Accounts are being created as Disabled in Active Directory even with 512 in user control account value

  • Question

  • Hi All,

    Greetings! I have been facing this issue for the last three days. All of my accounts that are being provisioned from MIM to Active Directory are created as disabled accounts in Active Directory, even though I am passing 512 to the UserControlAccount attribute.

    Below are the stats of AD MA Export for one record. Now when I see in AD, this account is marked as disabled.

    Kindly help me and guide me in this regard.

    


    F.

    Wednesday, June 27, 2018 6:36 AM

Answers

  • Hi,

    It could be due to a password issue.

    Are you provisioning the user with a password (unicodePwd)?

    Also look for export errors in MIM Sync.


    Patrick Layani

    • Marked as answer by Fahaad Majeed Wednesday, July 4, 2018 11:09 AM
    Wednesday, June 27, 2018 7:42 AM
  • Hi,

    Did you set an initial password on those accounts? The account cannot be enabled with an empty password.

    But in that case there should be some error message on the MA.

    Did the value really flow to AD on export?

    Also check the precedence on that attribute; it could be that the value flows in from AD.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by Fahaad Majeed Wednesday, July 4, 2018 11:08 AM
    Wednesday, June 27, 2018 7:43 AM
  • In case your provisioning logic is generating a random password, your passwords might not fulfil a (strict/fine-grained) password policy in Active Directory. Best to check what the AD policy enforces and change your logic accordingly. If you are provisioning a user without a random password, AD will disable the object (514).

    Note that password set/reset operations require Kerberos functioning correctly with DNS (SRV records) and ports like 88 and 464. So if all seems to be OK but it is still not working, check your Kerberos configuration through the whole solution etc. Best of luck :-)


    Danny Alvares, Senior Technology Consultant

    • Marked as answer by Fahaad Majeed Wednesday, July 4, 2018 11:08 AM
    Wednesday, June 27, 2018 2:14 PM
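
Added example (not part of the original thread and not MIM's own code): a small pre-flight check that decodes a userAccountControl value such as 512 or 514 and tests a generated initial password before export. The policy check is a simplified model of the AD complexity setting; `min_length=12`, the account name `jdoe` and the sample passwords are constructed assumptions.

```python
"""Pre-flight checks for AD account provisioning (added example)."""
from enum import IntFlag


class UAC(IntFlag):
    # Subset of the documented userAccountControl bit flags.
    ACCOUNTDISABLE = 0x0002
    LOCKOUT = 0x0010
    PASSWD_NOTREQD = 0x0020
    NORMAL_ACCOUNT = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [f.name for f in UAC if value & f]


def is_enabled(value):
    """True when the ACCOUNTDISABLE bit is clear (512 yes, 514 no)."""
    return not value & UAC.ACCOUNTDISABLE


def password_problems(password, sam_account_name, min_length=12):
    """List reasons a candidate initial password would likely be rejected.

    Simplified model; min_length is an assumed policy value, not read from AD.
    """
    if not password:
        return ["empty password"]
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        problems.append("fewer than 3 character categories")
    if len(sam_account_name) >= 3 and sam_account_name.lower() in password.lower():
        problems.append("contains the account name")
    return problems


if __name__ == "__main__":
    for value in (512, 514):  # values discussed in the thread
        print(value, decode_uac(value), "enabled" if is_enabled(value) else "disabled")
    for candidate in ("", "jdoe2018", "kV7#tq9!Lm2$xR"):  # constructed samples
        print(repr(candidate), password_problems(candidate, "jdoe") or "ok")
```

Replace the assumed minimum length with the values your domain or fine-grained password policy actually enforces before relying on the result.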

All replies

  • This is the screen shot of AD.


    F.

    Wednesday, June 27, 2018 6:52 AM