Just interested to hear thoughts on a problem I've encountered recently.
FIM portal is set up to allow IT Staff full access to the portal and HR Staff access to create and modify users. Users are created in the portal and then accounts provisioned to AD; when AD accounts are first created, userAccountControl is set to 514 and a boolean in the portal called "Disabled" is set to true. The user then comes to IT for an induction and password, the account is enabled in AD and the disabled checkbox in the portal is unticked by IT staff.
HR are able to tick the disabled checkbox at any time to re-disable the user's account, but HR may not untick that checkbox and re-enable the account. To achieve this I currently use the custom expression "IIF(Disabled, 514, Null()) => userAccountControl" in an outbound AD sync rule. Then to unlock, IT staff have to enable in AD and untick the checkbox. The solution is messy and I've never been completely satisfied with it; it's always been a little buggy (checkbox not updating when disabled in AD etc.) and I've now noticed it is simply not working on some accounts.
Hope all that made sense... Can anyone suggest a better solution to this?
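Added illustration, not code from the post above or from FIM itself: it models the userAccountControl bits the quoted expression writes (514 = NORMAL_ACCOUNT | ACCOUNTDISABLE) using hypothetical helper names, and shows why a constant-or-Null flow cannot keep the portal checkbox and AD in step while a bit-level flow can.

```python
# Added example (not from the original post or FIM): models the AD
# userAccountControl (UAC) bits touched by the flow described above.
# 514 = 0x200 (NORMAL_ACCOUNT) | 0x2 (ACCOUNTDISABLE). Exporting the
# constant 514 overwrites every other flag already set on the account;
# flipping only the ACCOUNTDISABLE bit preserves them.

NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000  # one of the flags a constant export clobbers


def constant_flow(current_uac: int, disabled: bool):
    """Mirrors the post's expression IIF(Disabled, 514, Null()).
    Returns None to stand in for Null(), i.e. nothing is exported."""
    return NORMAL_ACCOUNT | ACCOUNTDISABLE if disabled else None


def bitwise_flow(current_uac: int, disabled: bool) -> int:
    """Hypothetical alternative: set or clear only ACCOUNTDISABLE,
    leaving the account's other UAC flags untouched."""
    if disabled:
        return current_uac | ACCOUNTDISABLE
    return current_uac & ~ACCOUNTDISABLE


def is_disabled(uac: int) -> bool:
    """Inbound direction: derive the portal 'Disabled' state from AD."""
    return bool(uac & ACCOUNTDISABLE)


def round_trip_consistent(current_uac: int, disabled: bool, flow) -> bool:
    """True when the value AD ends up holding (after the outbound flow
    runs, or is skipped for Null) reads back as the portal's state."""
    exported = flow(current_uac, disabled)
    effective = current_uac if exported is None else exported
    return is_disabled(effective) == disabled
```

With the constant flow, unticking the checkbox on an account AD still holds as 514 exports nothing, so AD stays disabled and the two sides drift apart; that is the state IT has to repair by enabling in AD by hand.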