Okta Classic Engine | Lifecycle Management | Answered | 2018-09-05T01:30:13.000Z | 2018-07-03T12:10:31.000Z
useraccountcontrol not available as Active Directory Attribute
Am I missing something here? Looking at all the available AD attributes that I can import, the only one that seems to be not available is UserAccountControl. Previously with FIM we used this attribute quite a lot and planned to use it here, as an example:

Provision application to users only if their accounts are not set to never expire/not disabled (User account control value 512).

In fact we use 512 quite a lot as a way of filtering out system, service and resource accounts.

Any thoughts?

Thanks.

  • Hi Gareth,

     

    Apologies for the late reply on this - it is expected behavior that the userAccountControl attribute cannot be added to the list of AD Attributes. Okta already reads this attribute value for the purposes of determining if a user has been deactivated.

     

    This article (https://help.okta.com/en/prod/Content/Topics/Directory/Directory_AD_Field_Mappings.htm) goes into a bit more detail regarding this:

     

    "The system treats previously imported users as deleted if any of the following conditions are met:

     

    - The userAccountControl attribute indicates that the user has been deactivated. (Detected by incremental import or JIT sign in.)"

     

    However, it should still be possible to bring in the value of the attribute into Okta, by using a different AD Attribute for that purpose.

     

    Thank You,

     

    Andrei Aldea

    Technical Support Engineer

    Okta Global Customer Care
This question is closed.
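
The thread's filter on userAccountControl value 512, shown as an added example (not part of the original posts and not Okta code): it decodes the bit flags behind the number and compares an exact match on 512 with a bit-mask test of the same intent. It assumes the value has been copied into another attribute, as the answer suggests, and arrives as an integer or numeric string; the account names and values are constructed samples.

```python
from enum import IntFlag

class UAC(IntFlag):
    """userAccountControl bits (subset; values from Microsoft's documentation)."""
    ACCOUNTDISABLE = 0x0002
    LOCKOUT = 0x0010
    PASSWD_NOTREQD = 0x0020
    NORMAL_ACCOUNT = 0x0200             # decimal 512
    INTERDOMAIN_TRUST_ACCOUNT = 0x0800
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT = 0x2000
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED = 0x40000
    DONT_REQ_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000

# Flags the rule in the question is meant to exclude.
EXCLUDE = UAC.ACCOUNTDISABLE | UAC.DONT_EXPIRE_PASSWORD

def decode(raw):
    """Return the sorted names of known flags set in raw (int or numeric string)."""
    value = int(raw)
    return sorted(f.name for f in UAC if value & f.value)

def exact_512(raw):
    """The rule as described in the question: the value must equal 512."""
    return int(raw) == 512

def masked_rule(raw):
    """Bit test: normal user account, not disabled, password allowed to expire."""
    value = int(raw)
    return bool(value & UAC.NORMAL_ACCOUNT) and not (value & EXCLUDE)

# Constructed sample accounts (names and values are illustrative only).
SAMPLES = {"alice": "512", "bob.disabled": "514", "svc-backup": "66048",
           "carol": "544", "WKSTN01$": "4096"}

def report(samples=SAMPLES):
    """Map each account to (flag names, exact-512 result, masked result)."""
    return {name: (decode(v), exact_512(v), masked_rule(v))
            for name, v in samples.items()}

if __name__ == "__main__":
    for name, (flags, exact, masked) in report().items():
        print(f"{name:14} {'|'.join(flags):40} exact={exact} masked={masked}")
```

The two rules differ on 544 (NORMAL_ACCOUNT plus PASSWD_NOTREQD): the exact match drops that user, while the mask keeps it, so the decoded flag names are worth reviewing before choosing either as a provisioning filter.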