
Managing Active Directory Account Options with SailPoint
Date Posted: 14 Apr 2025
Category: Security
Managing Active Directory Account Options Efficiently with SailPoint
SailPoint AD Integration: Account Option Management
This document outlines the process for configuring specific account options in Active Directory (AD) during new account creation. The requirement is to enable three key settings for user accounts: Password Never Expires, Smart Card Logon, and Normal Account. These options are managed using the userAccountControl attribute in AD by assigning a calculated value that combines the necessary flag values. This guide provides a step-by-step solution for achieving this configuration in SailPoint and ensuring proper verification of the applied changes.

Requirement
Whenever a user account is created in AD, the account flags must be set as Normal Account, Password Never Expires, and Smart Card Logon. The userAccountControl attribute must be assigned the respective property flags/decimal values.
Steps
To configure the desired attributes and enable these account options, follow these steps:
1. Understand userAccountControl Values.
Each account option corresponds to a specific flag value:
Normal Account: 512
Password Never Expires: 65536
Smart Card Logon: 262144
The combined value for these settings is 328192 (512 + 65536 + 262144).
2. Configuration in SailPoint:
· Add the userAccountControl attribute to the account schema.
· Include the userAccountControl attribute on the "Create Account" page.
· Set the mapping option as static, assigning the combined flag value of 328192.


Verification
Step 1: Install AD Explorer to read the users' attributes and data.
Step 2: Ensure the domain name is the same on both the local system and AD.
· On the local system (About my PC)
· In AD (SailPoint configuration DC=xxx, DC=xxx)
Step 3: Once verified, you can read the data inside AD.
Step 4: Verification is complete.
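The check in the verification steps can be made explicit by decoding the userAccountControl value read from AD into flag names and comparing it with the mapped value 328192. The following is an added example, not part of the original post or of SailPoint; the function names and the sample readings are assumptions made for illustration.

```python
# Added example: decode a userAccountControl value and compare it with the
# static value this guide maps in SailPoint. Sample values are constructed.

# Bit values as documented by Microsoft for the userAccountControl attribute.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
}
KNOWN_MASK = sum(UAC_FLAGS)                   # every bit named above
REQUIRED = 0x200 | 0x10000 | 0x40000          # 512 + 65536 + 262144 = 328192


def decode(value):
    """Return the names of the flags set in value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:X})")
    return names


def check(value):
    """Compare a value read from AD with the required flag set."""
    value = int(value)                        # viewers often show it as text
    missing = decode(REQUIRED & ~value)       # required bits that are absent
    extra = decode(value & ~REQUIRED)         # bits set beyond the mapping
    return {"ok": value == REQUIRED, "missing": missing, "extra": extra}


if __name__ == "__main__":
    # Constructed readings: as mapped, disabled account, smart card bit lost.
    for sample in ("328192", 328194, 66048):
        print(sample, decode(int(sample)), check(sample))
```

A reading that differs from 328192 is reported by flag name, so a disabled account or a dropped Smart Card Logon bit is visible at a glance rather than as an unexplained number.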
Conclusion
By assigning the combined flag value of 328192 to the userAccountControl attribute, the Password Never Expires and Smart Card Logon options are enabled during account creation. Verification using tools like AD Explorer ensures that the configuration is applied correctly. This approach simplifies the management of account options in AD and ensures seamless integration with SailPoint. Future updates can use the same attribute mapping for consistent results.
Stay tuned to our blog to see more posts about SailPoint product implementation and related updates.