Default Provisioning Attributes Reference

This page details the default provisioning attributes for your connector.

Account Creation

Note

For an account that has been moved or renamed in Active Directory since last aggregation, ensure that the change is aggregated before performing any provisioning operation on the account.

Account Attribute	Description
ObjectType	The type of account to be created. The default is User. For users, the object type must be User. For contacts, the object type must be Contact. For group managed service accounts, the object type must be msDS-GroupManagedServiceAccount. For managed service accounts, the object type must be msDS-ManagedServiceAccount.
distinguishedName	Distinguished name of the new account.
sAMAccountName	sAMAccountName of the new account.
manager	Manager for the new account.
mail	Email address of the new account.
password	Password for the new account.
givenName	First name associated with the account.
sn	Last name associated with the account.
pwdLastSet	This attribute can only be set as `true` or `false`. When set to `true`, the `pwdLastSet` attribute value is set to `0` and it selects the User must change password on logon checkbox for the Active Directory user object's account in ADUC. When set to `false`, the `pwdLastSet` attribute value is set to `-1` and sets this attribute to the current time, and it deselects the User must change password on logon checkbox. The default Static Value is false.
IIQ Disabled	This attribute can only be set as `true` or `false`. Set to `true` to create a disabled user.
primaryGroupDN	Default group of the new account.
description	Description of the new account.
telephoneNumber	Telephone number of the new account. The default Attribute is Alternate Phone Number (phone).

Special Provisioning Attributes for Move/Rename Request

Attribute	Description
AC_NewName	A string attribute to rename the user. For example, CN=abc
AC_NewParent	A string attribute to move the user to new OU. For example, OU=xyz,DC=pqr,DC=com

The AC_NewName and AC_NewParent are special attributes to handle the move and rename operations and can be sent in Attributes Map and AccountRequest instead of AttributeRequest.

For example:

Copy

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan>
   <AccountRequest application="AD App" nativeIdentity="CN=SampleUser,CN=Users,DC=Example,DC=Com" op="Disable">
    <Attributes>
     <Map>
         <entry key="AC_NewParent" value="OU=DsiabledUsers,DC=Example,DC=Com"/>
     </Map>
    </Attributes>
   </AccountRequest>
</ProvisioningPlan>

Exchange Mailbox Attributes

Note the following when working with mailbox attributes:

If you send an email address in the mail attribute, the exchange may not use it, if the E-mail Policy in the exchange is set to create it differently. The email address is not taken and sent back to Active Directory after it is created, based on the policy.
For the Active Directory source, the mailNickname, homeMBD, and msExchHideFromAddressLists attributes are case insensitive when processed by the IQService.
The Active Directory source sets the MS-Exchange attributes - homeMDB and mailNickname as AD attributes, if MS-Exchange is not enabled.

The following are additional attributes required to create a mailbox:

Attribute	Description
homeMDB	The exchange mailbox store domain name required to create a mailbox. For example: `SomeExchangeDB`. The `homeMDB` attribute is in the format of `SomeExchangeDB', not 'CN=SomeExchangeDB`.
mailNickname	The exchange alias that you can use to update or disable the mailbox. For example: `firstname.lastname`
msExchHideFromAddressList	The attribute to hide from the Exchange address lists.
externalEmailAddress	The external email address, required for mail contact creation.

Updating Exchange Mailbox Attributes

The Active Directory connector supports updating any Exchange mailbox attributes supported by set-mailbox cmdlet, using the following methods:

Add the attribute in the provisioning policy with Exch_ as a prefix. For example, to set the HiddenFromAddressListsEnabled exchange attribute, add the attribute name as Exch_HiddenFromAddressListsEnabled in the provisioning policy.
Alternatively, this can be done by editing the application xml file by adding an application attribute named exchangeAttributes of string type with a comma separated name of the Exchange attributes added in provisioning policy.

For example, for the HiddenFromAddressListsEnabled attribute, add the following to the debug page:

<entry key="exchangeAttributes" value="HiddenFromAddressListsEnabled, UseDatabaseQuotaDefaults"/>

Attributes for Skype for Business

The msRTCSIP-UserEnabled attribute must be updated as part of the Create Profile section.

By default, provisioning of the following attributes is supported:

Attribute	Description
SipAddress	This attribute contains the SIP address of a given user.
SipDomain	This attribute contains the SIP domain of a given user.
SipAddressType	This attribute contains the SIP address type of a given user. Skype for Business Server generates a SIP address for the new user when SipAddressType is provided in combination with SipDomain.
Registrar Pool	This attribute contains the Registrar pool of a given user.
msRTCSIP-UserEnabled	This attribute indicates whether the user is currently enabled for Microsoft Lync\Skype for Business Server.

Schema and Provisioning Attributes of Group Managed Service Accounts (gMSA) Object

For the provisioning of the following gMSA attributes, you must add them manually for the existing sources. By default, they are available for new sources.

