You may be given a list of users that need to be either enabled or disabled in Active Directory. This list might be in SharePoint, it might come from your HR system, or it might be a document. To enable and disable users in AD using Data Sync, connect to this list as your source and to the Active Directory OU where your users are located as your target.
Disabling accounts requires the ACCOUNTDISABLE flag on the UserAccountControl attribute to be set, which for a normal account gives a value of 0x0202 (in hexadecimal) or 514 (in decimal), as described by Microsoft.
We need to look up the current value of UserAccountControl to see whether the account is currently enabled or disabled, and then set it accordingly.
Warning: Testing is a great way to make sure you know what is happening.
Please try this on test data before trying on your production OU. You do not want to disable all accounts by mistake!
Depending on the version of Data Sync you are running, you may need to add UserAccountControl to the properties collection. You can read more on how to do this here.
Once you have connected to your source and to AD as your target, you need to create a Calculated Column (in this example we've called it Fx_UserAccountControl) of type Int32 which will get the value for UserAccountControl from your AD.
LOOKUPB("UserAccountControl", "", WHEN("Logon Name", LogonName))
The WHEN statement of the lookup should match your project configuration for the Key Column and may be different to our example.
You need to use your linking column within the WHEN clause to link the two sources. We use LogonName in this example; alternatively, you could use another column that is unique, such as EmployeeID.
Please see our page on Lookups in AD for more guidance.
If your lookup is not returning results it may be that either the user does not exist in your AD or the column names are not correct.
The next step is to set the enabled status of the user.
We do this by creating another Calculated Column (Fx_IsEnabled) of type Int32, which returns the modified value for UserAccountControl, computed from Fx_UserAccountControl (the calculated column you just made), based on whether the account is enabled.
This expression assumes your source bool value is called Enabled; you might need to change this to match your column name.
IF(Enabled, Fx_UserAccountControl & ~0x02, Fx_UserAccountControl | 0x02)
Now map your Fx_IsEnabled column to UserAccountControl on the target.
You can now run the comparison and synchronise the results. Make sure to test a few first as you do not want to disable all accounts in your AD.
If you are adding accounts to AD you need to make a few changes to handle the additions. As the account does not exist yet there is no value for the
To get around this we need to set a default value for UserAccountControl, for example 512, which is the value for enabled.
You can do this by changing the Fx_UserAccountControl lookup to contain an IF statement to return this default value when no value exists.
IF(ISNULL(LOOKUPB("UserAccountControl", "", WHEN("Logon Name", LogonName))), 512, LOOKUPB("UserAccountControl", "", WHEN("Logon Name", LogonName)))
You will also need to set
True on the target properties to add your new users.
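Before synchronising, it helps to see what the two calculated columns will produce for each row. The following Python dry-run is an added example, not part of Data Sync or the original page. It mirrors the Fx_UserAccountControl and Fx_IsEnabled expressions over constructed sample data and refuses to continue if too many accounts would be disabled. The function names and the max_disable_ratio threshold are assumptions made for illustration.

```python
# Added example: dry-run of the Fx_UserAccountControl / Fx_IsEnabled logic.
ACCOUNTDISABLE = 0x02   # bit toggled by the Fx_IsEnabled expression
DEFAULT_NEW = 512       # default used when the lookup returns no value

def fx_user_account_control(current):
    """Mirror of the lookup with the ISNULL default for accounts not yet in AD."""
    return DEFAULT_NEW if current is None else current

def fx_is_enabled(enabled, uac):
    """Clear the disable bit when enabled, set it otherwise; other bits untouched."""
    return uac & ~ACCOUNTDISABLE if enabled else uac | ACCOUNTDISABLE

def plan(source_rows, ad_values, max_disable_ratio=0.25):
    """Return (changes, disable_count); raise if too many accounts would be disabled.

    source_rows: iterable of (logon_name, enabled) from the source list.
    ad_values:   dict logon_name -> current UserAccountControl (missing = new user).
    max_disable_ratio is a hypothetical safety threshold, not a Data Sync setting.
    """
    changes, disables = [], 0
    rows = list(source_rows)
    for logon, enabled in rows:
        current = ad_values.get(logon)
        new = fx_is_enabled(enabled, fx_user_account_control(current))
        if current is None:
            action = "add"
        elif new == current:
            action = "unchanged"
        elif new & ACCOUNTDISABLE:
            action = "disable"
            disables += 1
        else:
            action = "enable"
        changes.append((logon, action, current, new))
    if rows and disables / len(rows) > max_disable_ratio:
        raise RuntimeError(f"{disables} of {len(rows)} accounts would be disabled")
    return changes, disables

# Constructed sample data (not from a real directory).
# 66048 is 512 plus one further flag bit (0x10000), which must survive the update.
SOURCE = [("alice", True), ("bob", False), ("carol", False), ("dave", True), ("erin", False)]
AD = {"alice": 514, "bob": 66048, "carol": 514, "dave": 512}  # erin is new

if __name__ == "__main__":
    for row in plan(SOURCE, AD)[0]:
        print(row)
```

A new account marked as not enabled in the source ends up with 514, because the default 512 is passed through the same Fx_IsEnabled expression.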