active directory account status not being updated import Account Job

sampath18
Regular Contributor II

Hi There,

In our setup we have Active Directory. When an account is disabled, the user is moved to a different OU with userAccountControl set to 514, and we have the following status_threshold_config JSON configured for reading the status.

{"statusAndThresholdConfig": {
"accountThresholdValue" : 1000,
"statusColumn":"customproperty30",
"activeStatus":["512","544","8388608"],
"inactiveStatus":["514","546"],
"inactivateAccountsNotInFile":false,
"correlateInactiveAccounts":true
}
}

When I run the AD accounts recon job, it has updated accounts as inactive, although some of the users are active in AD. This is being done in our Dev environment. When a user is created, we are setting the password expiry flag. So can you please let me know what I am doing wrong here?

Thanks

Sampath.

sahajranajee
Saviynt Employee

Hi Sampath,

Are you using ObjectGUID as the reconciliation attribute for imports?

Regards,
Sahaj Ranajee
Sr. Product Specialist

sampath18
Regular Contributor II

Hi Sahaj,

No, we are using distinguishedName for the reconciliation field.

But let me test it by changing in our dev instance.

Thanks for the response.

sampath18
Regular Contributor II

I just tried mapping ObjectGUID for the recon_field and ran the Import Accounts job. This time it has set all the in-scope accounts to inactive. This was the same earlier as well. We are using the 2020.1 version. Please let us know why this situation occurs although the required mappings exist.

Find below mapping for Account Attribute

=============

[status::userAccountControl#String,
CUSTOMPROPERTY24::employeeID#String,
CUSTOMPROPERTY1::CN#String,
CUSTOMPROPERTY2::name#String,
LASTLOGONDATE::lastLogon#millisec,
DISPLAYNAME::displayName#String,
CUSTOMPROPERTY25::company#String,
CUSTOMPROPERTY3::sn#String,
CUSTOMPROPERTY4::homeDirectory#String,
LASTPASSWORDCHANGE::pwdLastSet#millisec,
CUSTOMPROPERTY5::co#String,
CUSTOMPROPERTY6::cn#String,
CUSTOMPROPERTY7::givenName#String,
CUSTOMPROPERTY8::title#String,
CUSTOMPROPERTY9::telephoneNumber#String,
CUSTOMPROPERTY10::c#String,
DESCRIPTION::description#String,
CUSTOMPROPERTY11::uSNCreated#String,
VALIDTHROUGH::accountExpires#millisec,
CUSTOMPROPERTY13::physicalDeliveryOfficeName#String,
UPDATEDATE::whenChanged#date,
CUSTOMPROPERTY14::extensionAttribute1#String,
CUSTOMPROPERTY15::extensionAttribute2#String,
CUSTOMPROPERTY16::streetAddress#String,
CUSTOMPROPERTY17::mailNickname#String,
CUSTOMPROPERTY18::department#String,
CUSTOMPROPERTY19::countryCode#String,
NAME::sAMAccountName#String,
CUSTOMPROPERTY20::userPrincipalName#String,
CUSTOMPROPERTY21::manager#String,
CUSTOMPROPERTY22::homePhone#String,
CUSTOMPROPERTY23::mobile#String,
CREATED_ON::whenCreated#date,
ACCOUNTCLASS::objectClass#String,
customproperty26::distinguishedName#String,
RECONCILATION_FIELD::customproperty27,
CUSTOMPROPERTY27::objectGUID#Binary,
ACCOUNTID::distinguishedName#String]

=======================

sahajranajee
Saviynt Employee

Hello,

Since you are using DN as the recon attribute and the DN can change once the account is moved, it would lead to a discrepancy. It's recommended to use ObjectGUID as the recon attribute.

The way to implement ObjectGUID as the recon attribute would be in 2 steps:
1. Map ObjectGUID to a customproperty and import it into Saviynt in the first import.
2. Make the custom property the recon attribute and then run the import again.


Regards,
Sahaj Ranajee
Sr. Product Specialist

sampath18
Regular Contributor II

I have mapped it the same way. Please check my last response. Tested it, but the issue still persists.

Thanks
Sampath

sahajranajee
Saviynt Employee

Hi,

Please check your overall configuration for status changes. Your account import mapping has useraccountcontrol mapped to the status field:

status::userAccountControl#String,

whereas your status_threshold_config has statusColumn as 'customproperty30':

{"statusAndThresholdConfig": {
"accountThresholdValue" : 1000,
"statusColumn":"customproperty30",

Please update the useraccountcontrol to a particular customproperty in your account import mapping and use that same column name as 'statusColumn' in STATUS_THRESHOLD_CONFIG.

Also ensure all types of active status in UAC are being marked in the activeStatus parameter.


Regards,
Sahaj Ranajee
Sr. Product Specialist
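
Added example (not part of the thread and not Saviynt code): a Python pre-flight check that the `statusColumn` in STATUS_THRESHOLD_CONFIG is the column fed by userAccountControl in the account mapping, and that every userAccountControl value is classified consistently with its ACCOUNTDISABLE bit (0x2). The function names and the sample UAC values are assumptions for illustration, and the check does not model how the import job treats values that appear in neither list.

```python
import json

ACCOUNTDISABLE = 0x2  # userAccountControl bit that marks a disabled account

def parse_mapping(text):
    """ACCOUNT_ATTRIBUTE list -> {saviynt column: AD attribute}, lower-cased."""
    pairs = {}
    for entry in text.strip().strip("[]").split(","):
        column, sep, source = entry.strip().partition("::")
        if sep:
            pairs[column.lower()] = source.split("#")[0].lower()
    return pairs

def check_status_config(mapping_text, config_text, observed_uac=()):
    """Return findings; an empty list means mapping and config agree."""
    mapping = parse_mapping(mapping_text)
    cfg = json.loads(config_text)["statusAndThresholdConfig"]
    column = cfg["statusColumn"].lower()
    active, inactive = set(cfg["activeStatus"]), set(cfg["inactiveStatus"])
    findings = []
    if mapping.get(column) != "useraccountcontrol":
        findings.append(f"statusColumn {column} is fed by {mapping.get(column)}, "
                        "not userAccountControl")
    for value in sorted(active, key=int):
        if int(value) & ACCOUNTDISABLE:
            findings.append(f"activeStatus lists {value}, which has ACCOUNTDISABLE set")
    for value in sorted(inactive, key=int):
        if not int(value) & ACCOUNTDISABLE:
            findings.append(f"inactiveStatus lists {value}, which is an enabled account")
    for uac in observed_uac:
        if str(uac) not in active | inactive:
            state = "disabled" if uac & ACCOUNTDISABLE else "enabled"
            findings.append(f"UAC {uac} ({state}) is in neither status list")
    return findings

# Abbreviated from the thread: original mapping/config, then the corrected pair.
CONFIG = """{"statusAndThresholdConfig": {"statusColumn": "%s",
 "activeStatus": ["512","544","8388608"], "inactiveStatus": ["514","546"]}}"""
BEFORE = "[status::userAccountControl#String, NAME::sAMAccountName#String]"
AFTER = "[CUSTOMPROPERTY28::userAccountControl#String, NAME::sAMAccountName#String]"
SAMPLE_UAC = [512, 514, 66048]  # constructed; 66048 = 512 + DONT_EXPIRE_PASSWORD

if __name__ == "__main__":
    for label, mapping, col in (("before", BEFORE, "customproperty30"),
                                ("after", AFTER, "customproperty28")):
        print(label, check_status_config(mapping, CONFIG % col, SAMPLE_UAC))
```

Feeding `observed_uac` from a distinct-values export of userAccountControl in the target domain shows which values still need a place in `activeStatus` or `inactiveStatus`.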

sampath18
Regular Contributor II

Hi Sahaj,

This correction seems to work. So I have updated the mapping as below. Please check and let me know if there is any issue here.

[CUSTOMPROPERTY28::userAccountControl#String,
CUSTOMPROPERTY24::employeeID#String,
CUSTOMPROPERTY1::CN#String,
CUSTOMPROPERTY2::name#String,
LASTLOGONDATE::lastLogon#millisec,
DISPLAYNAME::displayName#String,
CUSTOMPROPERTY25::company#String,
CUSTOMPROPERTY3::sn#String,
CUSTOMPROPERTY4::homeDirectory#String,
LASTPASSWORDCHANGE::pwdLastSet#millisec,
CUSTOMPROPERTY5::co#String,
CUSTOMPROPERTY6::cn#String,
CUSTOMPROPERTY7::givenName#String,
CUSTOMPROPERTY8::title#String,
CUSTOMPROPERTY9::telephoneNumber#String,
CUSTOMPROPERTY10::c#String,
DESCRIPTION::description#String,
CUSTOMPROPERTY11::uSNCreated#String,
VALIDTHROUGH::accountExpires#millisec,
CUSTOMPROPERTY13::physicalDeliveryOfficeName#String,
UPDATEDATE::whenChanged#date,
CUSTOMPROPERTY14::extensionAttribute1#String,
CUSTOMPROPERTY15::extensionAttribute2#String,
CUSTOMPROPERTY16::streetAddress#String,
CUSTOMPROPERTY17::mailNickname#String,
CUSTOMPROPERTY18::department#String,
CUSTOMPROPERTY19::countryCode#String,
NAME::sAMAccountName#String,
CUSTOMPROPERTY20::userPrincipalName#String,
CUSTOMPROPERTY21::manager#String,
CUSTOMPROPERTY22::homePhone#String,
CUSTOMPROPERTY23::mobile#String,
CREATED_ON::whenCreated#date,
ACCOUNTCLASS::objectClass#String,
customproperty26::distinguishedName#String,
RECONCILATION_FIELD::customproperty27,
CUSTOMPROPERTY27::objectGUID#Binary,
ACCOUNTID::distinguishedName#String]

{"statusAndThresholdConfig": {
"accountThresholdValue" : 1000,
"statusColumn":"customproperty28",
"activeStatus":["512","544","8388608"],
"inactiveStatus":["514","546"],
"inactivateAccountsNotInFile":false,
"correlateInactiveAccounts":true
}
}

Regards,
Sampath