent(userAccountControl),BitOr(65538,userAccountControl),514),
            IIF(IsPresent(userAccountControl),BitOr(2,BitAnd(9223372036854710271,userAccountControl)),514)
        ),
    ),
    IIF(ad_UserPasswordNeverExpire,
        IIF(IsPresent(userAccountControl),BitOr(65536,BitAnd(33554397,userAccountControl)),66048),
        IIF(IsPresent(userAccountControl),BitAnd(9223372036854710269,userAccountControl),512)
    )
)

Cheers
December 28th, 2010 7:49am

Having this much nesting might be difficult to understand a month later... But I'm not really sure how other possibilities like a custom workflow could be a better solution here. Either way, as to your error: are you sure that "ad_UserSmartCardRequired" is actually checked as an attribute of interest in the MA config? The IIF nesting seems OK to me.

http://setspn.blogspot.com
December 28th, 2010 11:40am
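As an added example that is not part of the thread, the following Python emulates the BitAnd/BitOr arithmetic the posts rely on: it shows why BitAnd(2, uac) does not enable an account while BitAnd(-3, uac) does, and composes the three HR flags with one set/clear mask each instead of a new level of IIF nesting per attribute, checking the result against the two-attribute expression the poster reports as working. The flag values are assumed from the KB article cited above, and FIM's BitAnd is assumed to behave as 64-bit two's-complement arithmetic, which is what the "bitand -3" correction implies.

```python
# Flag values assumed from KB 305144, which the thread cites.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000

def enable_attempts(uac):
    """Return (BitAnd(2, uac), BitAnd(-3, uac)) for one starting value.
    Python's & on a negative int is two's complement, which is how the
    "bitand -3" correction in the thread clears only the disable bit."""
    return 2 & uac, -3 & uac

def compute_uac(existing, disabled, never_expires, smartcard):
    """Flat alternative to the nested IIF: start from the existing value (or
    NORMAL_ACCOUNT when the attribute is absent), then set or clear one bit
    per HR attribute. Adding a fourth flag is one more tuple, not a new
    level of nesting."""
    uac = existing if existing is not None else NORMAL_ACCOUNT
    for flag, wanted in ((ACCOUNTDISABLE, disabled),
                         (DONT_EXPIRE_PASSWORD, never_expires),
                         (SMARTCARD_REQUIRED, smartcard)):
        uac = (uac | flag) if wanted else (uac & ~flag)
    return uac

def thread_two_flag_rule(uac, disabled, never_expires):
    """Literal emulation of the two-attribute expression the poster reports
    as working (constants copied from that post), used as a reference."""
    present = uac is not None
    if disabled:
        if never_expires:
            return (65538 | uac) if present else 514
        return (2 | (9223372036854710271 & uac)) if present else 514
    if never_expires:
        return (65536 | (33554397 & uac)) if present else 66048
    return (9223372036854710269 & uac) if present else 512

def rules_agree():
    """True when the flat rule matches the thread's rule for every present
    starting value and every combination of the two HR flags."""
    for uac in (512, 514, 66048, 66050, 512 | SMARTCARD_REQUIRED):
        smartcard = bool(uac & SMARTCARD_REQUIRED)  # untouched by the 2-flag rule
        for disabled in (False, True):
            for never in (False, True):
                if compute_uac(uac, disabled, never, smartcard) != \
                        thread_two_flag_rule(uac, disabled, never):
                    return False
    return True
```

BitAnd(2, 514) yields 2, a value with neither NORMAL_ACCOUNT nor a cleared disable bit, whereas BitAnd(-3, 514) yields 512, the plain enabled account.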
