Layer7 Identity Management

Expand all | Collapse all

How to disable active directory account using Policy Express?

  • 1.  How to disable active directory account using Policy Express?

    Posted 06-18-2015 10:28 AM

    I am trying to disable active directory account using policy express. I am able to fetch the account and set password etc on the end point.

     

    What is the attribute that is used to set disable flag on active directory account?

     

    Based on my discussion with active directory team, I got to know that they use ADS_UF_ACCOUNTDISABLE bit to disable the account. But I don't see this in the populated list of attributes that I can set using policy express.

     

    I see that there are couple of attributes listed as "Suspended" / "%SUSPENDED_STATE%. are they used for this purpose?

     

    is there any documentation that explains attributes listed in policy express and their mapping to active directory end point?



  • 2.  Re: How to disable active directory account using Policy Express?

    Posted 06-19-2015 01:56 PM

    Why do you want to do it via PXP and not just disable the corporate user and let that provision to the endpoint account?



  • 3.  Re: How to disable active directory account using Policy Express?

    Posted 06-23-2015 03:50 AM

    Hi there

     

    I agree with Christopher here. You would want to keep the corporate store and the AD accounts in sync so rather do it via the corporate store disable and allow that to get to the endpoint via the provisioning server. That is, unless you have a very specific requirement that states that you need to use a policy for this in which case, I would say that best practices advise otherwise.

    If your status attributes are not changing in the provisioning server, I would suggest you check the .xml schema you imported in the IdentityMinder application server, check your attribute mappings in the account template and your explore/correlate attributes.

     

    Hope this helps.