
AD account is created in disabled status with userAccountControl to 546

Nmaheshwari
New Contributor II

We are using the AD connector, and during provisioning it's creating the account in disabled status, setting userAccountControl to 546. If we try to pass userAccountControl:512 explicitly in CreateAccountJson, it throws the error "Will not perform".

We have covered the below validations on our side.

1. AD service account has full privileges.

2. Password policy follows the AD policy.

3. We have cert installed.

4. We have validated the password generated through email and it is a valid one.

Has anyone faced such an issue and can help?

 

8 REPLIES

avinashchhetri
Saviynt Employee

Nmaheshwari,

You cannot pass the UAC value in the createAccount JSON. That is something that AD evaluates at the time of account creation.

UAC 546 means the account is in a disabled state and the password is not required. Since this is mostly password related, here are a few pointers.

1) Do you have the URL in the connector pointing to the ldaps protocol on the SSL port?

2) Did you restart the Saviynt Application server post certificate installation?

3) Have you tried disabling the automated password and passing a hardcoded value using the parameter "UnicodePwd"?

 

 

Regards,

Avinash Chhetri
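
Added example (not part of the original thread and not Saviynt connector code): Python that decodes the userAccountControl values discussed above and builds the unicodePwd byte value in the form Active Directory expects (quoted, UTF-16LE). The `triage` helper and the host names in the sample calls are hypothetical.

```python
from urllib.parse import urlparse

# Subset of the userAccountControl bit flags documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def encode_unicode_pwd(password):
    """unicodePwd wire value: password wrapped in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")

def triage(uac, ldap_url):
    """Hypothetical helper: decode the UAC and list what to check next."""
    flags = decode_uac(uac)
    findings = []
    if urlparse(ldap_url).scheme.lower() != "ldaps":
        findings.append("URL is not ldaps://; unicodePwd writes need an "
                        "encrypted connection")
    if "ACCOUNTDISABLE" in flags and "PASSWD_NOTREQD" in flags:
        findings.append("account is disabled with no password required: "
                        "check that the password write reached AD")
    return flags, findings

if __name__ == "__main__":
    # Constructed sample inputs; dc01.example.test is a placeholder host.
    for uac, url in [(546, "ldap://dc01.example.test:389"),
                     (512, "ldaps://dc01.example.test:636")]:
        flags, findings = triage(uac, url)
        print(uac, hex(uac), flags)
        for f in findings:
            print("  -", f)
    print(encode_unicode_pwd("Ab1!"))
```
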


Hi Avinash,

We have validated all the points you mentioned above and tried hardcoding the password value directly in the JSON, but it did not help. In AD the password was saved as plain text and the status was 546.

Thanks,

Nupur

sahajranajee
Saviynt Employee

Hello,

If your connection is secure (636) and you have a password policy attached to your security system or at the connection level then your UAC should automatically be set as 512.

 


Regards,
Sahaj Ranajee
Sr. Product Specialist

Hi Sahaj,

Yes, we have set everything, but it's still creating the account with a UAC value of 546.

I have a password policy attached to the security system, and at the connector level we have RandomPassword set to FALSE.

We tried setting RandomPassword to TRUE, but in this case it throws an error at the pending task saying "Will not perform".

Thanks,

Nupur

sahajranajee
Saviynt Employee

Hello,

Could you also check if your 'BASE' parameter is set on the connection and is valid for the provisioning scope you intend to have?

 


Regards,
Sahaj Ranajee
Sr. Product Specialist

Hi Sahaj,

The Base parameter is set properly.

Thanks,

Nupur

sahajranajee
Saviynt Employee

Hello,

This error is mostly due to an incorrect password policy, or an SSL connection that is not there or isn't secure enough.

Let's try the following and see if it helps:

1. Use a Password Policy either at the connection level or at the Security System level and ensure it's compliant with the AD policy. Use the email template to get the password being sent, to confirm the same.

2. Ensure that the SSL connection between AD and Saviynt is 128-bit. More info:
https://docs.microsoft.com/en-US/troubleshoot/windows/win32/change-windows-active-directory-user-pas...



Regards,
Sahaj Ranajee
Sr. Product Specialist

sahajranajee
Saviynt Employee

Hi @Nmaheshwari,

Was this issue resolved? Could you please share the solution for the betterment of the community here?

 


Regards,
Sahaj Ranajee
Sr. Product Specialist