Custom expression for user disable/enable in Forefront Identity Manager 2010

    General discussion

  • Hi,

    This custom expression works fine when we create a new user in the HRMS database table:

    IIF(Eq(employeeStatus,"Confirm"), 512, IIF(Eq(employeeStatus,"Provision"), 512, 514))=>userAccountControl

    But when we modify the employeeStatus column value (Resigned, Retired, etc.), it does not work properly. All AD attribute values are updated, but the AD attribute userAccountControl is not updated to the value 514. Please tell me where I am wrong.

    Please help on an urgent basis.


    Anil Kumar

    Monday, February 27, 2012 8:14 AM

All replies

  • Hi Anil,

    Your question is not very clear, could you please try to better explain your problem?

    The problem is that if you change "employeeStatus" the value of userAccountControl is not updated? If so, have you checked that the outbound attribute flow in the Synchronization Rule does not have the "initial flow only" checkbox checked?

    Hope this helps, 

    P.S.: this is probably less urgent, but instead of the hard-coded values 512 and 514 you could probably use:

    • BitOr(2,userAccountControl) instead of 514
    • BitAnd(-3,userAccountControl) instead of 512

    That will preserve the other flags in the user account control value (check

    Paolo Tedesco -

    Monday, February 27, 2012 2:49 PM
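The flag arithmetic behind the P.S. in the reply above, as an added example that is not part of the thread or of FIM itself: it compares the hard-coded 512/514 flow with the BitOr/BitAnd form on a constructed userAccountControl value. The function names are hypothetical, the flag constants are the documented Active Directory values, and it assumes the current userAccountControl value is available to the flow.

```python
# Added example: userAccountControl bit arithmetic (documented AD flag values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE = 0x0002
# The two literals the thread's expression treats as "enabled".
ENABLED_STATUSES = {"Confirm", "Provision"}


def decode(uac):
    """Names of the known flags set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if uac & bit)


def hardcoded_flow(status):
    """Mirror of the thread's IIF expression: overwrite with 512 or 514."""
    return 512 if status in ENABLED_STATUSES else 514


def bitwise_flow(status, current_uac):
    """Mirror of the suggested BitAnd(-3, uac) / BitOr(2, uac)."""
    if status in ENABLED_STATUSES:
        # -3 is ~2 in two's complement: clears only the ACCOUNTDISABLE bit.
        return current_uac & -3
    return current_uac | ACCOUNTDISABLE


def flags_lost(before, after):
    """Flags other than ACCOUNTDISABLE that were set before and are gone after."""
    return decode(before & ~after & ~ACCOUNTDISABLE)


if __name__ == "__main__":
    # Constructed sample: normal account, smart card required, password never expires.
    current = 0x0200 | 0x40000 | 0x10000
    for status in ("Confirm", "Retired"):
        for label, new in (("hard-coded", hardcoded_flow(status)),
                           ("bitwise", bitwise_flow(status, current))):
            print(status, label, new, decode(new), "lost:", flags_lost(current, new))
```

On the sample account, both hard-coded values silently drop SMARTCARD_REQUIRED and DONT_EXPIRE_PASSWORD, while the bitwise form changes only the disable bit.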
  • Thanks for your response,

    We are synchronizing the user information from HRMS ----> FIM ----> AD.
    In the HRMS table, there is one attribute, say employeestatus. Its values are Confirmed, provision, Resigned, Retired, etc. Based on the employee status, we need to enable/disable the user on AD.
    We have put the logic in the Synchronization Rule so that in case of Confirmed and provision the user will be enabled, and for all the rest of the values of employeestatus the user will be disabled on AD.

    IIF(Eq(employeeStatus,"Confirm"), 512, IIF(Eq(employeeStatus,"Provision"), 512, 514))=>userAccountControl

    Now when we modified the employee status from Confirmed to Retired, userAccountControl is not updating on the AD.
    We have unchecked "initial flow only" in the outbound sync rule.




    Tuesday, February 28, 2012 2:36 PM
  • Thanks for your support. It's working now.



    Wednesday, February 29, 2012 12:39 PM
  • Hey Anil, What was the issue? I am facing similar problem.

    Thanks and Regards,



    Monday, June 05, 2017 7:59 AM