MIIS and AD userAccountControl

In most of the projects run with MIIS, AD is one of the master data sources.
Also, in most cases the user status (disabled/enabled, …) needs to be propagated to other systems.
AD stores the user "disabled/enabled" status in the userAccountControl attribute.
But the userAccountControl attribute is a (hexadecimal) number value.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
Other sources like ADAM (AD LDS) use a single attribute.
FYI http://msdn2.microsoft.com/en-us/library/aa772124.aspx
I’ve created a small Excel sheet to translate some values out of and into a userAccountControl value.
You can easily get the useraccount-disabled value out of the hex value.
First create boolean attributes in the MIIS metaverse like :
In the AD import flow, create an advanced import flow from userAccountControl to your new attributes.
(Example in VB.Net)
Create an AD extension, add the "Active DS Type Library" as a reference in your code project, and add the following line at the top of your extension:
"Imports ActiveDs.ADS_USER_FLAG"
Next, use an extension to handle the import flow, like:
    Public Sub MapAttributesForImport( _
    ByVal FlowRuleName As String, _
    ByVal csentry As CSEntry, _
    ByVal mventry As MVEntry) _
    Implements IMASynchronization.MapAttributesForImport
        ' TODO: write your import attribute flow code
        ' Each flag rule tests one bit of userAccountControl:
        ' (value And flag) = flag is True only when that bit is set.
        Select Case FlowRuleName
            Case "mail"
                mventry(FlowRuleName).Value = csentry(FlowRuleName).StringValue.ToLower
            Case "msDS-UserAccountDisabled"
                mventry("msDS-UserAccountDisabled").BooleanValue = _
                    (csentry("userAccountControl").IntegerValue And _
                    ADS_UF_ACCOUNTDISABLE) = ADS_UF_ACCOUNTDISABLE
            Case "ms-DS-UserAccountAutoLocked"
                mventry("ms-DS-UserAccountAutoLocked").BooleanValue = _
                    (csentry("userAccountControl").IntegerValue And _
                    ADS_UF_LOCKOUT) = ADS_UF_LOCKOUT
            Case "msDS-UserDontExpirePassword"
                mventry("msDS-UserDontExpirePassword").BooleanValue = _
                    (csentry("userAccountControl").IntegerValue And _
                    ADS_UF_DONT_EXPIRE_PASSWD) = ADS_UF_DONT_EXPIRE_PASSWD
            Case "ms-DS-UserPasswordNotRequired"
                mventry("ms-DS-UserPasswordNotRequired").BooleanValue = _
                    (csentry("userAccountControl").IntegerValue And _
                    ADS_UF_PASSWD_NOTREQD) = ADS_UF_PASSWD_NOTREQD
            Case "msDS-UserPasswordExpired"
                mventry("msDS-UserPasswordExpired").BooleanValue = _
                    (csentry("userAccountControl").IntegerValue And _
                    ADS_UF_PASSWORD_EXPIRED) = ADS_UF_PASSWORD_EXPIRED
            Case Else
                ' TODO: remove the following statement and add your default script here
                Throw New EntryPointNotImplementedException()
        End Select ' FlowRuleName
    End Sub ' MapAttributesForImport
Now you have the different separate values stored in the MV and you can work with each value…
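
As a stand-alone counterpart to the Excel sheet, here is an added Python example (not the author's code or part of MIIS) that translates a userAccountControl value out of and into the booleans used in the import flow. The helper names `parse_uac`, `decode` and `apply_changes` are hypothetical; the flag values are those of the ADS_USER_FLAG enumeration from KB 305144.

```python
# Added example: flag values from the ADS_USER_FLAG enumeration (KB 305144).
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_LOCKOUT = 0x0010
ADS_UF_PASSWD_NOTREQD = 0x0020
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
ADS_UF_PASSWORD_EXPIRED = 0x800000

# Metaverse attribute names as used in the import flow above.
MV_FLAGS = {
    "msDS-UserAccountDisabled": ADS_UF_ACCOUNTDISABLE,
    "ms-DS-UserAccountAutoLocked": ADS_UF_LOCKOUT,
    "msDS-UserDontExpirePassword": ADS_UF_DONT_EXPIRE_PASSWD,
    "ms-DS-UserPasswordNotRequired": ADS_UF_PASSWD_NOTREQD,
    "msDS-UserPasswordExpired": ADS_UF_PASSWORD_EXPIRED,
}


def parse_uac(raw):
    """Accept an int, a decimal string ("514") or a hex string ("0x202")."""
    value = raw if isinstance(raw, int) else int(str(raw).strip(), 0)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"userAccountControl out of range: {raw!r}")
    return value


def decode(raw):
    """Split a userAccountControl value into the metaverse booleans."""
    value = parse_uac(raw)
    return {attr: (value & flag) == flag for attr, flag in MV_FLAGS.items()}


def apply_changes(raw, changes):
    """Set or clear only the requested flags; every other bit is preserved."""
    value = parse_uac(raw)
    for attr, wanted in changes.items():
        if attr not in MV_FLAGS:
            raise KeyError(f"no flag mapped to attribute {attr!r}")
        flag = MV_FLAGS[attr]
        value = (value | flag) if wanted else (value & ~flag)
    return value


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for sample in (512, "514", "0x10202"):
        print(sample, decode(sample))
    print(hex(apply_changes("0x10202", {"msDS-UserAccountDisabled": False})))
```

Writing the value back this way keeps bits the mapping does not know about, so enabling or disabling an account does not silently drop other account options. KB 305144 also notes that in Windows Server 2003-based domains the lockout and password-expired states are reported through ms-DS-User-Account-Control-Computed rather than userAccountControl, so those two booleans may stay False when read from this attribute.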
