Active Directory endpoint and the userAccountControl attribute

Blog Post created by Nino.Uziel Employee on Oct 22, 2015

The userAccountControl attribute is an Active Directory user attribute.

In a nutshell, it holds the options shown in the user's Account options dialog box.

You can read more about it in the Microsoft article "How to use the UserAccountControl flags to manipulate user account properties".


IdentityMinder does not show this attribute in the endpoint attribute mapping list. This is because it is an Initial attribute and not a Capability attribute.
You can read more about Initial Attributes and Capability Attributes in our IdentityMinder Administration Guide, under Provisioning Roles => Attributes in Account Templates, and also in the chapter Synchronization => Synchronization Tasks.

Synchronization does not update initial attributes.
An initial attribute is initialized from the account templates during account creation, and it can also be updated during propagation functions.
If you modify this account value, the change will be propagated to the endpoint account.


At least one customer has reported being able to modify this attribute using Policy XPress. However, it requires a strong synchronization policy to be used.
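
Since synchronization does not update initial attributes, it helps to be able to check whether an endpoint account's userAccountControl value still matches the value set by the account template. The Python code below is an added example, not part of the original post or of IdentityMinder: it decodes a subset of the bit flags documented by Microsoft and reports how an endpoint value differs from a template value. The function names, the sample values and the set of flags marked for review are assumptions made for the illustration.

```python
from enum import IntFlag


class UAC(IntFlag):
    """userAccountControl bits, as documented by Microsoft (subset)."""
    ACCOUNTDISABLE = 0x000002
    LOCKOUT = 0x000010
    PASSWD_NOTREQD = 0x000020
    PASSWD_CANT_CHANGE = 0x000040
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x000080
    NORMAL_ACCOUNT = 0x000200
    DONT_EXPIRE_PASSWORD = 0x010000
    SMARTCARD_REQUIRED = 0x040000
    TRUSTED_FOR_DELEGATION = 0x080000
    NOT_DELEGATED = 0x100000
    USE_DES_KEY_ONLY = 0x200000
    DONT_REQ_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000


# Assumption for this example: flags an auditor would want reviewed.
REVIEW = (UAC.PASSWD_NOTREQD | UAC.ENCRYPTED_TEXT_PWD_ALLOWED |
          UAC.DONT_EXPIRE_PASSWORD | UAC.TRUSTED_FOR_DELEGATION |
          UAC.USE_DES_KEY_ONLY | UAC.DONT_REQ_PREAUTH)
KNOWN = sum(f.value for f in UAC)


def flag_names(value):
    """Names of the known flags set in an integer userAccountControl value."""
    return [f.name for f in UAC if int(value) & f.value]


def drift(template_value, endpoint_value):
    """Compare the template's initial value with the endpoint account's value."""
    changed = template_value ^ endpoint_value
    return {
        "added": flag_names(endpoint_value & changed),
        "removed": flag_names(template_value & changed),
        "review": flag_names(endpoint_value & int(REVIEW)),
        "unknown_bits": endpoint_value & ~KNOWN,
    }


if __name__ == "__main__":
    template = 0x0200  # constructed sample: NORMAL_ACCOUNT only
    accounts = {"jdoe": 66048, "svc-app": 4194816}  # constructed samples
    for name, value in accounts.items():
        print(name, flag_names(value), drift(template, value))
```

Bits that are not in the subset above are reported as `unknown_bits` rather than dropped, so an unexpected value is still visible in the result.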