On Wed, 30 May 2012 16:26:01 +0000, ccandotti wrote:

> I'm trying to unlock AD accounts with IDM. I create a policy and put it
> in the AD Driver set.

Problem #1 - You can't add userAccountControl. The attribute is already
present, so "adding" it makes no technical sense.

Problem #2 - You can't write to all bits of userAccountControl. Some of
them are DC write-only, and are read-only to the application layer (where
you're at).

Solution to both: For manipulating userAccountControl, you should use the
pseudo attributes that the IDM driver for MAD makes available, so you
don't have to mess with figuring out the bitfield values and dealing with
the read-only bits. See, for example, dirxml-uACAccountDisable in the

Also, which sort of "unlock" are you attempting here?

Some documentation on the userAccountControl bitmap:



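As an added illustration of the two problems above (not part of the original thread, and not IDM policy code): userAccountControl is a bitfield, some of whose bits the DC computes itself and silently refuses on an LDAP write, so a policy that wants to "unlock" should write lockoutTime=0 and only touch the writable ACCOUNTDISABLE bit. The flag names and values are the standard Microsoft ones; the sample value 0x10212 is constructed.

```python
"""Decode Active Directory userAccountControl and plan a safe modification."""

# Standard userAccountControl flag bits (subset).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}

# Bits the DC derives itself (from lockout state, the object's ACL, pwdLastSet);
# an LDAP write to userAccountControl cannot set or clear them.
DC_ONLY_BITS = {0x0010: "LOCKOUT", 0x0040: "PASSWD_CANT_CHANGE", 0x800000: "PASSWORD_EXPIRED"}


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def plan_uac_modify(current: int, set_bits: int = 0, clear_bits: int = 0) -> int:
    """Return the value to write back, refusing to touch DC-computed bits."""
    blocked = (set_bits | clear_bits) & sum(DC_ONLY_BITS)
    if blocked:
        names = [n for b, n in DC_ONLY_BITS.items() if blocked & b]
        raise ValueError(f"bits not writable via LDAP: {names}")
    return (current | set_bits) & ~clear_bits


def plan_unlock_and_enable(current_uac: int, locked_out: bool) -> dict:
    """Attribute modifications for an 'unlock': lockoutTime=0 clears the DC's
    LOCKOUT state; ACCOUNTDISABLE is the bit the driver's pseudo attribute maps to."""
    mods = {}
    if locked_out:
        mods["lockoutTime"] = 0
    if current_uac & 0x0002:
        mods["userAccountControl"] = plan_uac_modify(current_uac, clear_bits=0x0002)
    return mods


if __name__ == "__main__":
    sample = 0x10212  # constructed: NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD|LOCKOUT|ACCOUNTDISABLE
    print(decode_uac(sample), plan_unlock_and_enable(sample, locked_out=True))
```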