
AD synchronization - useraccountcontrol
0

Hello,


I am trying to synchronize BPS users with AD, and everything seems to be properly configured - the data is read, but the synchronization fails and each entry shows an error like the one below (of course there is valid data under these xxxxx):

Record (distinguishedName: CN=xxxxxxxx,OU=Users,OU=xxx,DC=xx,DC=xx,DC=xx, displayName: Lastame, Firstname, adsPath: LDAP://CN=xxxxxx,OU=Users,OU=xxx,DC=de,DC=xx,DC=xx) doesn't contain property useraccountcontrol

Our AD does not populate this property for users.
Why is it checked? This field is not indicated as mandatory in the doc...? Is it possible to reconfigure this?

MVP

Hi Essi,

I'm not aware of any such setting, and I had the same problem in the past. The property didn't exist / wasn't set for some accounts. At least it looked this way, but in truth it turned out to be some permission problem which we weren't able to resolve.

The only "solution" was that, for some reason, using an account of a Domain Administrator for the synchronization didn't cause the errors.

Here's a similar case:
https://serverfault.com/questions/788043/is-there-any-case-when-the-useraccountcontrol-attribute-is-blank


Best regards,
Daniel

WEBCON

Essi, AD property: useraccountcontrol is mandatory for WEBCON BPS AD synchronization (starting from version 2019 of WEBCON BPS).

Do not use a Domain Admin account for synchronization (or any other services); this is not a good idea from a security point of view.

The best way is to create a dedicated domain account with full READ ONLY rights in Active Directory. (Every AD has the property userAccountControl - it contains info about the user account status: enabled/disabled.)

The article about mandatory properties will be updated ASAP.

MVP
In reply to: Agnieszka Adamska

Thank you very much for your help - our corporate policy does not let us use domain admin for these types of tasks anyway, so we'll verify accessing this value with our corporate administrators (when I check in ADSIEdit, it shows a null value for this property which, I believe, indicates some lack of authorization...?)

Hi Agnieszka,

Yes, you are right. This property always has a value. If you don't see one, you don't have permissions. You could test whether ADSIEdit is executed with Admin privileges, which could make a difference.

One remark regarding the Domain Administrator:
In our case, or rather the responsible persons at the customer site, were not able to grant an account the required privileges. In addition, the property was retrieved for some users and not for others, although they were in the same OU. Therefore we mentioned that, if he's not able to grant the privileges, we could fall back on the Domain Administrator for the synchronization and that he would enter the password.


I cross my fingers that you are able to resolve this. :)

Best regards,
Daniel
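One way to verify the point Agnieszka and Daniel make above (userAccountControl always exists on a user object, so a null value means the reading account lacks permission) is to bind as the dedicated read-only sync account and list which users come back without the attribute. This is an added example, not code from WEBCON or from anyone in the thread; the LDAP path and account name are placeholders you must replace.

```powershell
# Added example (not from the thread). Binds to AD with the credentials you
# enter, which should be the dedicated read-only sync account so that a null
# userAccountControl reflects THAT account's permissions, not your own.
$ldapPath = 'LDAP://DC=example,DC=local'   # placeholder: your search base

$cred = Get-Credential -Message 'Dedicated read-only sync account'
$root = New-Object System.DirectoryServices.DirectoryEntry(
    $ldapPath, $cred.UserName, $cred.GetNetworkCredential().Password)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'userAccountControl'))

$ACCOUNTDISABLE = 0x2   # userAccountControl bit meaning "account is disabled"

$results = foreach ($r in $searcher.FindAll()) {
    # Property names in the result collection are lower-case.
    $dn  = $r.Properties['distinguishedname'] | Select-Object -First 1
    $uac = $r.Properties['useraccountcontrol'] | Select-Object -First 1
    if ($null -eq $uac) {
        # The attribute is always present on a user object, so "missing" here
        # almost certainly means this account may not read it (permissions).
        [pscustomobject]@{ DN = $dn; Status = 'NOT READABLE (check permissions)' }
    } else {
        $state = if ($uac -band $ACCOUNTDISABLE) { 'disabled' } else { 'enabled' }
        [pscustomobject]@{ DN = $dn; Status = "$state (userAccountControl=$uac)" }
    }
}

$results | Format-Table -AutoSize
$unreadable = @($results | Where-Object { $_.Status -like 'NOT READABLE*' }).Count
"Users without readable userAccountControl: $unreadable of $($results.Count)"
$root.Dispose()
```

Any user listed as NOT READABLE is one the sync account needs read access to (the attribute is readable by default, so compare the ACLs of those objects with ones that work).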