How to create accounts in either an Expired or Disabled state, with the ability to re-enable the account upon successful User Registration.
The user is created in a disabled state. A successful registration is when an End User uses the Self Service portal to register and answer their forgotten questions.
To accomplish this, you could set the account to disabled in an "unregistered" account template, then use this template to create the accounts.
When the account is registered, switch the account to a "registered" account template, which means the Provisioning Policies would have to be swapped around too.
Alternatively, you could use custom Business Logic Task Handlers (BLTHs) through the Identity Manager web UI.
You may also want to consider using a workflow with an approval process to grant a user access to a provisioning role, so that the accounts are not even created until the approval process is completed.
We also recommend making sure that the Identity Manager tasks have AccountSync=OnEveryEvent instead of AccountSync=OnTaskCompletion. Otherwise the accounts could be toggled back to Enabled right away, even if the Account Template is configured to create the accounts as Disabled.