accountExpires attribute in AD

Hi Team,

I need a little assistance getting over a hump in reference to AD account creation for Contractors. I am getting the error after the account is created only on Contractors: "The attribute syntax specified to the directory service is invalid." I have a feeling it may be the accountExpires attribute in AD. How do I get past this to render a successful account creation for contractors with an expiration date? Goal: set employees to “Never” and contractors to a specific date.

Thanks

When you are writing the expiration date to AD are you converting the format to EPOCH_TIME_WIN32?

I don’t have a specific config that does this at the moment. Would I do this via the transform or in the source config?

Hi @mgrant,

You can use transform in provisioning policies to achieve the use-case.

Thanks

Hi

Check the link below; it may help you. Thanks

Regards,
Siva.K


Hi

When passing the account expiry date to AD:
SailPoint recommends that the accountExpires attribute must be defined as a string. However, the Active Directory source accepts an integer value for the accountExpires attribute in account provisioning if it is not a string.

Use a transform: if you want to send “never” for employees, send 0; if you want to send a date for contractors, send the value in epoch time.

Thanks,
Siva.K
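As an added illustration of the conversion the replies above describe (this is example code, not SailPoint's transform engine or anything posted in this thread), the following Python converts a contractor end date into the value AD expects in accountExpires, which is a Windows FILETIME: the number of 100-nanosecond ticks since 1601-01-01 00:00 UTC, sent as a string. Employees get 0, meaning "never". The identity fields `type` and `endDate` and the date format `%Y-%m-%d` are assumptions chosen for the example; the reverse decoder is included so you can sanity-check values already stored in AD.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-ns ticks.
WIN32_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# AD treats 0 (and also 9223372036854775807) as "account never expires".
# SailPoint expects accountExpires as a string, so the constant is a string.
NEVER_EXPIRES = "0"


def to_account_expires(end_date, fmt="%Y-%m-%d"):
    """Convert a date string (assumed format %Y-%m-%d, interpreted as UTC
    midnight) to the AD accountExpires string value. A missing or blank
    end date maps to "never"."""
    if end_date is None or str(end_date).strip() == "":
        return NEVER_EXPIRES
    dt = datetime.strptime(end_date, fmt).replace(tzinfo=timezone.utc)
    delta = dt - WIN32_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
    ticks += delta.microseconds * 10
    return str(ticks)


def from_account_expires(value, fmt="%Y-%m-%d"):
    """Decode an accountExpires value read back from AD into a date string,
    or "never" for the two sentinel values. Useful for verifying what a
    provisioning run actually wrote."""
    ticks = int(value)
    if ticks == 0 or ticks == 9223372036854775807:
        return "never"
    seconds, remainder = divmod(ticks, TICKS_PER_SECOND)
    dt = WIN32_EPOCH + timedelta(seconds=seconds, microseconds=remainder // 10)
    return dt.strftime(fmt)


def account_expires_for(identity):
    """Apply the thread's rule: employees never expire, contractors expire
    on their end date. `identity` is an assumed dict with 'type' and
    'endDate' keys (constructed for this example)."""
    if identity.get("type", "").lower() == "employee":
        return NEVER_EXPIRES
    return to_account_expires(identity.get("endDate"))


if __name__ == "__main__":
    # Constructed sample identities, not real data.
    for ident in (
        {"type": "Employee", "endDate": None},
        {"type": "Contractor", "endDate": "2025-12-31"},
    ):
        value = account_expires_for(ident)
        print(ident["type"], "->", value, "=", from_account_expires(value))
```

The decoder is the practical check: after a test provisioning, read accountExpires back from the created account and run it through `from_account_expires`; if the value does not decode to the contractor's end date (or to "never" for an employee), the transform is emitting the wrong format rather than the wrong date.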

Hi @mgrant

I would suggest creating a new identity attribute for AdAccountExpire where you will get the end date of contractors and convert it to the epoch form of the date.

Note: I think epoch allows a max date up to the year 2999 or something like that, so in case your contractors have an end date beyond that, you should either update them as never or set the max date as 31-12-2999, convert it to epoch and store it at the identity level (probably this is the reason you are getting the error for this attribute too).

Similarly, for the normal employees you can easily set this value to never. The advantage of this approach is that you can configure attribute sync, and thus only those accounts that have a difference for AdAccountExpire between AD and ISC will be triggered for modification.

Of course, the disadvantage is that you need an additional identity attribute 🙂.

I hope this helps.

Thank You.
Regards
Vikas

One more thing to add to @vguleria and the idea of creating a new identity attribute:

If you have an identity attribute that is configured with attribute sync for accountExpires, you have an easy path to update it if the contractor gets extended/returns or if the contractor converts to an employee and the value needs to change.

Alicia


Hi Team,

Thank you all for the input regarding the issue I was facing. With your input I thought it over and created a Date Format Transform and applied it to the attribute. This resulted in the correct syntax being applied for accountExpires during AD account creation for our non-employees. Truly appreciate all the assistance, my friends.
