UserAccountControl
Hi
I have a problem with the correct flow rules for my userAccountControl attribute in AD.
I want to disable/enable an account based on the attribute AccountDisabled. For that the CustomExpression is easy:
IIF(AccountDisabled,
    IIF(IsPresent(userAccountControl),BitOr(2,userAccountControl),514),
    IIF(IsPresent(userAccountControl),BitAnd(2,userAccountControl),512)
)
Now the complex thing! I have 4 other attributes in my connected HR system:
ad_UserCannotChangePassword
ad_UserPasswordNeverExpire
ad_UserMustChangePasswordatNextLogon
ad_UserSmartCardRequired
How can I handle that? At the moment I have no idea.
greets
December 27th, 2010 11:08am
From the MIIS era, I used to have this in the AD MA 'map attributes for export' to set UserMustChangePasswordatNextLogon=true for new users:
' Inside MapAttributesForExport of the AD MA rules extension; the Select Case on the
' FlowRuleName parameter is the surrounding context the posted fragment assumes.
Select Case FlowRuleName
    Case "pwdlastset"
        If Not csentry.DN.ToString.Contains(ExceptionsUsersContainer) And mventry("employeeID").IsPresent Then
            If Not csentry("pwdLastSet").IsPresent Then
                csentry("pwdLastSet").Values.Add(0)   ' pwdLastSet = 0 forces a password change at next logon
            End If
        End If
End Select
Same with other attributes... just create a user in AD, check the options you need and compare the user's attributes to their original state. That's easy.
December 27th, 2010 11:17am
Verbalhoodz,
Disable a useraccount
I'm not entirely sure flowing "bitand 2,useraccountcontrol" will enable the account. I was under the impression that you'd have to flow "bitand -3,useraccountcontrol" or "bitand 33554397,useraccountcontrol" to enable the account.
So I think your example is wrong.
As for disabling the account, "bitor 2,useraccountcontrol" should be fine.
Check
http://blogs.dirteam.com/blogs/jorge/archive/2010/07/29/managing-the-useraccountcontrol-attribute-in-ad-by-fim.aspx
ad_UserMustChangePasswordatNextLogon
Evgeniy is right, check
http://msdn.microsoft.com/en-us/library/aa746510(VS.85).aspx
ad_UserCannotChangePassword
That's harder: in Active Directory "user cannot change password" is handled by ACLs on the user object. I have no experience handling security on user objects through FIM (rules extensions?).
ad_UserPasswordNeverExpire, ad_UserSmartCardRequired
Check
http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
Peter has a nice useraccountcontrol calculator on his blog, it's referenced in this post:
http://identityunderground.wordpress.com/2007/11/30/miis-and-ad-useraccountcontrol/
http://setspn.blogspot.com
December 27th, 2010 11:38am
Using FIM to enable or disable accounts in Active Directory.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
December 27th, 2010 5:52pm
@Thomas: Yes, my example was wrong. The correct flow is "bitand -3,useraccountcontrol".
For enabling and disabling the account it works, but if I have other attributes like pwdneverexpires and so on, how can I put this in a CustomExpression flow rule? With the following rule it doesn't enable the account if it was disabled before and the PWNeverExpires attribute is true. And I must also implement the SmartCard Required attribute. I don't know if that is possible. Can I combine the IIFs in an AND operation? Like: IF AccountDisabled=False AND PWNeverExpires=True AND SmartCardRequired=True then set userAccountControl to XYZ.
IIF(AccountDisabled,
    IIF(IsPresent(userAccountControl),BitOr(2,userAccountControl),514),
    IIF(ad_UserPasswordNeverExpire,
        IIF(IsPresent(userAccountControl),BitOr(65536,userAccountControl),66050),
        IIF(IsPresent(userAccountControl),BitAnd(-3,userAccountControl),512)
    )
)
Cheers
December 28th, 2010 5:46am
Okay! Now I have a solution for 2 attributes (enabled/disabled and NeverExpires true/false).
Yeah. ;-) Cool.
But with the third one it always prints an error message that my filter was not okay.
IIF(AccountDisabled,
    IIF(ad_UserPasswordNeverExpire,
        IIF(IsPresent(userAccountControl),BitOr(65538,userAccountControl),514),
        IIF(IsPresent(userAccountControl),BitOr(2,BitAnd(9223372036854710271,userAccountControl)),514)
    ),
    IIF(ad_UserPasswordNeverExpire,
        IIF(IsPresent(userAccountControl),BitOr(65536,BitAnd(33554397,userAccountControl)),66048),
        IIF(IsPresent(userAccountControl),BitAnd(9223372036854710269,userAccountControl),512)
    )
)
This filter prints an error message. Hope someone in this world can help me ;-)
IIF(AccountDisabled,
    IIF(ad_UserPasswordNeverExpire,
        IIF(ad_UserSmartCardRequired,
            IIF(IsPresent(userAccountControl),BitOr(65538,userAccountControl),514),
            IIF(IsPresent(userAccountControl),BitOr(2,BitAnd(9223372036854710271,userAccountControl)),514)
        ),
        IIF(ad_UserSmartCardRequired,
            IIF(IsPresent(userAccountControl),BitOr(65538,userAccountControl),514),
            IIF(IsPresent(userAccountControl),BitOr(2,BitAnd(9223372036854710271,userAccountControl)),514)
        )
    ),
    IIF(ad_UserPasswordNeverExpire,
        IIF(IsPresent(userAccountControl),BitOr(65536,BitAnd(33554397,userAccountControl)),66048),
        IIF(IsPresent(userAccountControl),BitAnd(9223372036854710269,userAccountControl),512)
    )
)
Cheers
December 28th, 2010 7:49am
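The bit arithmetic behind Thomas's correction and the nested filters above, as an added example that is not code from the thread: a Python model of FIM's BitOr/BitAnd on integer userAccountControl values, a flat set-or-clear equivalent of the nested IIF rules, and a decoder for checking what a resulting value actually means. Flag values are those from the userAccountControl table in KB 305144 linked above; the function names are mine.

```python
# Added example (not the thread's own code). Flag values from KB 305144.
ACCOUNTDISABLE = 0x2
PASSWD_CANT_CHANGE = 0x40      # listed for decoding only: AD enforces this via ACLs, not this bit
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWD = 0x10000
SMARTCARD_REQUIRED = 0x40000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_CANT_CHANGE: "PASSWD_CANT_CHANGE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
}


def bit_or(mask, value):
    """Model of FIM BitOr(mask, value): set every bit in mask."""
    return value | mask


def bit_and(mask, value):
    """Model of FIM BitAnd(mask, value): keep only the bits in mask."""
    return value & mask


def naive_enable(uac):
    """The first post's BitAnd(2, uac): keeps only the disable bit, so it never yields an enabled account."""
    return bit_and(ACCOUNTDISABLE, uac)


def enable(uac):
    """Thomas's BitAnd(-3, uac): -3 is ...11111101 in two's complement, so only bit 0x2 is cleared."""
    return bit_and(-3, uac)


def flow_uac(current, account_disabled, pwd_never_expires, smartcard_required):
    """Flat equivalent of the nested IIF rules: start from the existing value
    (NORMAL_ACCOUNT when the attribute is absent), then set or clear one bit per
    HR flag. A further flag is one more tuple here, not another IIF level."""
    uac = NORMAL_ACCOUNT if current is None else current
    for flag, wanted in ((ACCOUNTDISABLE, account_disabled),
                         (DONT_EXPIRE_PASSWD, pwd_never_expires),
                         (SMARTCARD_REQUIRED, smartcard_required)):
        uac = bit_or(flag, uac) if wanted else bit_and(~flag, uac)
    return uac


def decode(uac):
    """Names of the known flags set in a userAccountControl value, in bit order."""
    return [name for flag, name in sorted(FLAG_NAMES.items()) if uac & flag]
```

The 33554397 and 9223372036854710269 masks used in the filters are just -3 with the 0x10000 bit also cleared, truncated to 25 and 63 bits respectively; on normal userAccountControl values they give the same result as `bit_and(~flag, uac)`.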
Having this much nesting might be difficult to understand a month later... But I'm not really sure how other possibilities like a custom workflow could be a better solution here.
Either way, as to your error: are you sure that "ad_UserSmartCardRequired" is actually checked as an attribute of interest in the MA config? The IIF nesting seems ok to me.
http://setspn.blogspot.com
December 28th, 2010 11:40am