DISABLED value is always changed to "0" if an administrator enables a disabled user.



Article ID: 200715


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

I tried the enable/disable user task.

The user disable state value was "16777217" (the user is disabled and password must change = True).

After I enabled the user, the disable state value is changed to "0" (the user is enabled and password must change = False).

Could you please confirm that the default "enable user" task in IDM version 14.3 works like this?

Environment

Identity Manager

Resolution

If an administrator enables a disabled user, the TBLUSERS.DISABLED value is always changed to "0" by design.

If you need to enable the "Password Must Change" status (16777216), enable the user first, then enable the "Password Must Change" option.

Additional Information

There is no mechanism in IDM that continuously monitors and applies password policies. Password policies are applied at runtime, when a user attempts to log in or otherwise performs a password interaction with that account.
For example, suppose a user is set to '0' (enabled) and there is a Password Policy that disables accounts after 365 days. If that account never logs in to IDM within those 365 days, the password policy is never called for that account.

If users need to be disabled regularly after some period of time, set up a bulk task that keys off the imLastLoginDate attribute and run it once a week, or once a day if you need the result to be more up to date, though this could create a high load depending on the size of your overall user base.
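
The following audit sketch is an added example, not code from the vendor or the product. It decodes the DISABLED values quoted above and lists accounts that are still enabled but have been idle longer than the policy window, which are the accounts the login-time password policy never evaluates. The row layout (login, DISABLED, imLastLoginDate already parsed to a date), the function names and the sample rows are assumptions, and the disabled bit (1) is inferred from 16777217 - 16777216.

```python
from datetime import date, timedelta

# Values quoted in the article: 16777217 = disabled + password must change,
# 16777216 = password must change, 0 = enabled with neither flag set.
PWD_MUST_CHANGE_BIT = 16777216   # 0x1000000
DISABLED_BIT = 1                 # inferred: 16777217 - 16777216

def decode_disabled(value):
    """Split a TBLUSERS.DISABLED value into the two flags the article describes."""
    known = DISABLED_BIT | PWD_MUST_CHANGE_BIT
    return {
        "disabled": bool(value & DISABLED_BIT),
        "password_must_change": bool(value & PWD_MUST_CHANGE_BIT),
        "other_bits": value & ~known,  # bits this example does not interpret
    }

def stale_enabled_accounts(rows, today, max_idle_days=365):
    """Return logins that are enabled but idle past the policy window.

    rows: iterable of (login, disabled_value, last_login), where last_login
    is a datetime.date or None (assumed to mean the account never logged in).
    """
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for login, disabled_value, last_login in rows:
        if decode_disabled(disabled_value)["disabled"]:
            continue  # already disabled, nothing to report
        # The policy only runs at login, so an account with no login on
        # record is reported too; review new accounts before disabling them.
        if last_login is None or last_login < cutoff:
            stale.append(login)
    return stale

# Constructed sample rows, not real data.
SAMPLE_ROWS = [
    ("asmith", 0, date(2023, 11, 20)),        # enabled, recent login
    ("bjones", 0, date(2022, 6, 1)),          # enabled, idle > 365 days
    ("cdoe", 16777217, date(2021, 1, 1)),     # disabled + must change
    ("dlee", 16777216, date(2022, 12, 1)),    # enabled + must change, idle
    ("enew", 0, None),                        # enabled, no login on record
]

if __name__ == "__main__":
    for login in stale_enabled_accounts(SAMPLE_ROWS, today=date(2024, 1, 1)):
        print(login)
```

The returned list is what a weekly or daily bulk task keyed on imLastLoginDate would act on.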