
Set accountExpires in AD to today +90 days

frayang
New Contributor

Hi all,

We have a requirement for setting AD attribute accountExpires to today()+90 days while enabling a disabled account in AD.

Have you worked on it before? If so, could you share your configuration/syntax with us? Thanks

 

-Fran


armaanzahir
Valued Contributor

Hi @frayang

Can you try the below code:

"accountExpires": "${(Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L}"

 

https://forums.saviynt.com/t5/identity-governance/account-expires-as-current-date-in-ad/m-p/40603

 

 

Regards,
Md Armaan Zahir

Raghu
Honored Contributor

@frayang  try below

"accountExpires": "${(Calendar.getInstance().apply { add(Calendar.DAY_OF_YEAR, 90); set(Calendar.HOUR_OF_DAY, 0); set(Calendar.MINUTE, 0); set(Calendar.SECOND, 0); set(Calendar.MILLISECOND, 0); }.getTimeInMillis() + 11644473600000L) * 10000L}"

 


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

Kriti
New Contributor

Can accountExpires attribute be updated to today + 90 days via EnableAccountJSON?

We are setting it like this in the EnableAccountJSON attribute:

"accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor')? (Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L : ''}

But the task is not completing, giving the below error:

Error enabling account in ADSI: { "status": "Failure", "failedObjects": [ { "id": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '/')}", "status": "Failure", "message": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '/')} does not exist.", "messageCodes": "OBJ_ERR_MSG_00002" } ], "connectionString": "LDAP://uslas0-inf008.jacobs.com:636" }

The same is working in updateAccountJson, and if accountExpires is not defined in enableAccountJSON, the enable account task processes successfully.

Share full json


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Kriti
New Contributor

EnableAccountJSON

{
"objects": [
{
"objectClasses": [
"user"
],
"distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\/')}",
"moveObjectToOU": "${user.customproperty21}",
"attributes": {
"userAccountControl": 512,
"extensionAttribute1": "${user.employeeType}",
"extensionAttribute6": "${user.country}",
"extensionAttribute3": "${user.location}",
"extensionAttribute13": "${user.customproperty4}",
"extensionAttribute9": "${user.customproperty2}",
"physicalDeliveryOfficeName": "${user.location}",
"description": "${user.jobDescription}",
"accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor')? (Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L : ''}"
}
}
]
}

{
"objects": [
{
"objectClasses": [
"user"
],
"distinguishedName": "${account.accountID?.replace('\\\\', '\\\\\\\\')?.replace('/', '/')}",
"moveObjectToOU": "${user.customproperty21}",
"attributes": {
"userAccountControl": 512,
"extensionAttribute1": "${user.employeeType}",
"extensionAttribute6": "${user.country}",
"extensionAttribute3": "${user.location}",
"extensionAttribute13": "${user.customproperty4}",
"extensionAttribute9": "${user.customproperty2}",
"physicalDeliveryOfficeName": "${user.location}",
"description": "${user.jobDescription}",
"accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor')? (Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L : ''}"
}
}
]
}


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Kriti
New Contributor

The issue is not with distinguishedName.

If I remove accountExpires from the above JSON and keep "distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\/')}", the enable account task completes successfully; it only fails when the accountExpires attribute is added.

"accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor') ? (new Date().getTime() + (90L * 24 * 60 * 60 * 1000) + 11644473600000L) * 10000L : '0'}"


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
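
Added example, not part of any reply above and not Saviynt code: a Python checker for the value an accountExpires expression produces, built on the conversion used in this thread (Unix milliseconds + 11644473600000, then × 10000 to get 100-nanosecond intervals since 1601-01-01 UTC). The function names, the sample time and the midnight-UTC option are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_DIFF_MS = 11_644_473_600_000    # constant used in the thread (1601 -> 1970, in ms)
TICKS_PER_MS = 10_000                 # accountExpires counts 100-nanosecond intervals
NEVER = (0, 0x7FFFFFFFFFFFFFFF)       # both values mean "never expires"

def account_expires(now, days=90, at_midnight=False):
    """accountExpires value for now + days; now must be timezone-aware."""
    target = now.astimezone(timezone.utc) + timedelta(days=days)
    if at_midnight:  # assumption: midnight UTC, not the server's local midnight
        target = target.replace(hour=0, minute=0, second=0, microsecond=0)
    unix_ms = (target - UNIX_EPOCH) // timedelta(milliseconds=1)
    return (unix_ms + EPOCH_DIFF_MS) * TICKS_PER_MS

def decode(value):
    """UTC datetime for an accountExpires value, or None for 'never expires'."""
    value = int(value)
    if value in NEVER:
        return None
    return AD_EPOCH + timedelta(microseconds=value // 10)

def check(value, now, days=90, slack=timedelta(days=1)):
    """Classify the value an expression produced against the intended now + days."""
    try:
        when = decode(value)
    except (ValueError, TypeError, OverflowError):
        return "invalid"
    if when is None:
        return "never-expires"
    if abs(when - (now + timedelta(days=days))) <= slack:
        return "ok"
    return "unexpected: " + when.date().isoformat()

def int32(n):
    """Wrap n the way 32-bit int arithmetic does in Java and Groovy."""
    return (n + 2**31) % 2**32 - 2**31

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)  # constructed sample time
    good = account_expires(now)
    for label, value in [("formula from the thread", good),
                         ("missing x10000", good // TICKS_PER_MS),
                         ("empty string", ""),
                         ("zero", 0)]:
        print(f"{label:24} {value!s:>20} -> {check(value, now)}")
    print("90*24*60*60*1000 in 32-bit int:", int32(90 * 24 * 60 * 60 * 1000))
```

Running `check` on the value written to a test account shows at a glance whether the account will expire in about 90 days, never, or at a date near 1601 that would lock it immediately.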