<div dir="ltr">We have midPoint (4.4) configured more or less like the Internet2 
Grouper demo, with one group adding/removing users from a midPoint Org. 
That Org, in turn, has an inducement to our AD resource, with the idea 
being that users in the Org have an ‘active’ AD account (with UAC set to
 66048) and those removed from it are marked as inactive (UAC 514).<br><br>I have the following in my AD connector configuration:<br><br><pre>&lt;attribute id="149"&gt;
    &lt;ref&gt;ri:userAccountControl&lt;/ref&gt;
    &lt;outbound&gt;
        &lt;strength&gt;strong&lt;/strength&gt;
        &lt;expression&gt;
            &lt;script&gt;
                &lt;code&gt;
                    if (assigned) {
                        return '66048'
                    } else {
                        return '514'
                    }
                &lt;/code&gt;
            &lt;/script&gt;
        &lt;/expression&gt;
    &lt;/outbound&gt;
&lt;/attribute&gt;</pre><br>And
 when I reconcile a user that should get their value changed from one to
 the other, the preview indicates it should change it to the correct 
value, and continuing the operation indicates it ran successfully, but 
then re-checking the user’s AD shadow shows the UAC did not change at 
all.<br><br><div>I’ve tried various iterations of setting up 
and removing &lt;activation&gt;, both settings of rawuseraccountcontrol (currently 
set as true), and any other options I could think of. UAC doesn’t seem 
to change with anything I try. <br></div><div><br></div><div>Any ideas?</div><br>For what it’s worth, my current activation settings on the resource are:<br><br><pre>&lt;activation&gt;
    &lt;existence&gt;
        &lt;outbound id="166"&gt;
            &lt;expression&gt;
                &lt;path&gt;$focusExists&lt;/path&gt;
            &lt;/expression&gt;
        &lt;/outbound&gt;
    &lt;/existence&gt;
    &lt;administrativeStatus&gt;
        &lt;outbound id="167"&gt;
            &lt;expression&gt;
                &lt;script&gt;
                    &lt;code&gt;
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;

                        if (assigned) {
                            input;
                        } else {
                            ActivationStatusType.DISABLED;
                        }
                    &lt;/code&gt;
                &lt;/script&gt;
            &lt;/expression&gt;
        &lt;/outbound&gt;
    &lt;/administrativeStatus&gt;
&lt;/activation&gt;</pre><br><div>I’ve
 also tried enabling Functional Tracing on the reconcile operation to 
see if that might yield some additional information, but the trace files
 are nowhere to be found in $MIDPOINT_HOME/var/trace/ or in the reports 
section of the UI - did I miss a step in setting it up?</div><div><br></div><div>Sam<br></div></div>