Account Attribute	Description
dNSHostName	The DNS host name of the service account. This attribute is mandatory for gMSA provisioning.
msDS-SupportedEncryptionTypes	The supported encryption types for the service account. This is a multi-valued attribute.
msDS-ManagedPasswordInterval	The number of the days for the password change interval.
msDS-GroupMSAMembership	The principals that are allowed to retrieve Managed Password of this Group-Managed Service Account. This is a multi-valued attribute.
msDS-AllowedToActOnBehalfOf OtherIdentity	The accounts that can act on the behalf of this Group Managed Service Account. This is a multi-valued attribute.
servicePrincipalName	The service principal names for the service account. This is a multi-valued attribute.

Provisioning Attributes for Contacts

Add the displayAttributeForContacts attribute as additional parameter for Contacts. CN is used as the default value for display name of Contact objects. The Display attribute can be set using the connector_displayAttributeForContact config attribute.

Provisioning Attribute for Resource Forest Topology Exchange Management

The following String-type attribute required for creating Linked Mailbox, is available by default, for the new sources. For existing sources, add manually in the Create Profile section.

Account Attribute	Description
shadowAccountDN	Distinguished Name of the Linked Mailbox Shadow Account to be created. It is required for creating new Linked Mailbox.

Provisioning Attributes for Terminal Services

Account Attribute	Description
TS_TerminalServicesProfilePath	The roaming or mandatory profile path to be used when the user logs on to the RD Session Host server.
TS_TerminalServicesHomeDrive	The root drive for the user.
TS_TerminalServicesHomeDirectory	The root directory for the user.
TS_TerminalServicesInitialProgram	The path and file name of the application that the user wants to start automatically when the user logs on to the RD Session Host server.
TS_TerminalServicesWorkDirectory	The working directory path for the user.
TS_EnableRemoteControl	A value that specifies whether to allow remote observation or remote control of the user's Remote Desktop Services session.
TS_AllowLogon	A value that specifies whether the user is allowed to log on to the RD Session Host server.
TS_BrokenConnectionAction	A value that specifies the action to be taken when a Remote Desktop Services session limit is reached.
TS_ReconnectionAction	A value that specifies if reconnection to a disconnected Remote Desktop Services session is allowed.
TS_ConnectClientDrivesAtLogon	A value that specifies if mapped client drives should be reconnected when a Remote Desktop Services session is started.
TS_ConnectClientPrintersAtLogon	A value that specifies whether to reconnect to mapped client printers at logon. The value is one if reconnection is enabled, and zero if reconnection is disabled.
TS_DefaultToMainPrinter	A value that specifies whether to print automatically to the client's default printer. The value is one if printing to the client's default printer is enabled, and zero if it is disabled.
TS_MaxConnectionTimeout	The maximum duration of the Remote Desktop Services session, in minutes. After the specified number of minutes have elapsed, the session can be disconnected or terminated.
TS_MaxDisconnectionTime	The maximum amount of time, in minutes, that a disconnected Remote Desktop Services session remains active on the RD Session Host server. After the specified number of minutes have elapsed, the session is terminated.
TS_MaxIdleTime	The maximum amount of time that the Remote Desktop Services session can remain idle, in minutes. After the specified number of minutes has elapsed, the session can be disconnected or terminated.

Individual Attribute Notes

accountExpires Attribute

For the Active Directory source, the accountExpires attribute must be defined as a string. The value of the accountExpires attribute can be set in the Microsoft defined timestamp that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC).

The value can also be entered in a human readable format: MM/DD/YYYY HH:MM:SS AM TimeZone. For example, 05/11/2019 12:00:00 AM IST. A value of 0, never, or 9223372036854775807 indicates that the account never expires.

The value of the accountExpires attribute is displayed in the MM/DD/YYYY hh:mm:ss aa Z format. For example, if previously the time of account expiry was displayed as 5/14/2019 12:0:0 AM IST, it will now be displayed as 05/14/2019 12:00:00 AM IST.

'Never' as a Value of accountExpires Attribute

The Active Directory source supports never as a value of the accountExpires attribute in provisioning, when the timeZone attribute is present in the source configuration.

Note
SailPoint recommends that the accountExpires attribute must be defined as a string. However, the Active Directory source accepts an integer value for the accountExpires attribute in account provisioning if it is not a string.

Rollback of Created Account

The Active Directory source supports rollback of created account in case provisioning of one or more requested attributes fails during the provisioning operation. Set the rollbackCreatedAccountOnError attribute to True.

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.


	You are here:

Default Provisioning Attributes Reference

Updating Exchange Mailbox Attributes

accountExpires Attribute

'Never' as a Value of accountExpires Attribute

Rollback of Created Account

Documentation Feedback