Error creating AD accounts with userAccountControl in create profile

I need to set userAccountControl on create and synchronize it for accounts in AD.

The value is calculated on an identity attribute using a transform that correctly returns an integer value for each variation.

However, accounts are failing with the following error:

["Error(s) reported back from the IQService - Unable to cast object of type \u0027System.Int64\u0027 to type \u0027System.String\u0027."]

I see the same behavior when the transform on the identity attribute returns a string value.

Anyone know the solution?

Hi Joseph,

Can you explain the use cases you’re trying to achieve?
The account will by default be created in an enabled state, and the disable feature is built in to the connector which will set the UAC. What you’re trying to achieve can likely be achieved without needing to use a transform to calculate the user account control.

Thanks,
Margo

Hi Margo,
The connector team has confirmed a bug in the “Disabled” pseudo attribute, and hence we are using userAccountControl to enforce state.

I also have a use case where accounts will need to be created in a disabled state.

I don’t need to set it during create for some use cases, but I can’t sync it unless it is part of the create profile.

However, I think this is a red herring. When a user initially wrote the transform with string values, I saw a cast error when the value was set (and that makes sense).

Upon further inspection, I have removed the attribute altogether, and see in the iqservice log that the create operation fails due to an existing user (which is not true, I verified immediately before and after) but then builds the return message to ship back and the error in the iqservice log is the cast error.

The userAccountControl attribute and my value don’t even appear in the request sent to the iq service.

  1. I don’t know why the initial create is failing, it is not due to an existing user.
  2. I don’t know where the casting error came from (some other bug), and why the “user already exists” error was discarded from the response.

Hi @josephcasale,

We cannot create an account for the same user with the account in a disabled state (as the user already exists).

UAC will be automatically set for newly created accounts.

Hi @josephcasale, can I know which account you are trying to disable? ISC or in AD?

If ISC, then you can use the IIQDisabled attribute to disable the user during creation. For AD, you can use the UAC attribute to disable the accounts by passing the value as 514.
Did you try this?

Thanks.

Hi,
Interesting, the connector docs mention a “Disabled” attribute for this and it does not work (confirmed through a ticket), but you are saying that attribute is actually “IIQDisabled”?

However, as my reply to Margo mentions, I am no longer setting userAccountControl (it is disabled) and I confirm it’s not in the request attributes sent to the IQ service.

But the create operation is failing and incorrectly reporting a casting error when the logs show a user already exists error.

Though I have verified before and after that a user with the same distinguished name and samaccountname did not exist before and still does not exist after.