userAccountControl and EmployeeStatus
I'd recommend treating the values as what they are, a bit vector. Have a look at http://social.technet.microsoft.com/wiki/contents/articles/how-to-enable-or-disable-accounts-in-active-directory-domain-service-using-fim.aspx which explains it nicely and has some attribute flow examples. BR Tobias
October 4th, 2012 7:14am


Hi, I have seen guidance on how to configure 'employeeStatus' in the FIM Portal, and translate it to the correct 'userAccountControl' value in AD (e.g. 512, 514). However, how would I do this in reverse?

Here is my thinking. 'userAccountControl' can have these values:

512 Enabled Account
514 Disabled Account
544 Enabled, Password Not Required
546 Disabled, Password Not Required
66048 Enabled, Password Doesn't Expire
66050 Disabled, Password Doesn't Expire
66080 Enabled, Password Doesn't Expire & Not Required
66082 Disabled, Password Doesn't Expire & Not Required
262656 Enabled, Smartcard Required
262658 Disabled, Smartcard Required
262688 Enabled, Smartcard Required, Password Not Required
262690 Disabled, Smartcard Required, Password Not Required
328192 Enabled, Smartcard Required, Password Doesn't Expire
328194 Disabled, Smartcard Required, Password Doesn't Expire
328224 Enabled, Smartcard Required, Password Doesn't Expire & Not Required
328226 Disabled, Smartcard Required, Password Doesn't Expire & Not Required

So do I simply write up a multiple IIF statement?

IIF(CustomExpression(Eq(userAccountControl,"66048")),"active","disabled") -> employeeStatus

How do I repeat this for all the other values in one long Custom Expression?

IIF(Eq(userAccountControl,512),"active"),IIF(Eq(userAccountControl,66048),"active") ,"disabled")) ???

Thank you
October 8th, 2012 1:15am

On Thu, 4 Oct 2012 05:40:43 +0000, S.Kwan wrote:

Hi, I have seen guidance on how to configure 'employeeStatus' in the FIM Portal, and translate it to the correct 'userAccountControl' value in AD (e.g. 512, 514). However, how would I do this in reverse? How do I translate an existing AD 'userAccountControl' value to a FIM Portal 'employeeStatus' of "active" / "disabled"?

http://social.technet.microsoft.com/forums/en-US/identitylifecyclemanager/thread/0b06ed85-69f5-4cdf-811f-b555c49e21b0/
http://www.netvision.com/ad_useraccountcontrol.php

Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
f u cn rd ths, u cn gt a gd jb n cmptr prgrmmng.
October 8th, 2012 4:03am

Thanks Paul - your URLs point to a solution using custom code - is there any way of achieving this by simply using codeless provisioning in the Portal? I was thinking of having multiple IF statements evaluating the multiple 'Numbers' on the Inbound Attribute Flow. Thank you
October 8th, 2012 4:54am

so do you guys think this is not an option?

if useraccountcontrol = 512, 'active'
if useraccountcontrol = 544, 'active'
if useraccountcontrol = 66048, 'active'
else 'disabled'
--> employeeStatus
October 10th, 2012 12:07am

Hi, You can use it as a simple way. Create different sets and on the basis of those sets run MPRs. Regards, M. Irfan
October 10th, 2012 5:15am

so do you guys think this is not an option? if useraccountcontrol = 512, 'active' if useraccountcontrol = 544, 'active' if useraccountcontrol = 66048, 'active' else 'disabled' --> employeeStatus

No. The attribute is a bitmask. You need to check that the disabled bit isn't set using the links Tobias provided.

My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
October 10th, 2012 1:58pm

OK, so I have configured this on the AD Inbound Sync Rule:

BitAnd(9223372036854775805,userAccountControl)->userAccountControl

I now see 512, 66048, etc in the 'userAccountControl' attribute in the MV. I guess the next step would be to export this into the Portal, and create the relevant Set. Thank you everyone!
October 12th, 2012 2:00am
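
The bit test the replies point to, set beside the equality chain from the question, as an added example that is not part of the thread. Flag names follow Microsoft's documented userAccountControl flags and the function names are illustrative. It also shows that the BitAnd mask in the sync rule above clears the disabled bit, so 514 and 512 both come out as 512 and the status has to be derived from the unmasked value.

```python
# Added example (not from the thread): userAccountControl handled as a bit vector.
# Flag values follow Microsoft's documented userAccountControl flags.
FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE = 0x0002

# Mask used in the sync rule quoted in the thread: 2**63 - 3,
# i.e. every bit of a signed 64-bit integer set except ACCOUNTDISABLE.
THREAD_MASK = 9223372036854775805

# The sixteen values listed in the question.
LISTED = [512, 514, 544, 546, 66048, 66050, 66080, 66082,
          262656, 262658, 262688, 262690, 328192, 328194, 328224, 328226]


def employee_status(uac):
    """Bit test: only the ACCOUNTDISABLE bit decides the status."""
    return "disabled" if uac & ACCOUNTDISABLE else "active"


def enumerated_status(uac):
    """The equality chain proposed in the thread (512, 544, 66048 -> active)."""
    return "active" if uac in (512, 544, 66048) else "disabled"


def decode(uac):
    """Names of the set flags, lowest bit first; unknown bits reported in hex."""
    names = [name for bit, name in sorted(FLAGS.items()) if uac & bit]
    unknown = uac & ~sum(FLAGS)
    return names + ([hex(unknown)] if unknown else [])


def strip_disabled(uac):
    """What BitAnd(THREAD_MASK, userAccountControl) yields."""
    return uac & THREAD_MASK


def misclassified(values):
    """Values where the equality chain disagrees with the bit test."""
    return [v for v in values if enumerated_status(v) != employee_status(v)]


if __name__ == "__main__":
    for v in LISTED:
        print(v, employee_status(v), strip_disabled(v), decode(v))
    print("equality chain wrong for:", misclassified(LISTED))
```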


This topic is archived. No further replies will be accepted.
