Flowing msds-useraccountdisabled attribute

    Question

  • Our customer uses AD as its authoritative source for user accounts.  Accounts are provisioned to ADAM for use with various applications.  If a user account is disabled in AD, we want to disable the account in ADAM.  The msds-useraccountdisabled attribute is not listed in our AD Import MA list of attributes, but is listed in the ADAM Export MA list of attributes.

    Is there a way to do an attribute flow to disable accounts in ADAM when they are disabled in AD?

    Thanks,

    Jeffrey Harris

    Thursday, January 18, 2007 8:12 PM

Answers

  • Some flow rule extension example code.

    ' Import flow entry point of the rules extension: derives the ADAM Boolean
    ' attributes from the AD userAccountControl bit flags.
    Public Sub MapAttributesForImport(ByVal FlowRuleName As String, ByVal csentry As CSEntry, ByVal mventry As MVEntry) Implements IMASynchronization.MapAttributesForImport
        Const UF_ACCOUNTDISABLE = &H2
        Const UF_NORMAL_ACCOUNT = &H200
        Const UF_PASSWD_NOTREQD = &H20
        Const UF_DONT_EXPIRE_PASSWD = &H10000

        'Filter the BOOLEAN values out of the UserAccountControl (HEX) LONG values
        Select Case FlowRuleName.ToLower
            Case "msDS-UserAccountDisabled".ToLower
                mventry("msDS-UserAccountDisabled").Value = (csentry("userAccountControl").IntegerValue And UF_ACCOUNTDISABLE) = UF_ACCOUNTDISABLE

            Case "msDS-UserDontExpirePassword".ToLower
                mventry("msDS-UserDontExpirePassword").Value = (csentry("userAccountControl").IntegerValue And UF_DONT_EXPIRE_PASSWD) = UF_DONT_EXPIRE_PASSWD

            Case "ms-DS-UserPasswordNotRequired".ToLower
                mventry("ms-DS-UserPasswordNotRequired").Value = (csentry("userAccountControl").IntegerValue And UF_PASSWD_NOTREQD) = UF_PASSWD_NOTREQD

            Case Else
                ' TODO: remove the following statement and add your default script here
                Throw New EntryPointNotImplementedException

        End Select
    End Sub

    Friday, January 19, 2007 11:58 AM
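
A follow-up check for this flow, added here as an example and not part of the original thread: a Python audit that decodes userAccountControl with the same flag values and reports accounts whose disabled state in ADAM disagrees with AD. The function names and the sample records are constructed for illustration; in practice the two dictionaries would be filled from LDAP searches against AD and ADAM.

```python
# Added example, not code from the thread. Sample records are constructed.
UF_ACCOUNTDISABLE = 0x2
UF_PASSWD_NOTREQD = 0x20
UF_DONT_EXPIRE_PASSWD = 0x10000

def adam_flags(uac):
    """Map an AD userAccountControl value to the ADAM Boolean attributes."""
    if uac is None:
        raise ValueError("userAccountControl is missing")
    value = int(uac)  # LDAP clients usually hand the integer back as a string
    return {
        "msDS-UserAccountDisabled": bool(value & UF_ACCOUNTDISABLE),
        "msDS-UserDontExpirePassword": bool(value & UF_DONT_EXPIRE_PASSWD),
        "ms-DS-UserPasswordNotRequired": bool(value & UF_PASSWD_NOTREQD),
    }

def ldap_bool(raw):
    """Parse an LDAP Boolean string; an attribute that is not set gives None."""
    return None if raw is None else raw.strip().upper() == "TRUE"

def find_drift(ad_users, adam_users):
    """List (account, reason) where ADAM's disabled state disagrees with AD."""
    drift = []
    for name in sorted(ad_users):
        adam = adam_users.get(name)
        if adam is None:
            continue  # never provisioned to ADAM, nothing to disable there
        try:
            want = adam_flags(ad_users[name].get("userAccountControl"))
        except ValueError as exc:
            drift.append((name, f"AD value unusable: {exc}"))
            continue
        disabled_in_ad = want["msDS-UserAccountDisabled"]
        have = ldap_bool(adam.get("msDS-UserAccountDisabled"))
        if have is None:
            drift.append((name, "msDS-UserAccountDisabled not set in ADAM"))
        elif have != disabled_in_ad:
            drift.append((name, f"AD disabled={disabled_in_ad}, ADAM disabled={have}"))
    return drift

# Constructed sample data: account name -> attributes as read over LDAP.
AD_USERS = {"alice": {"userAccountControl": "512"}, "bob": {"userAccountControl": "514"},
            "carol": {"userAccountControl": "66050"}, "dave": {"userAccountControl": "514"},
            "erin": {}}
ADAM_USERS = {"alice": {"msDS-UserAccountDisabled": "FALSE"}, "bob": {"msDS-UserAccountDisabled": "FALSE"},
              "carol": {"msDS-UserAccountDisabled": "TRUE"}, "dave": {},
              "erin": {"msDS-UserAccountDisabled": "FALSE"}}

if __name__ == "__main__":
    for name, reason in find_drift(AD_USERS, ADAM_USERS):
        print(f"{name}: {reason}")
```

An account reported here is one where the disable in AD has not reached ADAM, so the applications that authenticate against ADAM would still accept it.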

All replies

  • Yes, import AD's userAccountControl into the MV (you'll probably need to create a new MV attribute unless you already created one for this).

    Then do an advanced export flow on the MV userAccountControl to the msds-useraccountdisabled attribute.

    BTW, userAccountControl is a bitmap, and bit 2 indicates if an account is disabled or not

    (see http://support.microsoft.com/default.aspx/kb/305144).

    Thursday, January 18, 2007 10:25 PM
  • Jeffrey,

    This web link explains the differences between AD and ADAM userAccountControl:

    http://msdn2.microsoft.com/en-us/library/aa772124.aspx

    Best regards,
    Peter

    Friday, January 19, 2007 12:00 PM
  • Hi All,

    I am currently trying out a few Java code examples on user accounts with MS ADAM. Initially, it was very tiresome to figure out how to control the account, and at last I succeeded. But I am still left with a complaint against my favourite documentation team, the Microsoft documentation team. The kind of documentation provided by them is very insufficient and non-productive. The user attributes were not explained in detail, especially the ones controlling useraccountcontrol - computed.

    I request them to put sufficient and sensible information so that it helps the developers and others to quickly understand and become productive. For example, this site: http://msdn2.microsoft.com/en-gb/library/ms677837.aspx lists the attributes, but they hardly make any sense to a novice programmer like me. If the site restricts elaboration, then they can have a few links mentioned that give details about the information in question.

    Regards,

    Thursday, February 22, 2007 10:06 AM