
AD Connector set account expires and logon denied in disable account and turn off for enable

aundreb
Regular Contributor II

Hello,

Is it possible to set the Active Directory account expires to current date and login denied in the disableaccountjson for the AD connector? Similarly, in the enableaccountjson, would it be possible to change these to logon permitted and account never expires? If so, what would the syntax look like?

Screenshots for reference

aundreb_0-1676468345258.png

aundreb_1-1676468365476.png

SB
Saviynt Employee

In order to set the accountexpires as Current date you can use

${Calendar.getInstance().getTime().format('yyyyMMddHHmmss')}Z

For login denied - can you try to pass the value as 0, and for logon permitted try to pass the value as 1.


Regards,
Sahil

aundreb
Regular Contributor II

Hi Sahil,

Was the "Z" in your current date method there a typo? I ask because when I tried it I got the below error.

aundreb_0-1676647477019.png

Disable account JSON looks like the below

{
  "userAccountControl": "514",
  "description": "",
  "accountExpires": "${Calendar.getInstance().getTime().format('yyyyMMddHHmmss')}Z",
  "logonHours": "00000000000000000000"
}

SB
Saviynt Employee

Apologies for the typo, can you remove the Z and then validate.


Regards,
Sahil

"accountExpires": "${Calendar.getInstance().getTime().format('yyyyMMddHHmmss')}"

Regards,
Rushikesh Vartak

aundreb
Regular Contributor II

So the account expires looks to work but I am getting a completely different date than the current date. See below screenshot. Is there another way to get current date in Saviynt in a way that Active Directory will view it as today's date?

aundreb_0-1676991228018.png

Also, the "logonHours": "00000000000000000000" doesn't seem to work for setting the value to logon denied. Does anyone know the correct way to set this attribute?

SB
Saviynt Employee

Ideally the previously shared one should have worked, but can you try with the format ${(new Date()).format('yyyyMMddHHmmss')}

And for logon hours, please try the value as '0'. Also, do ensure the attribute name for AD you are using is the correct one.


Regards,
Sahil

aundreb
Regular Contributor II

The logonHours is the correct name for the attribute in AD. Unfortunately 0 does not work as the value seems to require a Hexadecimal value. I tried "0000000000000000000000" , "000000000000000000000000000000000000000000000000000000000000000000000000", and "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" the base64 string representation as well which did not work.

aundreb_0-1677077923810.png

Not sure what else to try or if anyone else has gotten this to work from Saviynt end.

Getting the below error.

aundreb_1-1677078950027.png

SB
Saviynt Employee

I have not used or seen anyone using this field before, unfortunately. But once the account is disabled the logon hours should not even matter as the User will not be able to login.

P.S: I hope the syntax to get the time format worked.


Regards,
Sahil

aundreb
Regular Contributor II

The time format is still giving the incorrect date for disabling.

aundreb_0-1677160992552.png

The reason my client wants the logonHours is so that if an account is enabled in Active Directory itself and not from ISIM the user still would not be able to login if login denied is set.

 

SB
Saviynt Employee

I checked this and currently setting the value for logonHours is not supported.

Though this functionality is already on the future roadmap. The product team would work on it and it would be available in the next suitable release.


Regards,
Sahil

aundreb
Regular Contributor II

Thanks. Do you have any further details on the proper way to send accountExpires? I saw another thread that didn't get resolved, with someone trying the below.

"accountExpires": "${(Calendar.getInstance().getTime() + 11644473600000) * 10000 }"

but for me this threw the error

{"log":"groovy.lang.MissingMethodException: No signature of method: java.util.Date.plus() is applicable for argument types: (java.lang.Long) values:

Thanks,

Aundre
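
For reference, Active Directory stores accountExpires as a count of 100-nanosecond intervals since 1601-01-01 UTC (0 or 9223372036854775807 means never expires) and logonHours as 21 raw bytes, one bit per hour of the week. The sketch below is an added example, not part of any post in this thread and not Saviynt connector syntax; the function names are illustrative and the sample date is constructed.

```python
import base64
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000             # one tick = 100 ns
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # both values mean "never expires"


def to_account_expires(when: datetime) -> str:
    """Decimal string AD stores in accountExpires for an aware datetime."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; AD stores UTC")
    delta = when - WINDOWS_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return str(seconds * TICKS_PER_SECOND + delta.microseconds * 10)


def from_account_expires(value: str):
    """Decode accountExpires to a UTC datetime, or None for 'never'."""
    ticks = int(value)
    if ticks in NEVER_EXPIRES:
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def logon_hours(permitted: bool) -> bytes:
    """21 bytes = 168 bits, one per hour of the week: all set or all clear."""
    return (b"\xff" if permitted else b"\x00") * 21


def describe_logon_hours(raw: bytes) -> str:
    """Classify a raw logonHours value read back from the directory."""
    if len(raw) != 21:
        raise ValueError(f"logonHours must be 21 bytes, got {len(raw)}")
    if raw == bytes(21):
        return "logon denied"
    return "logon permitted" if raw == b"\xff" * 21 else "restricted hours"


if __name__ == "__main__":
    sample = datetime(2023, 2, 15, tzinfo=timezone.utc)   # constructed sample date
    print(to_account_expires(sample))
    # A 14-digit yyyyMMddHHmmss string read as a tick count lands in 1601:
    print(from_account_expires("20230215000000"))
    print(base64.b64encode(logon_hours(False)).decode())
```

Reading the attribute back from the directory and decoding it this way confirms whether a disable or enable task wrote the intended expiry and logon state.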

 

SB
Saviynt Employee

Can you confirm the app version you are testing on?


Regards,
Sahil

aundreb
Regular Contributor II

5.5 SP3

SB
Saviynt Employee

Is it 3.11 or a lower version or any other?


Regards,
Sahil

aundreb
Regular Contributor II

It's 3.16 now, as of this week I believe, since the client upgraded. I can't remember what it was before but probably 3.11 or lower when I was testing it.

SB
Saviynt Employee

Can you try with this in that case (Z is included)

${Calendar.getInstance().getTime().format('yyyyMMddHHmmss')}Z

${(new Date()).format('yyyyMMddHHmmss')} worked until 3.11 I believe, and after that the new keyword was restricted from being used.

Post 3.11, ${Calendar.getInstance().getTime().format('yyyyMMddHHmmss')}Z worked for me.


Regards,
Sahil

aundreb
Regular Contributor II

This still didn't work for me. Error is below.

aundreb_0-1678112225825.png

My JSON looks like this.

{
  "userAccountControl": "514",
  "description": "",
  "accountExpires": "${Calendar.getInstance().getTime().format('yyyyMMddHHmmss')}Z"
}

SB
Saviynt Employee

${Calendar.getInstance().getTime().format('yyyyMMddHHmmss')}Z - this should have worked. In case it did not, can you create a ticket with the support team to check further.


Regards,
Sahil