Click HERE to see how Saviynt Intelligence is transforming the industry. |
08/05/2022 03:35 AM
The Saviynt Out-of-the-box connector only supports 5 values of userAccountControl but the AD implementations have many more values to define the status - for example - 1049088
Can someone please share the list of all possible active and inactive userAccountControl values to manually configure AD connection accounts status
08/05/2022 04:02 AM
Hi @raman ,
Are you talking about provisioning use cases? Ideally, when you wish to provision a specific type of UAC, did you try by defining userAccountControl in the CreateAccountJSON itself.
08/05/2022 04:06 AM
08/05/2022 04:09 AM
Hello, No, not the provisioning, just reconciliation. The AD accounts are marked as Inactive instead of Active while importing AD accounts, resulting in accounts missing out from the recertification campaigns
08/05/2022 04:22 AM
Add status threshold config in your connection
{
"statusAndThresholdConfig":{
"statusColumn":"customproperty30",
"activeStatus":[
"512",
"544"
],
"inactiveStatus":[
"546",
"514"
],
"deleteLinks":false,
"accountThresholdValue":1000,
"correlateInactiveAccounts":true,
"inactivateAccountsNotInFile":false,
"lockedStatusColumn":"customproperty29",
"lockedStatusMapping":{
"Locked":[
"0"
],
"Unlocked":[
"1"
]
}
}
}Possible userAccountControl values can be found in below link
08/05/2022 10:40 AM
{
"statusAndThresholdConfig":{ "statusColumn":"customproperty5",
"activeStatus":[
"512",
"544",
"2080",
"66048",
"640",
"4194816",
"66080",
"524800",
"590336",
"131584"
],
"deleteLinks":true,
"accountThresholdValue":1000, "correlateInactiveAccounts":true, "inactivateAccountsNotInFile":false
}
}
08/07/2022 10:44 PM
@raman ,
Thanks for the clarification. There is no limitation from Saviynt end regarding this. You can populate as many values as need in the STATUS_THRESHOLD_CONFIG 'activeStatus' and 'inactiveStatus' block and it will perform the status change accordingly.
The discovery of what UAC can be received during imports is something that the customer will have to help you with.
08/09/2022 08:34 AM
@rushikeshvartak The Microsoft link doesn't have all the possible values - typical Microsoft technology 🙂 but thanks anyway
@sahajranajee Yeah I understand we can configure it every time there is a new value but that is manual effort and it's time consuming. Also, the values such as 1049088 are not customer specific. So ideally there should be a complete list somewhere but thanks anyway.
08/09/2022 10:55 AM
Hi @raman ,
You are right. Ideally the list should be provided, but by Microsoft 🙂
Here is a documentation that i could find to help you with this :
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-...
1049088 = 512 + 1048576 (NORMAL_ACCOUNT + NOT_DELEGATED)