Release Notes › Upgrade Considerations › Reverse Synchronization Policies that Affect Suspension Attributes

Reverse Synchronization Policies that Affect Suspension Attributes

If you create a reverse synchronization policy that detects a new account and suspends it, that suspension could be rejected by a related reverse synchronization policy. Consider the following example:

1. An administrator creates two policies:
   • A policy that detects new Windows account and suspends those accounts
   • A policy that detects changes to the N16SecurityFlag attribute in Windows accounts and rejects that change

     The N16SecurityFlag attribute concerns account suspension.

2. An endpoint user creates a Windows account using native tools on the endpoint.
3. The new account policy suspends the new account.
4. When explore and correlate runs again, it detects the account as modified.
5. The modify account policy detects the change to the N16SecurityFlag attribute and rejects that change. The account is no longer suspended.

This situation affects any endpoint type that handles account suspension. In this example, the modify account policy should detect changes in etSuspend not n16SecurityFlag. Therefore, since the change originates from etSuspend, the N16SecurityFlag is only changed on the endpoint and is not picked up as a changed attribute.