AD Driver - When syncing Login Time Expiration (accountExpires) it is off by 1 Day

  • 7023885
  • 15-May-2019
  • 16-May-2019

Environment

Identity Manager Driver - Active Directory
Identity Manager 4.x

Situation

When syncing Login Expiration Time to Active Directory (accountExpires), the expiration date is set to one day earlier than in the Identity Vault.

Resolution

Make sure the IDM server and the Domain Controller the driver connects to are configured for the correct time zone. They should be in the same time zone so that the accountExpires value written to Active Directory falls on the same date as the Login Expiration Time in the Identity Vault.

If the two cannot share a time zone, create a custom rule in the Output Transformation policy set that adds one day (86400 seconds) to the Login Expiration Time (eDirectory attribute), or to accountExpires (Active Directory attribute), before the driver's time conversion. Apply the rule only to a driver whose Domain Controller sits in a time zone behind the IDM server; with both servers in the same time zone the extra day would push the expiration one day late instead.

Cause

The typical cause is that the Domain Controller the Active Directory driver for Identity Manager synchronizes to is configured for a time zone further west (an earlier GMT offset) than the IDM server. Example: the IDM server is configured for GMT -7 and the Domain Controller for GMT -8.

We have only seen the issue with Domain Controllers configured for GMT -8 or earlier, though customers have reported it in other time zones.

The underlying issue appears to be the time zone the Domain Controller is configured for and the way it interprets the accountExpires value it receives from the Identity Vault.
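As an added illustration (not part of this TID and not the driver's own code), the following JavaScript models the one-day shift and the +86400 second workaround from the Resolution. It takes an expiration date set as local midnight in the IDM server's time zone, converts it to an accountExpires FILETIME (100-nanosecond intervals since 1601-01-01 UTC), then reads that instant back as a calendar date in the Domain Controller's time zone. The assumption that the Identity Vault stores the expiration as local midnight and that the Domain Controller reports the local date of that instant is this example's, not the article's; the function names are hypothetical.

```javascript
// Added illustration, not from the TID or the IDM AD driver: how one instant
// lands on different calendar dates on two servers with different UTC offsets,
// and how adding 86400 s before conversion compensates.

// 100-ns ticks between the FILETIME epoch (1601-01-01 UTC) and the Unix epoch
// (1970-01-01 UTC): 11644473600 s * 10^7.
const FILETIME_UNIX_DIFF = 116444736000000000n;

// eDirectory Login Expiration Time: seconds since 1970-01-01 UTC.
// AD accountExpires: 100-ns intervals since 1601-01-01 UTC.
function unixSecondsToAccountExpires(seconds) {
  return BigInt(seconds) * 10000000n + FILETIME_UNIX_DIFF;
}

function accountExpiresToUnixSeconds(fileTime) {
  return Number((BigInt(fileTime) - FILETIME_UNIX_DIFF) / 10000000n);
}

// Local midnight of a calendar date at a fixed UTC offset (in hours), as Unix
// seconds. Assumption: this is what an admin setting "expires on <date>" on the
// IDM server produces.
function localMidnightUtcSeconds(year, month, day, offsetHours) {
  return Date.UTC(year, month - 1, day) / 1000 - offsetHours * 3600;
}

// Calendar date (YYYY-MM-DD) on which a Unix instant falls at a UTC offset.
function localDate(unixSeconds, offsetHours) {
  const shifted = new Date((unixSeconds + offsetHours * 3600) * 1000);
  return shifted.toISOString().slice(0, 10);
}

// Simulate the sync: the IDM server (idmOffset) sends the expiration set for the
// given date; the Domain Controller (dcOffset) reports the date it sees.
// addOneDay applies the Output Transformation workaround (+86400 s before the
// time conversion).
function syncedExpirationDate(year, month, day, idmOffset, dcOffset, addOneDay = false) {
  let seconds = localMidnightUtcSeconds(year, month, day, idmOffset);
  if (addOneDay) seconds += 86400;
  const accountExpires = unixSecondsToAccountExpires(seconds);
  return localDate(accountExpiresToUnixSeconds(accountExpires), dcOffset);
}

// Scenario from the Cause section: IDM server at GMT -7, DC at GMT -8.
console.log(syncedExpirationDate(2019, 5, 15, -7, -8));        // one day early
console.log(syncedExpirationDate(2019, 5, 15, -7, -8, true));  // corrected
console.log(syncedExpirationDate(2019, 5, 15, -7, -7));        // same zone, no shift
```

Midnight of 15 May at GMT -7 is 07:00 UTC, which is still 23:00 on 14 May at GMT -8, so the Domain Controller reports 14 May; adding 86400 seconds moves the instant to 07:00 UTC on 16 May, which the GMT -8 server reports as 15 May. The same-zone run shows why the rule should not be applied when both servers share a time zone.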