userAccountControl and EmployeeStatus

  • Question

  • Hi,

    I have seen guidance on how to configure 'employeeStatus' in the FIM Portal, and translate it to the correct 'userAccountControl' value in AD (e.g. 512,514)

    However, how would I do this in reverse?

    Here is my thinking: 'userAccountControl' can have these values:

    512 Enabled Account
    514 Disabled Account
    544 Enabled, Password Not Required
    546 Disabled, Password Not Required
    66048 Enabled, Password Doesn't Expire
    66050 Disabled, Password Doesn't Expire
    66080 Enabled, Password Doesn't Expire & Not Required
    66082 Disabled, Password Doesn't Expire & Not Required
    262656 Enabled, Smartcard Required
    262658 Disabled, Smartcard Required
    262688 Enabled, Smartcard Required, Password Not Required
    262690 Disabled, Smartcard Required, Password Not Required
    328192 Enabled, Smartcard Required, Password Doesn't Expire
    328194 Disabled, Smartcard Required, Password Doesn't Expire
    328224 Enabled, Smartcard Required, Password Doesn't Expire & Not Required
    328226 Disabled, Smartcard Required, Password Doesn't Expire & Not Required

    So do I simply write up a multiple IIF statement?

    IIF(CustomExpression(Eq(userAccountControl,"66048")),"active","disabled") -> employeeStatus

    How do I repeat this for all the other values in one long Custom Expression?

    IIF(Eq(userAccountControl,512),"active"),IIF(Eq(userAccountControl,66048),"active")
    ,"disabled")) ???

    Thank you



    • Edited by D Wind Thursday, October 4, 2012 6:37 AM
    Thursday, October 4, 2012 5:40 AM

Answers

All replies

  • On Thu, 4 Oct 2012 05:40:43 +0000, S.Kwan wrote:

    Hi,

    I have seen guidance on how to configure 'employeeStatus' in the FIM Portal, and translate it to the correct 'userAccountControl' value in AD (e.g. 512,514)

    However, how would I do this in reverse?

    How do I translate an existing AD 'userAccountControl' value to a FIM Portal 'employeeStatus' of "active" / "disabled"?

    http://social.technet.microsoft.com/forums/en-US/identitylifecyclemanager/thread/0b06ed85-69f5-4cdf-811f-b555c49e21b0/

    http://www.netvision.com/ad_useraccountcontrol.php


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    f u cn rd ths, u cn gt a gd jb n cmptr prgrmmng.

    Thursday, October 4, 2012 8:28 AM
  • Thanks Paul - your URLs point to a solution using custom code - is there any way of achieving this by simply using codeless provisioning in the Portal?

    I was thinking of having multiple IF statements evaluating the multiple 'Numbers' on the Inbound Attribute Flow.

    Thank you

    Thursday, October 4, 2012 9:19 AM
  • I'd recommend treating the values as what they are, a bit vector. Have a look at http://social.technet.microsoft.com/wiki/contents/articles/how-to-enable-or-disable-accounts-in-active-directory-domain-service-using-fim.aspx which explains it nicely and has some attribute flow examples.

    BR
    Tobias

    • Proposed as answer by Tobias Vilen Thursday, October 11, 2012 7:28 AM
    • Marked as answer by D Wind Friday, October 12, 2012 6:45 AM
    Thursday, October 4, 2012 11:14 AM
  • so do you guys think this is not an option?

    if useraccountcontrol = 512, 'active'

     if useraccountcontrol = 544, 'active'

       if useraccountcontrol = 66048, 'active'

        else 'disabled' --> employeeStatus

    Wednesday, October 10, 2012 4:07 AM
  • Hi,

    You can do it in a simple way: create different sets and, on the basis of those sets, run MPRs.

    Regards,


    M. Irfan

    • Proposed as answer by M.Irfan Wednesday, October 10, 2012 9:15 AM
    Wednesday, October 10, 2012 9:15 AM
  • so do you guys think this is not an option?

    if useraccountcontrol = 512, 'active'

     if useraccountcontrol = 544, 'active'

       if useraccountcontrol = 66048, 'active'

        else 'disabled' --> employeeStatus


    No. The attribute is a bitmask. You need to check that the disabled bit isn't set using the links Tobias provided.

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    • Marked as answer by D Wind Friday, October 12, 2012 6:44 AM
    Wednesday, October 10, 2012 5:58 PM
    Moderator
  • OK, so I have configured this on the AD Inbound Sync Rule:

    BitAnd(9223372036854775805,userAccountControl)->userAccountControl

    I now see 512, 66048, etc in the 'userAccountControl' attribute in the MV.

    I guess the next step would be to export this into the Portal, and create the relevant Set.

    thank you everyone!



    • Edited by D Wind Friday, October 12, 2012 6:45 AM
    Friday, October 12, 2012 6:00 AM
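The two accepted answers above say to treat userAccountControl as a bit vector and test the disable bit instead of matching whole values, and the post just above applies BitAnd with the mask 9223372036854775805. The following Python is an added example, not code from the thread or from the linked wiki, that puts the two approaches side by side: a bit test (the equivalent of FIM's BitAnd(2, userAccountControl)) against the exact-value lookup proposed in the question, plus a function showing what that 9223372036854775805 mask does to a value. The flag bits are the documented ADS_USER_FLAG constants; the sample userAccountControl values are constructed for the demonstration and are not from any directory.

```python
# Added example (not code from the thread or the linked wiki): treat
# userAccountControl as a bit vector, as Tobias and Brian describe, and
# compare that with the exact-value lookup proposed in the question.
# Flag values are the documented ADS_USER_FLAG constants; the sample
# userAccountControl values below are constructed for the demonstration.

# Bit -> documented flag name (the flags from the thread, plus a few
# others that routinely show up on real accounts).
FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002

# The mask from the sync rule post: 2**63 - 3 == 0x7FFFFFFFFFFFFFFD,
# i.e. every bit set except bit 1, which is the ACCOUNTDISABLE bit.
CLEAR_DISABLE_MASK = 9223372036854775805


def decode(uac: int) -> list[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAGS.items()) if uac & bit]


def employee_status(uac: int) -> str:
    """Bit test, the equivalent of FIM's BitAnd(2, userAccountControl):
    the account is disabled iff the ACCOUNTDISABLE bit is set, whatever
    other bits accompany it."""
    return "disabled" if uac & ACCOUNTDISABLE else "active"


# The enumeration from the question: the eight "enabled" composite values.
KNOWN_ACTIVE = {512, 544, 66048, 66080, 262656, 262688, 328192, 328224}


def employee_status_by_lookup(uac: int) -> str:
    """Exact-value lookup: anything not in the list falls through to 'disabled'."""
    return "active" if uac in KNOWN_ACTIVE else "disabled"


def clear_disable_bit(uac: int) -> int:
    """What BitAnd(9223372036854775805, userAccountControl) does: the disable
    bit is removed, so 514 becomes 512 and the result no longer carries the
    enabled/disabled distinction."""
    return uac & CLEAR_DISABLE_MASK


def disagreements(values):
    """userAccountControl values for which the bit test and the lookup differ."""
    return [v for v in values if employee_status(v) != employee_status_by_lookup(v)]


# Constructed sample values.
SAMPLES = [
    512,                     # enabled, nothing else
    514,                     # disabled
    512 | 0x0010,            # enabled but currently locked out (528)
    512 | 0x10000 | 0x0040,  # enabled, password never expires, user cannot change it (66112)
    512 | 0x400000,          # enabled, Kerberos pre-authentication not required (4194816)
    328226,                  # disabled, smartcard required, no expiry, password not required
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v:>8}  bit test={employee_status(v):<8}  "
              f"lookup={employee_status_by_lookup(v):<8}  flags={','.join(decode(v))}")
    print("values the lookup misclassifies:", disagreements(SAMPLES))
    print("514 after clearing the disable bit:", clear_disable_bit(514))
```

Running it shows the practical difference: an enabled account that is merely locked out (528), or has PASSWD_CANT_CHANGE or DONT_REQ_PREAUTH set, is not in the list of eight values and so comes out "disabled" from the lookup, while the bit test reports it "active". It also shows that after clear_disable_bit a disabled account (514) is indistinguishable from an enabled one (512), so a Portal set built on the cleared value cannot tell the two apart; a flow that keeps BitAnd(2, userAccountControl), or the raw value, preserves the bit the set needs.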
  • Hi DWind

    The code below might help.

    -- Lookup table: the single ADS_USER_FLAG bits plus the composite values
    -- commonly seen on ordinary user accounts (enabled/disabled variants).
    WITH UserAccountControlAttribute (PropertyFlag, ValueHexadecimal, ValueInDecimal) AS
    (
        SELECT 'SCRIPT', 0x0001, 1
        UNION ALL SELECT 'ACCOUNTDISABLE', 0x0002, 2
        UNION ALL SELECT 'HOMEDIR_REQUIRED', 0x0008, 8
        UNION ALL SELECT 'LOCKOUT', 0x0010, 16
        UNION ALL SELECT 'PASSWD_NOTREQD', 0x0020, 32
        UNION ALL SELECT 'PASSWD_CANT_CHANGE', 0x0040, 64
        UNION ALL SELECT 'ENCRYPTED_TEXT_PWD_ALLOWED', 0x0080, 128
        UNION ALL SELECT 'TEMP_DUPLICATE_ACCOUNT', 0x0100, 256
        UNION ALL SELECT 'NORMAL_ACCOUNT', 0x0200, 512
        UNION ALL SELECT 'Disabled Account', 0x0202, 514
        UNION ALL SELECT 'Enabled, Password Not Required', 0x0220, 544
        UNION ALL SELECT 'Disabled, Password Not Required', 0x0222, 546
        UNION ALL SELECT 'INTERDOMAIN_TRUST_ACCOUNT', 0x0800, 2048
        UNION ALL SELECT 'WORKSTATION_TRUST_ACCOUNT', 0x1000, 4096
        UNION ALL SELECT 'SERVER_TRUST_ACCOUNT', 0x2000, 8192
        UNION ALL SELECT 'DONT_EXPIRE_PASSWORD', 0x10000, 65536
        UNION ALL SELECT 'Enabled, Password Doesn’t Expire', 0x10200, 66048
        UNION ALL SELECT 'Disabled, Password Doesn’t Expire', 0x10202, 66050
        UNION ALL SELECT 'Disabled, Password Doesn’t Expire & Not Required', 0x10222, 66082
        UNION ALL SELECT 'MNS_LOGON_ACCOUNT', 0x20000, 131072
        UNION ALL SELECT 'SMARTCARD_REQUIRED', 0x40000, 262144
        UNION ALL SELECT 'Enabled, Smartcard Required', 0x40200, 262656
        UNION ALL SELECT 'Disabled, Smartcard Required', 0x40202, 262658
        UNION ALL SELECT 'Disabled, Smartcard Required, Password Not Required', 0x40222, 262690
        UNION ALL SELECT 'Disabled, Smartcard Required, Password Doesn’t Expire', 0x50202, 328194
        UNION ALL SELECT 'Disabled, Smartcard Required, Password Doesn’t Expire & Not Required', 0x50222, 328226
        UNION ALL SELECT 'TRUSTED_FOR_DELEGATION', 0x80000, 524288
        UNION ALL SELECT 'Domain controller', 0x82000, 532480
        UNION ALL SELECT 'NOT_DELEGATED', 0x100000, 1048576
        UNION ALL SELECT 'USE_DES_KEY_ONLY', 0x200000, 2097152
        UNION ALL SELECT 'DONT_REQ_PREAUTH', 0x400000, 4194304
        UNION ALL SELECT 'PASSWORD_EXPIRED', 0x800000, 8388608
        UNION ALL SELECT 'TRUSTED_TO_AUTH_FOR_DELEGATION', 0x1000000, 16777216
        UNION ALL SELECT 'PARTIAL_SECRETS_ACCOUNT', 0x04000000, 67108864
    )
    SELECT *
    FROM
    (
        -- Read the user objects from AD through the ADSI linked server.
        -- Single quotes inside the pass-through query are doubled.
        SELECT * FROM OPENQUERY(
            ADSI,
            'SELECT samAccountName,
                    givenName,
                    userPrincipalName,
                    displayName,
                    telephoneNumber,
                    mail,
                    mobile,
                    facsimileTelephoneNumber,
                    title,
                    userAccountControl,
                    CN
             FROM ''LDAP://xxx.local/DC=xxx,DC=local''
             WHERE objectClass = ''User'' AND objectCategory = ''person''') AS tblADSI
    ) AS t1
    -- Exact-value match: an account whose userAccountControl has a bit
    -- combination that is not listed in the CTE is dropped by this inner join.
    INNER JOIN UserAccountControlAttribute AS at
        ON at.ValueInDecimal = t1.userAccountControl
    	
    Best Regards


    Ricardo Lacerda

    Friday, March 3, 2017 3:41 PM