Default Provisioning Attributes Reference

This page details the default provisioning attributes for your connector.

Account Creation

Note

For an account that has been moved or renamed in Active Directory since last aggregation, ensure that the change is aggregated before performing any provisioning operation on the account.
The Active Directory source no longer connects to Read Only Domain Controllers (RODC) for provisioning operations using serverless binding.

The following generators create required information for a new Active Directory account. You may need to edit the contents.

Account Attribute	Mapping Type	Description
ObjectType	Static	The type of account to be created. The default is User. For users, the object type must be User. For contacts, the object type must be Contact. For group managed service accounts, the object type must be msDS-GroupManagedServiceAccount. For managed service accounts, the object type must be msDS-ManagedServiceAccount.
distinguishedName	Generator	The default Generator is Create Unique Account ID. This generator uses the value in the Pattern Used field to generate a unique DN for the new account. Note You must change the OU in the Pattern Used field in the distinguishedName attribute
sAMAccountName	Generator	The default Generator is Create Unique LDAP Attribute. This generator uses the value in the Pattern Used field to generate the sAMAccountName for the Active Directory account.
displayName	Identity Attribute	Display name of the new account. The default Attribute is Display Name (displayName).
manager	Generator	Manager for the new account. The default Generator is Get Manager LDAP DN.
mail	Identity Attribute	Email address of the new account. The default Attribute is Work Email (email)
password	Generator	The default Generator is Create Password. This generator creates an initial password for the new account that matches the password policy assigned to the associated Active Directory source in Identity Security Cloud.
givenName	Identity Attribute	First name associated with the account. The default Attribute is First Name (firstname).
sn	Identity Attribute	Last name associated with the account. The default Attribute is Last Name (lastname).
pwdLastSet	Static	This attribute can only be set as `true` or `false`. When set to `true`, the `pwdLastSet` attribute value is set to `0` and it selects the User must change password on logon checkbox for the Active Directory user object's account in ADUC. When set to `false`, the `pwdLastSet` attribute value is set to `-1` and sets this attribute to the current time, and it deselects the User must change password on logon checkbox. The default Static Value is false.
primaryGroupDN	Static	Default group of the new account.
description	Static	Description of the new account.
telephoneNumber	Identity Attribute	Telephone number of the new account. The default Attribute is Alternate Phone Number (phone).
userPrincipalName	Disabled	The unique name of the entity within the domain, in the format "name@domain".
title	Disabled	The title associated with the entity.
department	Disabled	User's department.
employeeID	Disabled	Numerically identifies an employee within an organization.
company	Disabled	Company name of an employee.

Special Provisioning Attributes for Move/Rename Request

Attribute	Description
AC_NewName	A string attribute to rename the user. For example, CN=abc
AC_NewParent	A string attribute to move the user to new OU. For example, OU=xyz,DC=pqr,DC=com

The AC_NewName and AC_NewParent are special attributes to handle the move and rename operations and can be sent in Attributes Map and AccountRequest instead of AttributeRequest.

For example:

Copy

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan>
   <AccountRequest application="AD App" nativeIdentity="CN=SampleUser,CN=Users,DC=Example,DC=Com" op="Disable">
    <Attributes>
     <Map>
         <entry key="AC_NewParent" value="OU=DsiabledUsers,DC=Example,DC=Com"/>
     </Map>
    </Attributes>
   </AccountRequest>
</ProvisioningPlan>

Exchange Mailbox Attributes

Note the following when working with mailbox attributes:

If you send an email address in the mail attribute, the exchange may not use it, if the E-mail Policy in the exchange is set to create it differently. The email address is not taken and sent back to Active Directory after it is created, based on the policy.
For the Active Directory source, the mailNickname, homeMBD, and msExchHideFromAddressLists attributes are case insensitive when processed by the IQService.
The Active Directory source sets the MS-Exchange attributes - homeMDB and mailNickname as AD attributes, if MS-Exchange is not enabled.

The following are additional attributes required to create a mailbox:

Attribute	Mapping Type	Description
homeMDB	Disable	The exchange mailbox store domain name required to create a mailbox. For example: `SomeExchangeDB`. The `homeMDB` attribute is in the format of `SomeExchangeDB', not 'CN=SomeExchangeDB`.
mailNickname	Disable	The exchange alias that you can use to update or disable the mailbox. For example: `firstname.lastname`
msExchHideFromAddressList	Disable	The attribute to hide from the Exchange address lists.
externalEmailAddress	Disable	The external email address, required for mail contact creation.

