Symantec IGA

  • 1.  IdM 12.6.5 reverse synch problem?

    Posted Feb 20, 2018 11:03 AM

    Hi all! I have a 12.6.5 environment from a previous partner implementation (and with a lot of configurations not documented...). This version is going to be upgraded to 14.1 in the following days, but it is still on 12.6.5.

    We have found a strange scenario with the AD connector. At this time the connector is only used to propagate passwords, enable disabled users and unlock locked ones. It performs a full explore/correlation every night.

    I was told that some accounts that were suspended in AD (through ADUC) were re-enabled by IdM (searching the logs, eta-trans shows a resync event with eTSuspended=0 just about 30 seconds before the AD log says that, from the IdM IP, the user was re-enabled by the user configured in the connector).

    I reviewed the reverse sync policies, but I have no Reverse Sync Modified Account Policies (as this was happening to existing users).

    Can there be another place where some policy is reverting changes on AD if they are made on the target system instead of the User Console, after correlating users?
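    One way to automate the log correlation described in this post, as an added example that is not part of the thread or of the CA/Symantec product: it takes a handful of constructed, simplified log lines (the real eta-trans and AD audit formats are not shown here, so the line layout, the connector service-account name, the Provisioning Server IP and the time window are all assumptions) and flags AD account enables performed by the connector identity that follow a resync event clearing eTSuspended for the same user within a short window.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical eta-trans style.
ETA_TRANS_LOG = """\
2018-02-19 02:14:07 resync user=jdoe attr=eTSuspended value=0
2018-02-19 02:14:09 resync user=asmith attr=eTSuspended value=0
2018-02-19 02:20:31 resync user=bjones attr=eTSuspended value=1
"""

# Constructed, simplified AD audit records: when an account was enabled,
# by which principal and from which source IP.
AD_AUDIT_LOG = """\
2018-02-19 02:14:35 enabled target=jdoe by=svc_idm_connector src=10.0.0.25
2018-02-19 02:16:40 enabled target=asmith by=helpdesk1 src=10.0.0.77
2018-02-19 03:00:00 enabled target=cwhite by=svc_idm_connector src=10.0.0.25
"""

IDM_SERVICE_ACCOUNT = "svc_idm_connector"  # assumption: account configured in the AD connector
IDM_SERVER_IP = "10.0.0.25"                # assumption: Provisioning Server address
WINDOW = timedelta(seconds=60)             # assumption: resync-to-enable lag to look for


def parse_kv_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS action k=v k=v ...' into (timestamp, action, fields)."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[3:])
    return ts, parts[2], fields


def resync_unsuspend_events(text):
    """Return [(ts, user)] for resync events that cleared eTSuspended (value=0)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, f = parse_kv_line(line)
        if action == "resync" and f.get("attr") == "eTSuspended" and f.get("value") == "0":
            events.append((ts, f["user"]))
    return events


def connector_enable_events(text, service_account, server_ip):
    """Return [(ts, user)] for AD enables done by the connector identity from the IdM host."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, f = parse_kv_line(line)
        if action == "enabled" and f.get("by") == service_account and f.get("src") == server_ip:
            events.append((ts, f["target"]))
    return events


def correlate(eta_text, ad_text, service_account, server_ip, window=WINDOW):
    """Match each connector-driven AD enable to the most recent resync
    eTSuspended=0 event for the same user within `window`.
    Returns a list of {'user', 'resync_at', 'enabled_at', 'lag_seconds'}."""
    resyncs = resync_unsuspend_events(eta_text)
    matches = []
    for enabled_at, user in connector_enable_events(ad_text, service_account, server_ip):
        candidates = [ts for ts, u in resyncs
                      if u == user and timedelta(0) <= enabled_at - ts <= window]
        if candidates:
            resync_at = max(candidates)
            matches.append({
                "user": user,
                "resync_at": resync_at,
                "enabled_at": enabled_at,
                "lag_seconds": int((enabled_at - resync_at).total_seconds()),
            })
    return matches


if __name__ == "__main__":
    for m in correlate(ETA_TRANS_LOG, AD_AUDIT_LOG, IDM_SERVICE_ACCOUNT, IDM_SERVER_IP):
        print(f"{m['user']}: resync at {m['resync_at']}, re-enabled {m['lag_seconds']}s later")
```

    With the constructed data only jdoe is reported: asmith was enabled by a help-desk user rather than the connector, and cwhite was enabled by the connector with no preceding resync, so neither fits the pattern the post describes. Running this against real exports would give a list of users to compare against the task settings discussed in the replies.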



  • 2.  Re: IdM 12.6.5 reverse synch problem?

    Posted Feb 22, 2018 12:31 PM

    The system will want to keep the user and accounts in the same status, so trying to have the IM user and Provisioning global user enabled but the accounts disabled will not work well, since at times the IM Server may push down the current IM user status. An example of this can happen if the IM task is configured with AccountSynchronization=OnTaskCompletion, as explained in the KB doc below.

    Explaining IM Task Settings (User Synchronization - CA Knowledge 



  • 3.  Re: IdM 12.6.5 reverse synch problem?

    Posted Feb 22, 2018 02:35 PM

    Looks like support case 00970229 has been opened for this.



  • 4.  Re: IdM 12.6.5 reverse synch problem?
    Best Answer

    Posted Feb 23, 2018 04:22 PM

    Hi Kenny, that's right. It is weird that almost all users who are disabled from outside remain in this state, but randomly we are notified that some few users are being re-enabled from IdM. I was looking at this link before, but if I tell the Modify User task to do nothing on users or accounts, I am afraid that users who go through self-service cannot resume their accounts. I will keep analyzing this; if I find something I will post it.

    PS: the scenario should be as follows: users are reconciled (AD as trusted, so "create global users as needed" and "update fields" are selected). Users use the User Console only to recover their password and unlock/resume their accounts on target systems (including AD), but this should be on demand. If discrepancies are found, IdM should do nothing. The behavior for all is fine, but we have these random cases. I opened a case also, to see if we can solve it or detect what is doing this. Many thanks for your response.