-
Titolo
If password generation fails during a Deprovisioning, the user account is left enabled -
Descrizione
In the User Account Deprovisioning / Make account ineligible for logon policy rule within a User Deprovisioning Policy, there are the options to "Disable the user account" and "Set the user's password to a random value".
The "Set the user's password to a random value" option will leverage the resolved Password Generation script in order to generate a value.
If, for whatever reason, the value that is generated cannot be applied to the user (for example, if the script generates an 8 character password and the user is subject to an encrypted password policy that requires 20 characters), then not only will the password not be updated, but the user account will remain enabled.
Change History will show errors similar to the following:
User Account DeprovisioningPolicy Object:
7/8/2025 5:32:40 PM (UTC)-
User properties are changed.Details >>>
-
The user name is changed. Original name: ' 0259d0b8f6 '. New name: ' 0259d0b8f6 - Deprovisioned 7/8/2025 '.
-
Failed to disable the user account.Details <<<Administrative Policy returned an error. No more rows to be obatained by the search result.
-
Failed to reset the user password.Details <<<Administrative Policy returned an error. No more rows to be obatained by the search result.
-
-
Causa
This issue is being tracked as Defect ID 495921.
-
Risoluzione
WORKAROUND
Deselect the "Disable the user account" checkbox and instead set the edsaAccountIsDisabled attribute to TRUE on the Properties to be updated tab.
STATUS
Waiting for fix in a future release of Active Roles.
-
Richiesta di modifica
495921