How to update the Active Directory UserAccountControl (UAC) attribute with the Active Directory AFX Connector in RSA Identity Governance & Lifecycle

RSA Product Set: Identity Governance & Lifecycle 
RSA Version/Condition: All

 
This RSA Knowledge Base Article explains how to configure an Active Directory AFX Connector capability to update the UserAccountControl (UAC) attribute value in Active Directory.
The UserAccountControl (UAC) attribute in Active Directory contains flags that define user account properties. Each property flag has a hexadecimal and a decimal numerical equivalent. To update the UAC attribute from an Active Directory AFX connector, pass the Property Flag name to the connector in the UAC field. Do not pass the numerical values, as these will be ignored. To update multiple values, enter the Property Flags separated by commas.

Below is a chart of the UAC Property Flags taken from the Microsoft Support Knowledge Base Article entitled How to use the UserAccountControl flags to manipulate user account properties.
 

| Property Flag | Value in Hexadecimal | Value in Decimal |
|---|---|---|
| ACCOUNTDISABLE | 0x0002 | 2 |
| NORMAL_ACCOUNT | 0x0200 | 512 |
| PASSWD_NOTREQD | 0x0020 | 32 |
| PASSWD_CANT_CHANGE | 0x0040 | 64 |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 |
| PASSWORD_EXPIRED | 0x800000 | 8388608 |
| HOMEDIR_REQUIRED | 0x0008 | 8 |
| LOCKOUT | 0x0010 | 16 |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 |
| SCRIPT | 0x0001 | 1 |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 |
| SMARTCARD_REQUIRED | 0x40000 | 262144 |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 |
| NOT_DELEGATED | 0x100000 | 1048576 |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 |
| PARTIAL_SECRETS_ACCOUNT | 0x04000000 | 67108864 |



Below is an example of updating an account so a password is not required. In this example the account, Rita Book, has a UAC value defined as:
 
0x10200={NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD}

To update the account so that a password is not required, enter the PASSWD_NOTREQD property flag in the UAC field of the connector capability.

Note the new UAC value is defined as:
 
0x220={PASSWD_NOTREQD|NORMAL_ACCOUNT}
 

IMPORTANT:
Using an incorrect string or a numeric value will result in the update being ignored as if the field were left empty. There are no error or failure messages.


NOTE: If you are unable to update the PASSWD_CANT_CHANGE flag, you may need a patch. Please see RSA Knowledge Base Article 000038108 -- UserAccountControl (UAC) attribute PASSWD_CANT_CHANGE is not updated by the Active Directory AFX connector in RSA Identity Governance & Lifecycle for more information.
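
Because an incorrect string or a numeric value is ignored without any error, it helps to check the UAC field before submitting it and to decode the attribute value afterwards. The Python below is an added example, not RSA or Microsoft code: the function names are hypothetical, the flag table is copied from the chart above, and exact-match validation (case and whitespace included) is a conservative assumption about how the connector compares strings.

```python
# Added example, not RSA code. Flag names and values are copied from the chart on this page.
UAC_FLAGS = {
    "SCRIPT": 0x0001, "ACCOUNTDISABLE": 0x0002, "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010, "PASSWD_NOTREQD": 0x0020, "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080, "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200, "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}


def rejected_tokens(uac_field):
    """Return the comma-separated entries that are not exact chart names.

    Assumption: matching is exact (case and whitespace included); the page only
    says that incorrect strings and numeric values are silently ignored.
    """
    return [tok for tok in uac_field.split(",") if tok not in UAC_FLAGS]


def decode(uac_value):
    """Split a userAccountControl integer into chart flag names and leftover bits."""
    names = [name for name, bit in UAC_FLAGS.items() if uac_value & bit]
    unknown = uac_value & ~sum(UAC_FLAGS.values())
    return names, unknown


def diff(before, after):
    """Return (flags set by the change, flags cleared by the change)."""
    old, new = set(decode(before)[0]), set(decode(after)[0])
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    # Before/after values are the ones shown in the Rita Book example above.
    print(rejected_tokens("PASSWD_NOTREQD"))      # field as entered in the article
    print(rejected_tokens("32,passwd_notreqd"))   # constructed bad input
    print(decode(0x220))
    print(diff(0x10200, 0x220))
```

Run against the values in the example above, diff(0x10200, 0x220) reports PASSWD_NOTREQD as set and DONT_EXPIRE_PASSWORD as cleared, so compare the full before and after values rather than checking only the flag you entered.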

000032426
Subash Behera
1/25/2016 9:38 AM