Updating Exchange Mailbox Attributes

The Active Directory connector supports updating any Exchange mailbox attributes supported by set-mailbox cmdlet, using the following methods:

Add the attribute in the provisioning policy with Exch_ as a prefix. For example, to set the HiddenFromAddressListsEnabled exchange attribute, add the attribute name as Exch_HiddenFromAddressListsEnabled in the provisioning policy.
Provide a comma separated list of exchange attributes for exchangeAttributes. For example, for the HiddenFromAddressListsEnabled provisioning policy attribute, use the Identity Security Cloud REST API. Set up the exchangeAttributes attribute with a value such as HiddenFromAddressListsEnabled.

Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

Attributes for Skype for Business

The msRTCSIP-UserEnabled attribute must be updated as part of the Create Profile section.

By default, provisioning of the following attributes is supported:

Attribute	Description
SipAddress	This attribute contains the SIP address of a given user.
SipDomain	This attribute contains the SIP domain of a given user.
SipAddressType	This attribute contains the SIP address type of a given user. Skype for Business Server generates a SIP address for the new user when SipAddressType is provided in combination with SipDomain.
Registrar Pool	This attribute contains the Registrar pool of a given user.
msRTCSIP-UserEnabled	This attribute indicates whether the user is currently enabled for Microsoft Lync\Skype for Business Server.

Schema and Provisioning Attributes of Group Managed Service Accounts (gMSA) Object

For the provisioning of the following gMSA attributes, you must add them manually for the existing sources. By default, they are available for new sources.

Account Attribute	Mapping Type	Description
dNSHostName	Disable	The DNS host name of the service account. This attribute is mandatory for gMSA provisioning.
msDS-SupportedEncryptionTypes	Disable	The supported encryption types for the service account. This is a multi-valued attribute.
msDS-ManagedPasswordInterval	Disable	The number of the days for the password change interval.
msDS-GroupMSAMembership	Disable	The principals that are allowed to retrieve Managed Password of this Group-Managed Service Account. This is a multi-valued attribute.
msDS-AllowedToActOnBehalfOf OtherIdentity	Disable	The accounts that can act on the behalf of this Group Managed Service Account. This is a multi-valued attribute.
servicePrincipalName	Disable	The service principal names for the service account. This is a multi-valued attribute.

Provisioning Attribute for Resource Forest Topology Exchange Management

The following String-type attribute required for creating Linked Mailbox, is available by default, for the new sources. For existing sources, add manually in the Create Profile section.

Account Attribute	Mapping Type	Description
shadowAccountDN	Disable	Distinguished Name of the Linked Mailbox Shadow Account to be created. It is required for creating new Linked Mailbox.

Individual Attribute Notes

accountExpires Attribute

For the Active Directory source, the accountExpires attribute must be defined as a string. The value of the accountExpires attribute can be set in the Microsoft defined timestamp that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC).

The value can also be entered in a human readable format: MM/DD/YYYY HH:MM:SS AM TimeZone. For example, 05/11/2019 12:00:00 AM IST. A value of 0, never, or 9223372036854775807 indicates that the account never expires.

The value of the accountExpires attribute is displayed in the MM/DD/YYYY hh:mm:ss aa Z format. For example, if previously the time of account expiry was displayed as 5/14/2019 12:0:0 AM IST, it will now be displayed as 05/14/2019 12:00:00 AM IST.

'Never' as a Value of accountExpires Attribute

The Active Directory source supports never as a value of the accountExpires attribute in provisioning, when the timeZone attribute is present in the source configuration.

Note
SailPoint recommends that the accountExpires attribute must be defined as a string. However, the Active Directory source accepts an integer value for the accountExpires attribute in account provisioning if it is not a string.

timeZone Attribute

The Active directory source supports the timeZone attribute.

The timeZone attribute defines a time zone that you want to provision accounts in or change in the default setting of the accountExpires attribute and display.

The timeZone attribute accepts values in the string format.

Valid values are:

epoch - use if you want to provision and see the accountExpires attribute in Active Directory epoch format.
Continent/City - this format is similar to standard format that Java supports. For example, if you want to provision accounts and see the accountExpires attribute in Indian Standard Time then timeZone must be set as Asia/Kolkata.

Rollback of Created Account

The Active Directory source supports rollback of created account in case provisioning of one or more requested attributes fails during the provisioning operation. Set the rollbackCreatedAccountOnError attribute to True.

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.