# User provisioning

{% hint style="info" %}
Principal identifier: `SamAccountName`
{% endhint %}

The following parameters can be sent to the connector when provisioning users. Only `Name` is required; all other attributes are optional, except that `AccountPassword` must also be supplied when the account is to be enabled on creation.

| Parameter                            | Description                                                                                                                                                                                  | Required             | Type                                        |
| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | ------------------------------------------- |
| Name                                 | Display name of the object (LDAP: `name`).                                                                                                                                                   | Yes                  | String                                      |
| AccountExpirationDate                | Account expiry date. Set to `0` for no expiry (LDAP: `accountExpires`).                                                                                                                      | No                   | DateTime, e.g. `10/18/2018`                 |
| AccountNotDelegated                  | When `True`, the account's security context is not delegated even if set as trusted for Kerberos delegation (sets `ADS_UF_NOT_DELEGATED`).                                                   | No                   | True / False                                |
| AccountPassword                      | Sets the account password. Required if the account needs to be enabled on creation. Both `AccountPassword` and `Enabled` must be set to enable the account.                                  | No (Yes if enabling) | String                                      |
| AllowReversiblePasswordEncryption    | Allows reversible password encryption (sets `ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED`).                                                                                                       | No                   | True / False                                |
| CannotChangePassword                 | Prevents the user from changing their password.                                                                                                                                              | No                   | True / False                                |
| ChangePasswordAtLogon                | Forces a password change on next login.                                                                                                                                                      | No                   | True / False                                |
| City                                 | User's town or city (LDAP: `l`).                                                                                                                                                             | No                   | String                                      |
| Company                              | User's company (LDAP: `company`).                                                                                                                                                            | No                   | String                                      |
| Country                              | Country or region code (LDAP: `c`).                                                                                                                                                          | No                   | String                                      |
| Department                           | User's department (LDAP: `department`).                                                                                                                                                      | No                   | String                                      |
| Description                          | Description of the object (LDAP: `description`).                                                                                                                                             | No                   | String                                      |
| DisplayName                          | Display name (LDAP: `displayName`).                                                                                                                                                          | No                   | String                                      |
| Division                             | User's division (LDAP: `division`).                                                                                                                                                          | No                   | String                                      |
| EmailAddress                         | User's email address (LDAP: `mail`).                                                                                                                                                         | No                   | String                                      |
| EmployeeID                           | Employee ID (LDAP: `employeeID`).                                                                                                                                                            | No                   | String                                      |
| EmployeeNumber                       | Employee number (LDAP: `employeeNumber`).                                                                                                                                                    | No                   | String                                      |
| Enabled                              | Enables or disables the account (sets `ADS_UF_ACCOUNTDISABLE`).                                                                                                                              | No                   | True / False                                |
| Fax                                  | Fax number (LDAP: `facsimileTelephoneNumber`).                                                                                                                                               | No                   | String                                      |
| FolderName                           | Path to a local folder to create or modify for the user. Works with the `Permissions` attribute.                                                                                             | No                   | String, e.g. `C:\TestFolder`                |
| GivenName                            | First name (LDAP: `givenName`).                                                                                                                                                              | No                   | String                                      |
| HomeDirectory                        | Home directory path (LDAP: `homeDirectory`).                                                                                                                                                 | No                   | String                                      |
| HomeDrive                            | Drive letter associated with the home directory (LDAP: `homeDrive`).                                                                                                                         | No                   | String                                      |
| HomePage                             | URL of the user's home page (LDAP: `wWWHomePage`).                                                                                                                                           | No                   | String                                      |
| HomePhone                            | Home phone number (LDAP: `homePhone`).                                                                                                                                                       | No                   | String                                      |
| Initials                             | User's initials (LDAP: `initials`). Maximum 6 characters in AD.                                                                                                                              | No                   | String                                      |
| KerberosEncryptionType               | Kerberos encryption types supported: `DES`, `RC4`, `AES128`, `AES256`, `None`. Note: DES is a weak encryption type not supported by default since Windows Server 2008 R2.                    | No                   | String                                      |
| LogonWorkstations                    | Computers the user can access. Multiple values separated by commas, no whitespace at separators (LDAP: `userWorkStations`).                                                                  | No                   | String                                      |
| Manager                              | SAM account name of the user's manager (LDAP: `manager`). Only one manager per user is allowed.                                                                                              | No                   | String (SAMAccountName)                     |
| MemberOf                             | Dictionary of group Distinguished Names with operation values: `add`, `nochange`, or `delete`. On user creation, only `add` and `nochange` are accepted.                                     | No                   | Dictionary of Key-Value pairs               |
| MobilePhone                          | Mobile phone number (LDAP: `mobile`).                                                                                                                                                        | No                   | String                                      |
| Office                               | Office location (LDAP: `physicalDeliveryOfficeName`).                                                                                                                                        | No                   | String                                      |
| OfficePhone                          | Office telephone number (LDAP: `telephoneNumber`).                                                                                                                                           | No                   | String                                      |
| Organization                         | User's organization (LDAP: `o`).                                                                                                                                                             | No                   | String                                      |
| OtherName                            | Middle name (LDAP: `middleName`).                                                                                                                                                            | No                   | String                                      |
| PasswordNeverExpires                 | Password does not expire (sets `ADS_UF_DONT_EXPIRE_PASSWD`).                                                                                                                                 | No                   | True / False                                |
| PasswordNotRequired                  | Account does not require a password (sets `ADS_UF_PASSWD_NOTREQD`).                                                                                                                          | No                   | True / False                                |
| Path                                 | X.500 path of the OU or container where the user is created. If not set, `BaseDN` is used. Moving a user to a new Path is supported unless the object is protected from accidental deletion. | No                   | String, e.g. `OU=TestUsers,DC=DC1,DC=local` |
| Permissions                          | Applied only when `FolderName` is set. Key-Value pairs where Key is a `FileSystemRights` enum value and Value is `add` or `delete`.                                                          | No                   | Dictionary of Key-Value pairs               |
| POBox                                | Post office box number (LDAP: `postOfficeBox`).                                                                                                                                              | No                   | String                                      |
| PostalCode                           | Postal or ZIP code (LDAP: `postalCode`).                                                                                                                                                     | No                   | String                                      |
| PrincipalsAllowedToDelegateToAccount | Sets `msDS-AllowedToActOnBehalfOfOtherIdentity` on the account. Supports one principal by default.                                                                                           | No                   | String (SAMAccountName)                     |
| ProfilePath                          | Path to the user's profile (LDAP: `profilePath`).                                                                                                                                            | No                   | String                                      |
| SamAccountName                       | SAM account name. Maximum 20 characters for compatibility with older operating systems (LDAP: `sAMAccountName`).                                                                             | No                   | String                                      |
| ScriptPath                           | Path to the user's logon script (LDAP: `scriptPath`).                                                                                                                                        | No                   | String                                      |
| SmartcardLogonRequired               | Requires a smart card for login (sets `ADS_UF_SMARTCARD_REQUIRED`).                                                                                                                          | No                   | True / False                                |
| State                                | State or province (LDAP: `st`).                                                                                                                                                              | No                   | String                                      |
| StreetAddress                        | Street address (LDAP: `streetAddress`).                                                                                                                                                      | No                   | String                                      |
| Surname                              | Last name (LDAP: `sn`).                                                                                                                                                                      | No                   | String                                      |
| Title                                | Job title (LDAP: `title`).                                                                                                                                                                   | No                   | String                                      |
| TrustedForDelegation                 | Account is trusted for Kerberos delegation (sets `ADS_UF_TRUSTED_FOR_DELEGATION`).                                                                                                           | No                   | True / False                                |
| UserPrincipalName                    | UPN in the format `user@DNS-domain-name` (LDAP: `userPrincipalName`).                                                                                                                        | No                   | String                                      |
| Certificates                         | Manages certificates for a user. Must be Base64-encoded X.509v3 content in a single line without headers. To delete all certificates, send an empty value with the DELETE operation.         | No                   | String                                      |
| SMBFileServerAddress                 | DNS hostname of the file server for setting SMB permissions.                                                                                                                                 | No                   | DNS Hostname                                |
| SMBShareName                         | Name of the SMB file share on the target server.                                                                                                                                             | No                   | String                                      |
| SMBPermissionsSet                    | JSON array of permissions to merge with existing permissions. Example: `[{"Operation":"Grant","AccountName":"SomeUser","AccessRight":"Read"}]`                                               | No                   | JSON                                        |
| SMBOverwriteWithPermissions          | JSON array of permissions that overwrite all existing permissions. When set, `SMBPermissionsSet` is ignored.                                                                                 | No                   | JSON                                        |
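The constraints in the table lend themselves to a pre-flight check before a request reaches the connector. The following Python is an added example, not code from OpenIAM or the connector; it assumes the request is a dict keyed by the parameter names above with booleans given as the strings `True` / `False`, and `validate_provisioning`, `RISKY_TRUE_FLAGS` and `SAMPLE_REQUEST` are constructed here. It rejects what the table says the connector will not accept and flags settings that weaken the resulting account for review.

```python
WEAK_KERBEROS_TYPES = {"DES", "RC4", "None"}

# Settings that weaken the account when True, with the flag the table says they set.
RISKY_TRUE_FLAGS = {
    "PasswordNotRequired": "ADS_UF_PASSWD_NOTREQD",
    "AllowReversiblePasswordEncryption": "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    "TrustedForDelegation": "ADS_UF_TRUSTED_FOR_DELEGATION",
    "PasswordNeverExpires": "ADS_UF_DONT_EXPIRE_PASSWD",
}

def _is_true(value):
    return str(value).lower() == "true"   # accepts True or the string "True"

def validate_provisioning(payload, creating=True):
    """Return (errors, warnings) for one request; errors would be rejected by the connector."""
    errors, warnings = [], []
    if not payload.get("Name"):
        errors.append("Name is required")
    if _is_true(payload.get("Enabled")) and not payload.get("AccountPassword"):
        errors.append("Enabled=True requires AccountPassword")
    if len(payload.get("SamAccountName", "")) > 20:
        errors.append("SamAccountName exceeds 20 characters")
    # LogonWorkstations is comma-separated with no whitespace at the separators.
    parts = payload.get("LogonWorkstations", "").split(",")
    if any(p != p.strip() for p in parts):
        errors.append("LogonWorkstations has whitespace around a separator")
    # On creation only add / nochange are accepted for MemberOf.
    allowed_ops = {"add", "nochange"} if creating else {"add", "nochange", "delete"}
    for group_dn, op in payload.get("MemberOf", {}).items():
        if op not in allowed_ops:
            errors.append(f"MemberOf {group_dn}: operation '{op}' not allowed")
    if "Permissions" in payload and not payload.get("FolderName"):
        warnings.append("Permissions is ignored because FolderName is not set")
    for op in payload.get("Permissions", {}).values():
        if op not in {"add", "delete"}:
            errors.append(f"Permissions value '{op}' must be add or delete")
    enc = payload.get("KerberosEncryptionType", "")
    if enc in WEAK_KERBEROS_TYPES:
        warnings.append(f"KerberosEncryptionType {enc} is weak; prefer AES128 or AES256")
    for name, flag in RISKY_TRUE_FLAGS.items():
        if _is_true(payload.get(name)):
            warnings.append(f"{name}=True sets {flag}; confirm this is intended")
    return errors, warnings

SAMPLE_REQUEST = {  # constructed sample request, not a real account
    "Name": "Jane Doe",
    "SamAccountName": "jdoe",
    "Enabled": "True",
    "PasswordNotRequired": "True",
    "KerberosEncryptionType": "RC4",
    "MemberOf": {"CN=Finance,OU=Groups,DC=example,DC=local": "delete"},
    "Permissions": {"Modify": "add"},
}
```

Pass `creating=False` when validating an update, since `delete` is only rejected for `MemberOf` on user creation.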
