Is it possible to create disabled AD accounts if the identity life cycle state is active?

Hi All,

We have a requirement to create non-human/mailbox AD accounts in a disabled state. Is it possible to create disabled AD accounts if the identity lifecycle state is active?

TIA.

Issue: I have tried, but the CloudAutomatedActive interface automatically looks at the identity state and enables the AD account.

You can create an attribute named “userAccountControl” in the Create profile and implement a static transform that checks whether the account to be created is non-human (or any other relevant condition) and sets the value to “514”, else “512”.
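As an added illustration (not a transform from this thread or from SailPoint itself), this is what the static transform described above could look like as a transform definition; the identity attribute name accountType and its value NonHuman are assumptions, and 514 is NORMAL_ACCOUNT (512) with the ACCOUNTDISABLE bit (2) set. The transform is then mapped to the userAccountControl attribute in the AD Create profile.

```json
{
  "name": "AD userAccountControl for non-human accounts",
  "type": "static",
  "attributes": {
    "accountType": {
      "type": "identityAttribute",
      "attributes": {
        "name": "accountType"
      }
    },
    "value": "#if($accountType == 'NonHuman')514#{else}512#end"
  }
}
```

As the later replies point out, the 514 written at creation only survives if the Active lifecycle state is not configured to enable the AD account.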

Hi @sameertawargeri ,

I’m doing the same thing as you mentioned, but some automated process in SailPoint is enabling the account; not sure where this is coming from.

I see from the plan/IQService logs that, as expected, it’s setting
AttributeRequest op=“Add” name=“userAccountControl” value=“514”

The account is getting enabled because, most probably, in the identity profile settings you have configured the AD account to be enabled in the Active LCS.


Yes, you are correct @gourab, thanks. Let me test creation again.

Hi @gourab, thanks, it worked and I was able to create a DISABLED AD account, but I’m wondering: what if we need to have LCS provisioning enabled?


Maybe consider having a separate lifecycle state for non-human/mailbox accounts, something like non-human-account, then enable the LCS and have the disable account option checked. In your Lifecycle State identity attribute, write a transform that determines the LCS value as non-human-account for such accounts.
You can then use this LCS in your roles for membership-criteria-based provisioning, so that accounts are created on the target but in a disabled state.

