Should this be a binary attribute or a string attribute or someting else? Binary makes the most sense to me but i want to be sure. Rich

Neither nor - integer. Here are more drtails about this attribute. Cheers, Markus Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

UserAccountControl should be an integer. 4 bytes in specific. Within UserAccountControl each bit control a behaviour. See this MSDN article for specification on what each bit means Issam Andoni Best Regards, Issam Andoni http://zevainc.com/andoni

Hi... As you can see here in early posts, this is an attribute of type integer. If you want to use it only to enable or disable an account, you can use these functions: BITAND and BITOR. BITAND BITAND = function sets specified bits in a flag to 0. BITOR BITOR = function sets specified bits in a flag to 1. userAccountControl stores other information about the status of an account such as whether the password must be changed at next logon, if the account never expires. For example, a normal account has a value of 512 (1000000000 in binary) and a disabled account has a value of 514 (1000000010). With the functions BitAnd and BitOr, we set the second bit of the userAccountControl field as needed. See the use of the functions in a Synchronization Rule ***** Paulo H. Campos - São Paulo/Brasil *****

Paulo, for the situation in your screenshot, It is needed for userAccountControl to be added to the portal schema ?

Hi again... Yes... you'll need to select Attribute userAccountControl in your AD MA... it´s an integer attribute and you´ll need to create it in Schema and metaverse too. Cheers,***** Paulo H. Campos - So Paulo/Brasil ***** http://identitypedia.blogspot.com (in PT-BR)

I have an additional question to this, because I dont have time to try this out myself (deadline for presenting my Proof of Concept is soon). I have disable and enable account rules now, I did this with simply putting in 512/514 in useraccountcontrol (I realize this isnt the right way). Problem with this is once I disable someone, and then reenable them, it keeps flowing in that 512, enabling the account, even when it might be disabled bc of bad passwordcount or something like that. Would that be solved if I do it the propper way with the bitvalues ?