none
Design Concepts: Using FIM to enable or disable accounts in Active Directory

All replies

  • Hello Markus,

    I am trying to use this article to update the AD synchronization rule I created using the Technet documentation for Publishing users from 2 data sources.

    The accounts are being created to the FIMObjects OU but are being provisioned disabled.

    I am unsuccessful at updating the outbound flow definition because the option to select useraccesscontrol under flag:Integer is not available.  Am I missing something?

    Thanks ahead!

    Wednesday, January 27, 2010 1:35 AM
  • You need to select the attribute in the configuration of your ADMA.

    Cheers,
    Markus
    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Wednesday, January 27, 2010 4:12 PM
    Owner
  • Hi Markus,

    First off, excellent article!

    In order for the SR to "read" the existing value, don't you also have to create an Inbound flow for userAccountControl and contribute it to the metaverse?  Since this is not there by default, it requires a schema extension for the person object in the MV.

    I could not see userAccountControl in the "Source" tab of the Outbound SR until I had added it previously through an Inbound SR.


    Brad Turner, ILM MVP - Ensynch, Inc - www.identitychaos.com
    Monday, April 12, 2010 6:17 PM
  • Thanks, Brad.
    The focus so far was just about how to set the values from a technical perspective - which means, how to set or clear the related bit.

    However, you are right, I should add a section about the complete lifecycle to the article.
    Will do this soon. 

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
    Monday, April 12, 2010 9:31 PM
    Owner
  • Hi Markus,

    just a question about your bit mask value of '9223372036854775805'.

    I think that since FIM's integers are 64 bit signed integers and that value is positive, it has the first bit set to 0. Shouldn't the signed 64 bit integer with all bits set but the second one be -3?

    Cheers,

    Paolo


    Paolo Tedesco - http://cern.ch/idm
    Monday, April 19, 2010 11:56 AM
  • Is there any value in setting the minimum/maximum inclusive values for the new custom integer attribute - userAccountControl? Thanks.


    Anu
    Friday, May 07, 2010 5:19 PM
  • Yep, great article.  It's a bit strange that the article doesnt show what I would think that most people could use.  Get it?  "A bit Strange"  :)

    Anyway, it just my humble opinion that this would more useful if we could just provide the actual steps in the FIM UI to manipulate the userAccountControl on an OSR to AD.  I am easily confused and it just seems to me that showing how to flow this attribute into FIM would not be as useful to the general community as much as flowing the attribute in an AD OSR.

    I think Jorge's http://blogs.dirteam.com/blogs/jorge/archive/2010/07/29/managing-the-useraccountcontrol-attribute-in-ad-by-fim.aspx comes close but if you are a newbie it really is very difficult to actually set the OSR up from that.  In the TechNet documentation the examples only really show direct flows such as "userAccountControl => 514".  This is fine if we don't care about the other bits.

     

    Paul


    Paul N Smith
    Tuesday, May 24, 2011 11:15 PM