
Expiring an AD account when user is terminated from a HR Feed

Pqiu
New Contributor

Is there a way to expire an AD account when a person is terminated without disabling the user?

I was able to partially figure out a way to expire an account, but it still disables the user, by going into the RemoveAccountjson in the AD connector and adding this:

{
  "removeAction": "SUSPEND",
  "deleteAllGroups": "No",
  "userAccountControl": "514",
  "accountExpires": "${(10000 * (user.termDate.getTime() + 11644387200000)) }"
}

but this execution would only work with userAccountControl set to 514, which is Disable. If I try to remove this line the WSTRY fails and the AD account won't get expired.

avinashchhetri
Saviynt Employee

Perhaps you could try utilizing the DISABLEACCOUNTJSON rather than REMOVEACCOUNTACTION and then try?

Regards,
Avinash Chhetri

Pqiu
New Contributor

It seems to give me the same problem. It doesn't like not having the "userAccountControl": "514" command, but if I leave that command in, it disables the user.

avinashchhetri
Saviynt Employee

Do you see specific errors? Any logs that you can share when you don't have the userAccountControl in the JSON? Is Saviynt auto-setting the userAccountControl to 514?

Regards,
Avinash Chhetri

Sivagami
Valued Contributor

How about passing this?

"userAccountControl": "512"

512 denotes NORMAL_ACCOUNT - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-...

Pqiu
New Contributor

I just tried 512 and it doesn't seem to have worked. It just added 1 to the number of tries for provisioning, but the job itself is marked as a success.

Sivagami
Valued Contributor

You actually don't want to disable the account in AD. In that case, why do you have to use REMOVEACCOUNTACTION or DISABLEACCOUNTJSON?

Try using update account as the action for your AD app in update rules when a person gets terminated, and pass the accountExpires logic in your UPDATEACCOUNTJSON. This way, when you detect the user is terminated via imports, an update account task for AD will get created and it will set the account expiry date.

"accountExpires": "${(10000 * (user.termDate.getTime() + 11644387200000)) }"
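A worked check of the accountExpires expression used in this thread, added here as an example (not code from the thread or from Saviynt): it reproduces the formula in Python, decodes the resulting FILETIME back to a date so you can verify the instant the account will actually expire, and decodes userAccountControl 512 vs 514. Note that the constant 11644387200000 used above is 86,400,000 ms smaller than the exact 1601-to-1970 epoch offset of 11644473600000 ms, so the written value decodes to midnight one day before termDate; the sample termDate is constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME (used by AD accountExpires) counts 100-nanosecond ticks
# since 1601-01-01 00:00 UTC. The 1601 -> 1970 gap is 134774 days.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_OFFSET_MS = 11644473600 * 1000      # exact offset, in milliseconds
THREAD_OFFSET_MS = 11644387200000        # constant used in the thread's expression

# userAccountControl bits from the Microsoft documentation linked in the thread
NORMAL_ACCOUNT = 0x0200                  # 512
ACCOUNTDISABLE = 0x0002                  # the bit that turns 512 into 514


def account_expires_from_term_date(term_date, offset_ms=THREAD_OFFSET_MS):
    """Mirror of ${(10000 * (user.termDate.getTime() + offset))}.

    term_date is a timezone-aware datetime; Java's getTime() returns
    milliseconds since the Unix epoch, which timestamp()*1000 reproduces.
    """
    epoch_ms = int(term_date.timestamp() * 1000)
    return 10000 * (epoch_ms + offset_ms)


def filetime_to_datetime(filetime):
    """Decode an accountExpires value back to a UTC datetime (100 ns -> microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set (514 disables, 512 does not)."""
    return bool(uac & ACCOUNTDISABLE)


def expiry_check(term_date):
    """Return (value the thread's formula writes, the instant it decodes to,
    value the exact epoch offset would write)."""
    thread_value = account_expires_from_term_date(term_date)
    exact_value = account_expires_from_term_date(term_date, UNIX_OFFSET_MS)
    return thread_value, filetime_to_datetime(thread_value), exact_value


if __name__ == "__main__":
    # Constructed sample: HR feed says the user is terminated on 2024-06-30.
    term = datetime(2024, 6, 30, tzinfo=timezone.utc)
    written, decoded, exact = expiry_check(term)
    print("accountExpires written:", written, "-> expires at", decoded)
    print("exact-offset value would be:", exact)
    print("514 disabled?", is_disabled(514), "| 512 disabled?", is_disabled(512))
```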