userAccountControl and EmployeeStatus
I'd recommend treating the values as what they are, a bit vector. Have a look at
http://social.technet.microsoft.com/wiki/contents/articles/how-to-enable-or-disable-accounts-in-active-directory-domain-service-using-fim.aspx which explains it nicely and has some attribute flow examples.
BR
Tobias
October 4th, 2012 7:14am
October 7th, 2012 5:57am
Hi,
I have seen guidance on how to configure 'employeeStatus' in the FIM Portal, and translate it to the correct 'userAccountControl' value in AD (e.g. 512,514)
However, how would I do this in reverse?
Here is my thinking 'userAccountControl' can have these values:
512: Enabled Account
514: Disabled Account
544: Enabled, Password Not Required
546: Disabled, Password Not Required
66048: Enabled, Password Doesn't Expire
66050: Disabled, Password Doesn't Expire
66080: Enabled, Password Doesn't Expire & Not Required
66082: Disabled, Password Doesn't Expire & Not Required
262656: Enabled, Smartcard Required
262658: Disabled, Smartcard Required
262688: Enabled, Smartcard Required, Password Not Required
262690: Disabled, Smartcard Required, Password Not Required
328192: Enabled, Smartcard Required, Password Doesn't Expire
328194: Disabled, Smartcard Required, Password Doesn't Expire
328224: Enabled, Smartcard Required, Password Doesn't Expire & Not Required
328226: Disabled, Smartcard Required, Password Doesn't Expire & Not Required
So do I simply write up a multiple IIF statement?
IIF(CustomExpression(Eq(userAccountControl,"66048")),"active","disabled") -> employeeStatus
How do I repeat this for all the other values in one long Custom Expression?
IIF(Eq(userAccountControl,512),"active"),IIF(Eq(userAccountControl,66048),"active")
,"disabled")) ???
Thank you
October 8th, 2012 1:15am
On Thu, 4 Oct 2012 05:40:43 +0000, S.Kwan wrote:
Hi,
I have seen guidance on how to configure 'employeeStatus' in the FIM Portal, and translate it to the correct 'userAccountControl' value in AD (e.g. 512,514)
However, how would I do this in reverse?
How do I translate an existing AD 'userAccountControl' value to a FIM Portal 'employeeStatus' of "active" / "disabled"?
http://social.technet.microsoft.com/forums/en-US/identitylifecyclemanager/thread/0b06ed85-69f5-4cdf-811f-b555c49e21b0/
http://www.netvision.com/ad_useraccountcontrol.php
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
f u cn rd ths, u cn gt a gd jb n cmptr prgrmmng.
October 8th, 2012 4:03am
Thanks Paul - your URLs point to a solution using custom code - is there any way of achieving this by simply using codeless provisioning in the Portal?
I was thinking of having multiple IF statements evaluating the multiple 'Numbers' on the Inbound Attribute Flow.
Thank you
October 8th, 2012 4:54am
so do you guys think this is not an option?
if useraccountcontrol = 512, 'active'
if useraccountcontrol = 544, 'active'
if useraccountcontrol = 66048, 'active'
else 'disabled' --> employeeStatus
October 10th, 2012 12:07am
Hi,
You can use it as a simple way. Create different sets and on the basis of those sets run MPRs.
Regards,
M. Irfan
October 10th, 2012 5:15am
so do you guys think this is not an option?
if useraccountcontrol = 512, 'active'
if useraccountcontrol = 544, 'active'
if useraccountcontrol = 66048, 'active'
else 'disabled' --> employeeStatus
No. The attribute is a bitmask. You need to check that the disabled bit isn't set using the links Tobias provided.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
October 10th, 2012 1:58pm
OK, so I have configured this on the AD Inbound Sync Rule:
BitAnd(9223372036854775805,userAccountControl)->userAccountControl
I now see 512, 66048, etc in the 'userAccountControl' attribute in the MV.
I guess the next step would be to export this into the Portal, and create the relevant Set.
thank you everyone!
October 12th, 2012 2:00am
October 14th, 2012 3:23pm
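An added example (not code from any poster in this thread) of the bit test the replies describe: it decodes userAccountControl flags, derives active/disabled from the ACCOUNTDISABLE bit (0x2), compares that with the equality list proposed above, and shows what the BitAnd mask 9223372036854775805 from the sync rule post does to a value. The function names and sample values are constructed for illustration; the flag constants are the documented userAccountControl bits.

```python
# Added example: userAccountControl is a set of bit flags, so status is one bit test.
ACCOUNTDISABLE = 0x0002  # the "disabled" bit
FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

# Mask used in the thread's inbound sync rule: every bit set except 0x2.
THREAD_MASK = 9223372036854775805  # 0x7FFFFFFFFFFFFFFD


def decode(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAGS.items()) if uac & bit]


def status_by_bit(uac):
    """Bit test: the account is disabled only if ACCOUNTDISABLE is set."""
    return "disabled" if uac & ACCOUNTDISABLE else "active"


def status_by_equality(uac, active_values=(512, 544, 66048)):
    """The value-list approach proposed in the thread, for comparison."""
    return "active" if uac in active_values else "disabled"


def apply_thread_mask(uac):
    """BitAnd(9223372036854775805, uac): clears 0x2 and keeps every other bit."""
    return uac & THREAD_MASK


if __name__ == "__main__":
    # Constructed sample values; 590336 = 512 + 65536 + 524288 is not in the thread's list.
    for uac in (512, 514, 66048, 66050, 262658, 590336, 590338):
        print(f"{uac:>7} {status_by_bit(uac):<8} eq={status_by_equality(uac):<8} "
              f"masked={apply_thread_mask(uac):>7} {decode(uac)}")
```

Because the mask clears bit 0x2, the masked value is identical for an enabled and a disabled account (514 and 512 both become 512), so the status has to be derived from the unmasked attribute.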