05/18/2022 01:28 PM
Is there a way to expire an AD account when a person is terminated without disabling the user?
I was able to partially figure out a way to expire an account but it still disables the user by going into the RemoveAccountjson in the AD connector and adding this:
{
"removeAction": "SUSPEND",
"deleteAllGroups": "No",
"userAccountControl": "514",
"accountExpires": "${(10000 * (user.termDate.getTime() + 11644387200000)) }"
}
but this execution would only work with userAccountControl set to 514, which is Disable. If I try to remove this line the WSTRY fails and the AD account won't get expired.
05/18/2022 02:16 PM
Perhaps you could try utilizing the DISABLEACCOUNTJSON rather than REMOVEACCOUNTACTION and then try?
Regards,
Avinash Chhetri
05/19/2022 11:19 AM
It seems to give me the same problem. It doesn't like not having the "userAccountControl": "514", command but if I leave that command in it disables the user.
05/20/2022 09:19 AM
Do you see specific errors? Any logs that you can share when you don't have the userAccountControl in the JSON? Is Saviynt auto-setting the userAccountControl to 514?
05/19/2022 12:18 PM
How about passing this?
"userAccountControl": "512"
512 denotes NORMAL_ACCOUNT - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-...
05/19/2022 12:33 PM
I just tried 512 and it doesn't seem to have worked. It just added 1 to the number of tries for provisioning but the job itself is marked as a success.
05/19/2022 01:40 PM
You actually don't want to disable the account in AD. In that case, why do you have to use REMOVEACCOUNTACTION or DISABLEACCOUNTJSON?
Try using update account as action for your AD app in update rules when a person gets terminated and pass accountExpires logic in your UPDATEACCOUNTJSON. This way when you detect the user is terminated via imports, update account task for AD will get created & it will set the account expiry date.
"accountExpires": "${(10000 * (user.termDate.getTime() + 11644387200000)) }"
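Added example (not part of the thread and not Saviynt code): a Python check of the values discussed above, for verifying what a provisioning task actually wrote to AD. It converts a termination date to the accountExpires tick count and back, decodes the userAccountControl values 512 and 514, and shows that the offset in the posted expression is 86,400,000 ms smaller than the standard 1601-to-1970 offset (11644473600000 ms), so it produces a date one day earlier. Function names and the sample date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)

# Milliseconds between 1601-01-01 and 1970-01-01 (standard FILETIME offset).
FILETIME_UNIX_DIFF_MS = 11644473600000
# Offset exactly as posted in the thread, kept for comparison.
THREAD_OFFSET_MS = 11644387200000
# accountExpires values that AD treats as "never expires".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)

# userAccountControl bits relevant to the thread (Microsoft-documented values).
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT"}


def to_account_expires(when, offset_ms=FILETIME_UNIX_DIFF_MS):
    """Mirror 10000 * (epochMillis + offset): 100-ns ticks since 1601."""
    epoch_ms = (when - UNIX_EPOCH) // timedelta(milliseconds=1)
    return 10000 * (epoch_ms + offset_ms)


def from_account_expires(ticks):
    """Return the expiry as an aware datetime, or None for 'never'."""
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_uac(value):
    """List the known flag names set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_expired(ticks, now):
    """True when the account has an expiry and it is at or before 'now'."""
    expiry = from_account_expires(ticks)
    return expiry is not None and now >= expiry


if __name__ == "__main__":
    term = datetime(2022, 5, 18, tzinfo=UTC)  # constructed sample termDate
    for label, off in (("standard", FILETIME_UNIX_DIFF_MS), ("thread", THREAD_OFFSET_MS)):
        ticks = to_account_expires(term, off)
        print(label, ticks, from_account_expires(ticks).isoformat())
    print(514, decode_uac(514))  # disabled normal account
    print(512, decode_uac(512))  # enabled normal account
```

Comparing the decoded accountExpires and userAccountControl read back from the directory against these values confirms whether the task set only the expiry or also disabled the account.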