Symantec IGA


accountExpires not setting on Created Account

  • 1.  accountExpires not setting on Created Account

    Posted 01-06-2020 02:34 PM
    Hello all,

    I have run into an error, and I was wondering if anyone else has seen this before.

    I am creating a user in CA Identity Manager. We have an Active Directory Endpoint, with accountExpires extended in our schema so that we can set the value. I also have a script that converts the "End Date" attribute value into the LDAP time needed for Active Directory to set the accountExpires attribute (the script is located in both a create user and a modify user task). Finally, I have a PX that assigns a provisioning role to the user, which will then create the Active Directory account.

    Here's the kicker: After creating the user, the user gets the role, and the account is created, yet the PX does not recognize that the account has been created on the endpoint. So the provisioning user has the proper LDAP value, but it doesn't show on the Active Directory account. I have set the PX multiple ways to ensure that the account has, at the very least, been created. Yet it still throws an error.

    However, on a modify, after I modify the End Date, it will synchronize down to the endpoint fine, and the value is displayed correctly on the endpoint user.

    Has anyone come into contact with an issue like this, or been able to properly set accountExpires on a create?

    Thank you.

  • 2.  RE: accountExpires not setting on Created Account
    Best Answer

    Posted 01-06-2020 08:37 PM
    On your admin task -> Account Sync, set it to Sync with every Event. Then it will work.
    If you use it with task completed, the first PX (assign role) creates the account, but the second PX that assigns the expiry will not recognize that an account has been created.
    If you use sync with every event, then the second PX will recognize that the account is created and you will be able to set the expiry.
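
The "End Date" to accountExpires conversion mentioned in the question, as an added example that is not the poster's script and does not use CA Identity Manager's script API. It is standalone JavaScript; the function names, the `YYYY-MM-DD` input format and the choice to expire at 00:00 UTC on the day after End Date are assumptions.

```javascript
// Added example. AD stores accountExpires as the number of 100-nanosecond
// intervals since 1601-01-01 00:00 UTC; 0 or 0x7FFFFFFFFFFFFFFF = never expires.
const EPOCH_DIFF_MS = 11644473600000n;   // ms between 1601-01-01 and 1970-01-01
const TICKS_PER_MS = 10000n;             // 100-ns intervals per millisecond
const NEVER = 9223372036854775807n;      // 0x7FFFFFFFFFFFFFFF

// Hypothetical helper: End Date string -> accountExpires as a decimal string.
// BigInt is used because the value exceeds Number's 53-bit integer precision.
function endDateToAccountExpires(endDate) {
  const text = endDate == null ? "" : String(endDate).trim();
  if (text === "") return NEVER.toString();          // no End Date: never expires

  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(text);
  if (!m) throw new Error("End Date must be YYYY-MM-DD: " + text);
  const [y, mo, d] = m.slice(1).map(Number);
  if (y < 1601) throw new Error("End Date precedes the AD epoch: " + text);

  // Reject impossible dates such as 2020-02-31 instead of silently rolling over.
  const check = new Date(Date.UTC(y, mo - 1, d));
  if (check.getUTCMonth() !== mo - 1 || check.getUTCDate() !== d) {
    throw new Error("End Date is not a real calendar date: " + text);
  }

  // Assumption: the account stays usable through End Date and expires at
  // 00:00 UTC the following day (Date.UTC handles the month/year rollover).
  const expiryMs = BigInt(Date.UTC(y, mo - 1, d + 1));
  return ((expiryMs + EPOCH_DIFF_MS) * TICKS_PER_MS).toString();
}

// Hypothetical helper: read a value back from the endpoint for comparison.
// Returns null for either "never expires" encoding.
function accountExpiresToDate(value) {
  const ticks = BigInt(value);
  if (ticks === 0n || ticks === NEVER) return null;
  return new Date(Number(ticks / TICKS_PER_MS - EPOCH_DIFF_MS));
}

// Constructed sample input, not taken from the thread.
const sample = endDateToAccountExpires("2020-01-06");
console.log(sample, accountExpiresToDate(sample).toISOString());
```

Decoding the value read back from the Active Directory account with `accountExpiresToDate` and comparing it to the provisioning user's value shows whether the create flow actually pushed the expiry to the endpoint.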