05-05-2022 07:37 AM
Hi There,
In our setup we have Active Directory. When the account is disabled, the user is moved to a different OU with userAccountControl set to 514, and we have the following status_threshold_config JSON configured for reading the status.
{"statusAndThresholdConfig": {
"accountThresholdValue" : 1000,
"statusColumn":"customproperty30",
"activeStatus":["512","544","8388608"],
"inactiveStatus":["514","546"],
"inactivateAccountsNotInFile":false,
"correlateInactiveAccounts":true
}
}
When I run the AD accounts recon job, it has updated the account as inactive, although some of the users are active in AD. This is being done in our Dev environment. When a user is created, we are setting the password expiry flag. So can you please let me know what I am doing wrong here?
Thanks
Sampath.
06-01-2022 11:05 PM - edited 06-01-2022 11:05 PM
Hi Sampath,
Are you using ObjectGUID as the reconciliation attribute for imports?
06-02-2022 01:41 AM
Hi Saharanjee,
No, we are using distinguishedName for the reconciliation field.
But let me test it by changing in our dev instance.
Thanks for the response.
06-02-2022 01:51 AM
I just tried mapping ObjectGUID for the recon_field and ran the Import Accounts job. This time it has set all the in-scope accounts to inactive. This was the same earlier as well. We are using the 2020.1 version. Please let us know why this situation occurs although the required mappings exist.
Find below the mapping for Account Attribute:
=============
[status::userAccountControl#String,
CUSTOMPROPERTY24::employeeID#String,
CUSTOMPROPERTY1::CN#String,
CUSTOMPROPERTY2::name#String,
LASTLOGONDATE::lastLogon#millisec,
DISPLAYNAME::displayName#String,
CUSTOMPROPERTY25::company#String,
CUSTOMPROPERTY3::sn#String,
CUSTOMPROPERTY4::homeDirectory#String,
LASTPASSWORDCHANGE::pwdLastSet#millisec,
CUSTOMPROPERTY5::co#String,
CUSTOMPROPERTY6::cn#String,
CUSTOMPROPERTY7::givenName#String,
CUSTOMPROPERTY8::title#String,
CUSTOMPROPERTY9::telephoneNumber#String,
CUSTOMPROPERTY10::c#String,
DESCRIPTION::description#String,
CUSTOMPROPERTY11::uSNCreated#String,
VALIDTHROUGH::accountExpires#millisec,
CUSTOMPROPERTY13::physicalDeliveryOfficeName#String,
UPDATEDATE::whenChanged#date,
CUSTOMPROPERTY14::extensionAttribute1#String,
CUSTOMPROPERTY15::extensionAttribute2#String,
CUSTOMPROPERTY16::streetAddress#String,
CUSTOMPROPERTY17::mailNickname#String,
CUSTOMPROPERTY18::department#String,
CUSTOMPROPERTY19::countryCode#String,
NAME::sAMAccountName#String,
CUSTOMPROPERTY20::userPrincipalName#String,
CUSTOMPROPERTY21::manager#String,
CUSTOMPROPERTY22::homePhone#String,
CUSTOMPROPERTY23::mobile#String,
CREATED_ON::whenCreated#date,
ACCOUNTCLASS::objectClass#String,
customproperty26::distinguishedName#String,
RECONCILATION_FIELD::customproperty27,
CUSTOMPROPERTY27::objectGUID#Binary,
ACCOUNTID::distinguishedName#String]
=======================
06-02-2022 02:14 AM
Hello,
Since you are using DN as the recon attribute and the DN can change once the account is moved, it would lead to a discrepancy. It's recommended to use ObjectGUID as the recon attribute.
The way to implement ObjectGUID as recon attribute would be in 2 steps:
1. Map ObjectGuid to a customproperty and import it onto Saviynt in the first import.
2. Make the custom property as the Recon attribute and then run the import again.
06-02-2022 02:24 AM
I have mapped it the same way. Please check my last response. Tested it, but the issue still persists.
Thanks
Sampath
06-02-2022 02:34 AM - edited 06-02-2022 02:34 AM
Hi,
Please check your overall configuration for status changes. Your account import mapping has userAccountControl mapped to the status field:
status::userAccountControl#String,
whereas your status_threshold_config has statusColumn as 'customproperty30':
{"statusAndThresholdConfig": {
"accountThresholdValue" : 1000,
"statusColumn":"customproperty30",
Please map userAccountControl to a particular customproperty in your account import mapping and use that same column name as 'statusColumn' in STATUS_THRESHOLD_CONFIG.
Also ensure all types of active status in UAC are being marked in the activeStatus parameter.
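An offline check for the two points in this answer, as an added example that is not part of the original post and not Saviynt code. It assumes the `TARGET::source#type` mapping syntax shown in the thread, case-insensitive column names, and a constructed list of observed userAccountControl values (66048 is a normal account with a non-expiring password).

```python
import json

ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled AD accounts

def uac_columns(mapping):
    """Columns (lower-cased) that 'TARGET::source#type' entries map userAccountControl to."""
    cols = []
    for entry in mapping.strip().strip("[]").split(","):
        target, _, source = entry.strip().partition("::")
        if source.split("#")[0].strip().lower() == "useraccountcontrol":
            cols.append(target.strip().lower())
    return cols

def check(mapping, config_json, observed_uac):
    """Return a list of problems; an empty list means mapping and config agree."""
    cfg = json.loads(config_json)["statusAndThresholdConfig"]
    problems = []
    status_col = cfg["statusColumn"].lower()
    cols = uac_columns(mapping)
    # Point 1: statusColumn must be the column that actually receives userAccountControl.
    if status_col not in cols:
        problems.append(f"statusColumn {status_col} does not hold userAccountControl (mapped to {cols})")
    # Point 2: every UAC value seen in the directory must be listed, on the correct side.
    active, inactive = set(cfg["activeStatus"]), set(cfg["inactiveStatus"])
    for value in observed_uac:
        disabled = bool(int(value) & ACCOUNTDISABLE)
        if value not in active and value not in inactive:
            problems.append(f"UAC {value} is in neither list (ACCOUNTDISABLE bit set: {disabled})")
        elif disabled != (value in inactive):
            problems.append(f"UAC {value} is listed on the wrong side (ACCOUNTDISABLE bit set: {disabled})")
    return problems

# Constructed, shortened versions of the mapping and config posted in the thread.
CONFIG = ('{"statusAndThresholdConfig": {"statusColumn": "%s", '
          '"activeStatus": ["512","544","8388608"], "inactiveStatus": ["514","546"]}}')
OLD_MAPPING = "[status::userAccountControl#String, NAME::sAMAccountName#String]"
NEW_MAPPING = "[CUSTOMPROPERTY28::userAccountControl#String, NAME::sAMAccountName#String]"

if __name__ == "__main__":
    observed = ["512", "514", "66048"]  # constructed sample of UAC values
    print("old:", check(OLD_MAPPING, CONFIG % "customproperty30", observed))
    print("new:", check(NEW_MAPPING, CONFIG % "customproperty28", observed))
```

Running it against an export of the distinct userAccountControl values in scope shows which ones still need to be added to `activeStatus` or `inactiveStatus` before the next import.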
06-02-2022 03:32 AM
Hi Sahaj,
This correction seems to work. So I have updated the mapping as below; please check and let me know if there is any issue here.
[CUSTOMPROPERTY28::userAccountControl#String,
CUSTOMPROPERTY24::employeeID#String,
CUSTOMPROPERTY1::CN#String,
CUSTOMPROPERTY2::name#String,
LASTLOGONDATE::lastLogon#millisec,
DISPLAYNAME::displayName#String,
CUSTOMPROPERTY25::company#String,
CUSTOMPROPERTY3::sn#String,
CUSTOMPROPERTY4::homeDirectory#String,
LASTPASSWORDCHANGE::pwdLastSet#millisec,
CUSTOMPROPERTY5::co#String,
CUSTOMPROPERTY6::cn#String,
CUSTOMPROPERTY7::givenName#String,
CUSTOMPROPERTY8::title#String,
CUSTOMPROPERTY9::telephoneNumber#String,
CUSTOMPROPERTY10::c#String,
DESCRIPTION::description#String,
CUSTOMPROPERTY11::uSNCreated#String,
VALIDTHROUGH::accountExpires#millisec,
CUSTOMPROPERTY13::physicalDeliveryOfficeName#String,
UPDATEDATE::whenChanged#date,
CUSTOMPROPERTY14::extensionAttribute1#String,
CUSTOMPROPERTY15::extensionAttribute2#String,
CUSTOMPROPERTY16::streetAddress#String,
CUSTOMPROPERTY17::mailNickname#String,
CUSTOMPROPERTY18::department#String,
CUSTOMPROPERTY19::countryCode#String,
NAME::sAMAccountName#String,
CUSTOMPROPERTY20::userPrincipalName#String,
CUSTOMPROPERTY21::manager#String,
CUSTOMPROPERTY22::homePhone#String,
CUSTOMPROPERTY23::mobile#String,
CREATED_ON::whenCreated#date,
ACCOUNTCLASS::objectClass#String,
customproperty26::distinguishedName#String,
RECONCILATION_FIELD::customproperty27,
CUSTOMPROPERTY27::objectGUID#Binary,
ACCOUNTID::distinguishedName#String]
{"statusAndThresholdConfig": {
"accountThresholdValue" : 1000,
"statusColumn":"customproperty28",
"activeStatus":["512","544","8388608"],
"inactiveStatus":["514","546"],
"inactivateAccountsNotInFile":false,
"correlateInactiveAccounts":true
}
}
Regards,
Sampath